2. DATA PRIVACY AND PROTECTION: WHY SHOULD IT BE A PRIORITY?
In the US alone, 11 million cases of medical data security breaches were recorded in 2015.
Criminals and hackers now recognize that medical data, or sensitive personal health information (PHI), is more valuable than credit card data, yet is 100 times easier to hack.
3. DATA PRIVACY AND PROTECTION: WHY SHOULD IT BE A PRIORITY?
First things first: it is a universal human right.
Penalties
Theft of a patient's identity
Resulting government investigations / legal consequences
Harm to company reputation
4. HUMAN RIGHT ON DATA PRIVACY
"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
- The Universal Declaration of Human Rights, Article 12
5. HUMAN RIGHT ON DATA PRIVACY
"Everyone has the right to respect for his private and family life, his home and his correspondence."
- European Convention for the Protection of Human Rights and Fundamental Freedoms
6. THE CONFIDENTIALITY OF RECORDS
"The confidentiality of records that could identify subjects should be protected, respecting the privacy and confidentiality rules in accordance with the applicable regulatory requirement(s)."
- The Principles of ICH GCP, 2.11
7. REGULATORY GUIDANCE
EU Data Protection Directive 95/46/EC
EU Data Protection Directive 2001/20/EC
General Data Protection Regulation EU 2016/679
8. EU DATA PROTECTION DIRECTIVE 95/46/EC - 7 PRINCIPLES
The seven principles governing the Organisation for Economic Co-operation and Development (OECD) recommendation:
Notice—data subjects should be given notice when their data is being collected;
Purpose—data should only be used for the purpose stated and not for any other purposes;
Consent—data should not be disclosed without the data subject's consent;
Security—collected data should be kept secure from any potential abuses;
Disclosure—data subjects should be informed as to who is collecting their data;
Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
9. EU DATA PROTECTION DIRECTIVE 95/46/EC
Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality.
10. EU DATA PROTECTION DIRECTIVE 95/46/EC
Transfer of personal data to third countries: the Directive's Article 29 created the "Working Party on the Protection of Individuals with regard to the Processing of Personal Data", commonly known as the "Article 29 Working Party". The Working Party gives advice about the level of protection in the European Union and third countries.
11. EU DATA PROTECTION DIRECTIVE 2001/20/EC
The Clinical Trials Directive (officially Directive 2001/20/EC of the European Parliament of 4 April 2001, relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use) is a European Union directive that aims to facilitate the internal market in medicinal products within the European Union.
It seeks to simplify and harmonise the administrative provisions governing clinical trials in the European Community by establishing a clear, transparent procedure.
The Member States had to apply these provisions at the latest with effect from 1 May 2004.
It has 24 Articles.
12. EU DATA PROTECTION DIRECTIVE 2001/20/EC - ARTICLE 3
Section 2(c): the rights of the subject to physical and mental integrity, to privacy and to the protection of the data concerning him in accordance with Directive 95/46/EC (EU Data Protection Directive) are safeguarded.
Principles of Directive 95/46/EC:
*Fair and lawful processing
*Purpose limitation and specification
*Minimal storage term
*Transparency
*Data quality
*Security
*Special categories of data
*Data minimization
13. GENERAL DATA PROTECTION REGULATION EU 2016/679
Reason for moving to GDPR: privacy issues arising from an exponential growth in consumer and mobile technologies, an increasingly connected planet and mass cross-border data flows.
In 2012, the European Commission published a draft regulation; the final text was published on 27 April 2016.
14. GENERAL DATA PROTECTION REGULATION EU 2016/679
More than 90% of Europeans say they want the same data protection rights across the EU, regardless of where their data is processed.
Applies to EU and non-EU organizations that process data relating to individuals who are in the EU.
GDPR will capture many more overseas organizations.
EU Member States have to transpose it into their national law by 6 May 2018.
15. GENERAL DATA PROTECTION REGULATION EU 2016/679
The GDPR is Europe's new framework for data protection laws. It replaces the previous 1995 data protection directive, which current UK law is based upon.
The legislation is designed to "harmonise" data privacy laws across Europe as well as give greater protection and rights to individuals.
GDPR changes how personal data can be used.
The full text of the GDPR contains 99 articles setting out the rights of individuals and the obligations placed on organisations covered by the regulation.
16. GENERAL DATA PROTECTION REGULATION EU 2016/679
Any data breach must be reported to the supervisory authority within 72 hours.
Companies that carry out "regular and systematic monitoring" of individuals at a large scale, or that process a lot of sensitive personal data, have to employ a data protection officer (DPO).
17. SAFE HARBOR PRINCIPLES - HARMONIZATION EFFORTS
The European Union and the United States have fundamentally different attitudes towards the protection of personal data.
To ease business between the US and the EU, in 2000 the U.S. Department of Commerce issued the Safe Harbor Privacy Principles, which were subsequently recognized by the European Commission.
18. SAFE HARBOR PRINCIPLES - 7 PRINCIPLES
Notice. An organization must inform individuals about the purposes for which it collects and uses information.
Choice. Subjects must be able to opt out of collection and transfer of the information.
Onward Transfer. Organizations must apply the Notice and Choice principles. Third parties acting as agents must provide the same level of privacy protection.
19. SAFE HARBOR PRINCIPLES - 7 PRINCIPLES
Security. Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it.
Data Integrity. Personal information must be relevant for the purposes for which it is used.
Access. Individuals must have access to the information held about them.
Enforcement. Effective privacy protection must include mechanisms for verifying compliance with the above principles.