Personal Data Protection in Pharmaceutical Sector (webinar presentation)
Personal Data Protection in RussiaAnastasiya LemyshVsevolod Tyupa7 December 201107/12/2011
Webinar scheduleI. Legal framework for personal data protection in RussiaII. Personal data protection in the medicine field
Legal acts regulating personal data protection Constitution of the Russian Federation; Federal Law No. 152- FZ “On personal data”; Labour Code; Code for administrative offences; Federal Law No. 149 – FZ “On information, information technologies and protection of information; Resolutions of the Government; Acts issued by specialised ministries and services.
Definition of the term ‘personal data’Personal data are any information relating to a directly or indirectlyidentified or identifiable individual ("data subject").This definition is in line with the Strasbourg Convention of 1981 Text, graphic, biometrical, photo, May be identified with acoustic, digital … the use of accessible means Any relating information
The principles of personal data processing (1)1. Legality and fairness “Processing personal data should be performed on a legal and fair basis.”2. Purpose “Personal data processing should be limited to achieving specific purposes that should be specified preliminarily and be legal. It is prohibited to process personal data in a way that is not consistent with the purposes for which personal the data were collected”. “The content and scope of processed personal data have to comply with the purposes of processing personal data. Personal data that are processed must not be excessive with regard to the declared purposes of their processing.”
The principles for personal data processing (2)3. Proportionality “Only data that correspond to the purposes of their processing should be processed .”4. Data quality “(…) it is necessary to ensure that personal data are accurate, sufficient, and, if necessary, up-to-date in relation to the purposes of processing personal data.”5. Term of processing “Personal data must not be stored longer than it is necessary for the purposes of personal data processing” (NB. A timeframe to process personal data may be also provided by the law or by an agreement with the data subject.)
Legal grounds for personal data processing Processing personal data upon consent without the consent of of the data subject the data subject form of consent only in cases directly qualified form of consent: any form proving provided by the law For special categories of personal data, biometrical that the consentpersonal data, cross border was duly obtained transfer of personal data
Processing personal data without the consent ofthe data subject (1)1. Requirements of the laws: Achievement of purposes provided by : international treaty signed by the Russian Federation; the Russian law; Execution by the operator of the obligations or functions provided by the law;2. Execution of justice, and execution of the act of the court;
Processing personal data without the consent ofthe data subject (2)3. Providing state or municipal services;4. Contract relations: execution of a contract: the data subject is a party, a beneficiary or a guarantor under the contract; signing of a contract: upon the initiative of the data subject; If the data subject is a beneficiary or guarantor under the contract;5. Protection of life, health or other vital interests of the data subject, if it is impossible to obtain his/her consent;
Processing personal data without the consent ofthe data subject (3)6. Legal interests and socially important purposes: protecting the rights and legal interests of the operator and third parties; achieving socially important purposes; Condition: rights and freedoms of the data subject are not violated;7. Particular types of activities: journalist or other legal activity of mass media; scientific work; literature (activity of writer); other creative activity; Condition: rights and interests of the data subject are not violated;
Processing personal data without the consent ofthe data subject (4)8. Statistics or other research purposes • Except for for promoting goods and services and political agitation; • Condition: mandatory depersonalisation of personal data;9. If public access to personal data is provided by the data subject at his/herrequest;10. Processing personal data that should be made public under the law;
Obligations of a personal data operator Inform the Personal Data Authority of its intent to process personal data (must be done prior to processing of personal data). Exceptions: cases provided by the law; Do not disclose information to third persons without the consent of the data subject; Bear the burden of proof for obtaining the consent of a data subject;
Protection of employees’ personal data Purposes of processing employees’ personal data: compliance with the provisions of the law; recruitment; promotion; education; personal safety; control of work quality. Obligations of the employer: to ensure the confidentiality of personal data; not to disclose personal data without the consent of the employee.
The specifics of processing personal data in themedicine field1. Patients’ and doctors’ personal databases established by newRussian Federal Law on Healthcare, dated 23 November 2011;2. Processing of medical professionals’ personal data by thepharmaceutical companies;3. “Medical secrecy”
Personal data protection within clinical trialsThe personal data of clinical trials patients are a “specific” type ofpersonal data because of information on the state of health.The main legal issues are: Patient’s information list ; Transferring personal data to the Sponsor and its affiliates; Cross-border transfer of personal data in the case of international multi- centre clinical trials.
Thank you for your attention! CMS, Russia Gogolevsky Blvd. 11, 119019 Moscow +7(495) 786 4000 Vsevolod Tyupa, Senior Associate Vsevolod.Tyupa@cmslegal.ru +7 (495) 786 4097 Anastasiya Lemysh, Associate, Avocat à la Cour Anastasiya.Lemysh@cmslegal.ru +7 (495) 786 3076Защита персональных данных: согласие, обработка, трансграничная передача. 30 ноября 2011 16