Note: Chapter 15 (formerly 14) has not been updated for Revision 11 of the Guide, as contents remain up-to-date.
15.1. Personal data protection in the European Union
In the European Union, the conduct of pharmacoepidemiological studies needs to respect applicable Union data protection rules, namely the General Data Protection Regulation (EU) 2016/679 (GDPR) and Member State laws adopted in line with the GDPR (for example further conditions or limitations with regard to the processing of genetic data, biometric data or data concerning health), which apply to processing carried out by organisations and bodies operating within the EU (for more details regarding the territorial scope of the GDPR, see EDPB Guidelines 3/2018 on the territorial scope of the GDPR, Article 3). Regulation (EU) 2018/1725 (EUDPR) apply to the personal data processing by Union institutions, bodies, offices and agencies.
Personal data is information that relates to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly. Where it is possible to identify an individual directly from the information being processed, then that information is personal data. Where an individual cannot be directly identified from that information, it is still important to consider whether the individual is identifiable. For this, all the information being processed should be taken into account together with all the means reasonably likely to be used to identify that individual.
Special categories of personal data need more protection because they concern sensitive information. They include amongst others information revealing racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Special categories of personal data can only be processed if specific conditions set out in Article 9 of GDPR and Article 10 of EUDPR are met.
EudraLex - EU pharmaceutical legislation – the regulatory information for human medicines on the EMA website, the Good pharmacovigilance practices and ENCePP provide for methodological and ethical standards and ensure that private interests do not prevail over the general interest of public health. In this context, the Union data protection legislation is an enabler that promotes high data protection standards whilst providing the foundation for scientific research for the purpose of development, authorisation and supervision of medicinal products.
For interventional research, Clinical Trial Regulation (EU) 536/2014 and the Guidelines for Good Clinical Practice (Commission Directive 2005/28/EC) apply. It also applies to trials authorised under the previous legislation if they are still ongoing three years after the Regulation has come into operation. In addition, marketing authorisation holders (MAHs) and investigators must follow relevant national guidance of those Member States where the study is being conducted. To explain the interplay between the Clinical Trials Regulation and the GDPR the European Commission has published dedicated Questions and Answers.
Post-Authorisation Safety Studies (PASS) may be interventional or non-interventional. They may be conducted voluntarily or imposed on the marketing authorisation holder (MAH). Article 36 of the Commission Implementing Regulation (EU) No 520/2012 specifies that for post-authorisation safety studies (PASS) imposed as an obligation, MAHs shall ensure that all study information is handled and stored in a way that ensure the confidentiality of the study records of the study subjects. Section VIII.B.6. of the GVP Module VIII - Post-authorisation safety studies (Rev. 3) recommends that these provisions should also be applied to PASS that are voluntarily initiated, managed or financed by a MAH.
The ISPE Good pharmacoepidemiology practice provides recommendations on the protection of human subjects and refers to the ISPE guidelines on Data Privacy, Medical Record Confidentiality, and Research in the Interest of Public Health. It also recommends that the plans for protecting human subjects should be described in a stand-alone section of the study protocol.
The Data Protection Authorities (DPAs) of the Member States are competent for monitoring and enforcing the application of the GDPR. They are the natural interlocutors and first point of contact for the public, businesses and public administrations for questions regarding the GDPR. The Data Protection Authorities' role includes informing controllers and processors of their obligations and raising the general public’s awareness and understanding of the risks, rules, safeguards and rights in relation to data processing.
The European Data Protection Board (EDPB) is an independent European body which is composed of representatives of the national DPAs (of all Union and EEA Member States) and the EDPS. The EDPB is established by Art 68 of the GDPR and is empowered to make binding decisions towards national DPAs to ensure the consistent application of Union data protection law. The EDPB may also issue general guidance (including guidelines, recommendations and best practice). Certain guidance adopted by the predecessor of the EDPB, the Article 29 Working Party (WP) are still applicable and provide interpretation of data protection principles under Union law.
15.2. Scientific integrity and ethical conduct
Principles of scientific integrity and ethical conduct are paramount in any medical research. The Declaration of Helsinki (2013) provides ethical principles addressed primarily to physicians participating in medical research involving human subjects, including research on identifiable human material and data and is the main document on human research ethics. The ENCePP Code of Conduct (Revision 4, 2018) offers standards for scientific independence and transparency of research in pharmacoepidemiology and pharmacovigilance and promotes best practice for the interactions between investigators and study funders in critical areas such as planning, conduct and reporting of studies. As a core transparency measure, it recommends that the protocols of all pharmacoepidemiology and pharmacovigilance studies should be registered in the HMA-EMA Catalogue of RWD studies, ideally before they start. The Code also recommends that study findings should be published irrespective of positive or negative results.
Guided by three core values (best science, strengthening public health and transparency), the ADVANCE Code of Conduct for Collaborative Vaccine Studies (Vaccine 2017;35(15):1844-55) includes recommendations about 10 topics: Scientific integrity, Scientific independence, Transparency, Conflicts of interest, Study protocol, Study report, Publication, Subject privacy, Sharing of study data, Research contract, and be used for research on any type of medicinal product. Each topic includes a definition, a set of recommendations and a list of additional reading. The concept of the study team is introduced as a key component of the ADVANCE Code of Conduct with a core set of roles and responsibilities. It also provides direct access to a comprehensive list of relevant guidelines.
The Good Pharmacoepidemiology Practices (GPP) (2015) of the International Society for Pharmacoepidemiology (ISPE) proposes practices and procedures that should be considered to help ensure the quality and integrity of pharmacoepidemiological research, including detailed guidance for protocol development, roles and responsibilities, study conduct, communication, reporting of adverse events and archiving. The Good Epidemiology Practice (GEP) (2007) of the International Epidemiological Association addresses four general ethical principles for research (Autonomy, Beneficence, Non-maleficence and Justice) and proposes rules for good research behaviour in relation to working with personal data, data documentation, publication, the exercise of judgment and scientific misconduct.
The CIOMS International Ethical Guidelines for Health-related Research Involving Humans (Geneva: 2016) provides detailed commentary on how universal ethical principles should be applied, with particular attention to conducting research in low-resource settings. It includes 25 guidelines addressing different topics, settings and population groups concerned by health-related research.
The Recommendations for the Conduct, Reporting, Editing, and Publication of Scholarly work in Medical Journals (2021) by the International Committee of Medical Journal Editors (ICJME) include clear statements on ethical principles related to publication in biomedical journals. Authorship and contributorship, editorship, peer review, conflicts of interest, privacy and confidentiality and protection of human subjects and animals in research are addressed.
The Agency for Healthcare Research and Quality (AHRQ) published Registries to Evaluate Patient Outcomes: a User’s guide, 4th Edition, 2020, which is a reference for establishing, maintaining and evaluating the success of registries created to collect data about patient outcomes. Section II: ‘Legal and Ethical Considerations for Registries’ is a specific chapter dedicated to ethics, data ownership, and privacy. The concepts within are focused on US law.
More specifically on data used for the purpose of pharmacoepidemiology and pharmacovigilance studies, the HMA-EMA Joint Big Data Taskforce Phase II report: ‘Evolving Data-Driven Regulation’ (2019) acknowledges (in section 5.7) that data sharing and secondary use of data for research raise ethical issues which require identification, examination and guidance. The report uses Floridi and Taddeo’s definition of data ethics: a new branch of ethics which “studies and evaluates moral problems related to data (including generation, recording, curation, processing, dissemination, sharing, and use), algorithms (including artificial intelligence, artificial agents, machine learning, and robots), and corresponding practices (including responsible innovation, programming, hacking, and professional codes), in order to formulate and support morally good solutions (e.g. right conducts or right values)”. The Task Force report provides a set of recommendations for secure and ethical use of data ensuring that personal data are protected and that ethical challenges are addressed.