Personal information protection compliance in IST
Author: William Xu & Joe Liu 2024-11-13
As biomedical research advances, the ethical principles governing informed consent have become increasingly stringent. The Personal Information Protection Law (PIPL) classifies medical health information as sensitive personal information, indicating that data collected and processed by pharmaceutical companies during industry-sponsored clinical trials (ISTs) contains a significant amount of sensitive personal information.
Ensuring compliance in the use of personal medical health data in ISTs has become a major concern for pharmaceutical companies. This article outlines the current legal regulations in China regarding the signing of informed consent forms (ICFs) for ISTs, and proposes an ICF compliance structure for handling personal data of IST human subjects in line with PIPL on sensitive personal information processing.
These guidelines are intended to help pharmaceutical companies mitigate risks of non-compliance related to personal information processing in ISTs.
Informed consent
As a guiding principle for ISTs, the Declaration of Helsinki, developed by the World Medical Association, prioritises the rights, interests and safety of human subjects over scientific and societal benefits, with informed consent being a crucial means of protecting these rights.
In the context of ISTs, informed consent involves informing subjects of all aspects that may influence their decision on participation and obtaining their voluntary agreement to participate. This process must be documented with a signed and dated ICF in written form.
Informed consent is a prerequisite for conducting ISTs and is an ongoing process. Throughout the research, the researcher is to continuously seek the subject’s consent, informing the subject of any changes in the research and other information that may affect the subject’s decision to continue participating.
The PIPL
Based on the informed consent mechanisms outlined in the good clinical practice (GCP) international quality standard and the Measures for the Ethical Review of Biomedical Research Involving Humans, the PIPL has introduced more detailed compliance requirements for informed consent involving personal information.
Definition. Articles 4 and 28 of the PIPL distinguish between personal information and sensitive personal information (collectively “relevant personal information”). These articles clarify the types of activities in processing personal information, and stipulate necessary conditions for handling sensitive personal information.
Written consent. The PIPL mandates that consent must be given voluntarily and explicitly by individuals based on full information. If there are any changes in the processing of relevant personal information, fresh consent must be obtained from the individual.
Withdrawal. Article 15 of the PIPL stipulates that individuals have the right to withdraw their consent at any time. However, such withdrawal does not affect the validity of personal information processing activities conducted prior to the withdrawal. Additionally, personal information processors should provide convenient means for individuals to withdraw their consent.
Compliance structure
During the conduct of ISTs, issues often arise with unclear notifications and lack of appropriate arrangements following the withdrawal of informed consent for relevant personal information processing.
To address these concerns, the authors recommend the compliance structure below, which aligns with the informed consent mechanisms and ICF signing requirements outlined in the GCP and the above-mentioned measures, as well as the informed consent compliance requirements for relevant personal information under the PIPL. This approach aims to mitigate the risk of non-compliance in personal information processing.
Distinguishing definitions. Differentiate the types of relevant personal information. Define human subjects’ basic personal information that is collected, used and transmitted in ISTs as personal information, and classify their medical health data and information on human genetic resources as sensitive personal information.
Identifying processors and accessors. List the personal information processors and agents authorised to access relevant personal information. Also specify the security measures adopted to protect such information being processed or accessed.
Protecting privacy. Clarify that personal information processors will de-identify relevant personal information to protect subjects’ privacy, and specify the de-identification techniques used.
Clarifying purposes. Specify the purpose and circumstances of personal information processing, the duration of such processing, and the expected retention period of relevant personal information.
Confirming on reuse. Clarify whether the personal information will be reused after the IST. In the case of information reuse, it is recommended to clearly state that such information will only be reused for medical or scientific research projects of the current IST drug. For research projects of other drugs, informed consent should be obtained from the subjects in written form separately.
Permissions after consent withdrawal. Clarify that relevant personal information collected before the subject’s withdrawal of informed consent will be kept and used for the current IST. Provide options for full withdrawal and partial withdrawal, and explain the two options (differentiated by whether relevant personal information will be collected in subsequent clinic visits or survival visits) for the subject to choose.
Conclusion
Built on the Cybersecurity Law, Data Security Law and the PIPL, the legal framework of personal medical health data protection has imposed higher compliance requirements on pharmaceutical companies. In strict observance of specific principles and requirements set out by the PIPL, pharmaceutical companies are to process relevant personal information with due caution, ensuring legal compliance while effectively leveraging the value of medical health data.