CRITICAL REGULATIONS GOVERNING DATA PRIVACY AND DATA PROTECTION
Surabhi Jain
Clinical Data Manager
India
DATA PRIVACY AND PROTECTION: WHY SHOULD IT BE A PRIORITY?
In the US alone, 11 million cases of medical data security breaches were recorded in 2015.
Criminals and hackers now recognize that medical data or sensitive personal health information (PHI) is more valuable than credit card data, yet 100 times easier to hack.
DATA PRIVACY AND PROTECTION: WHY SHOULD IT BE A PRIORITY?
First things first: it is a universal human right.
 Penalties
 Theft of patient identity
 Resulting government investigations / legal consequences
 Harm to company reputation
HUMAN RIGHT ON DATA PRIVACY
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
- The Universal Declaration of Human Rights, Article 12
HUMAN RIGHT ON DATA PRIVACY
Everyone has the right to respect for his private and family life, his home and his correspondence.
- European Convention for the Protection of Human Rights and Fundamental Freedoms
THE CONFIDENTIALITY OF RECORDS THAT COULD IDENTIFY SUBJECTS SHOULD BE PROTECTED, RESPECTING THE PRIVACY AND CONFIDENTIALITY RULES IN ACCORDANCE WITH THE APPLICABLE REGULATORY REQUIREMENT(S).
- THE PRINCIPLES OF ICH GCP, 2.11
REGULATORY GUIDANCE
EU Data Protection Directive 95/46/EC
EU Data Protection Directive 2001/20/EC
General Data Protection Regulation EU 2016/679
EU DATA PROTECTION DIRECTIVE 95/46/EC - 7 PRINCIPLES
Following the Organization for Economic Cooperation and Development (OECD) recommendation:
 Notice—data subjects should be given notice when their data is being collected;
 Purpose—data should only be used for the purpose stated and not for any other purposes;
 Consent—data should not be disclosed without the data subject's consent;
 Security—collected data should be kept secure from any potential abuses;
 Disclosure—data subjects should be informed as to who is collecting their data;
 Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
 Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
EU DATA PROTECTION DIRECTIVE 95/46/EC
Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality.
EU DATA PROTECTION DIRECTIVE 95/46/EC
Transfer of personal data to third countries: the Directive's Article 29 created the "Working Party on the Protection of Individuals with regard to the Processing of Personal Data", commonly known as the "Article 29 Working Party". The Working Party gives advice about the level of protection in the European Union and third countries.
EU DATA PROTECTION DIRECTIVE 2001/20/EC
 The Clinical Trials Directive (officially Directive 2001/20/EC of 4 April 2001 of the European Parliament, relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use) is a European Union directive that aimed to facilitate the internal market in medicinal products within the European Union.
 It seeks to simplify and harmonize the administrative provisions governing clinical trials in the European Community by establishing a clear, transparent procedure.
 The Member States had to apply these provisions at the latest with effect from 1 May 2004.
 It has 24 Articles.
EU DATA PROTECTION DIRECTIVE 2001/20/EC - ARTICLE 3
 Section 2(c): the rights of the subject to physical and mental integrity, to privacy and to the protection of the data concerning him in accordance with Directive 95/46/EC (EU Data Protection Directive) are safeguarded.
 Principles of 95/46/EC:
*Fair and lawful processing
*Purpose limitation and specification
*Minimal storage term
*Transparency
*Data quality
*Security
*Special categories of data
*Data minimization
GENERAL DATA PROTECTION REGULATION EU 2016/679
Reason for moving to GDPR: privacy issues arising from an exponential growth in consumer and mobile technologies, an increasingly connected planet and mass cross-border data flows.
In 2012 the European Commission published a draft regulation; the final text was published on 27 April 2016.
GENERAL DATA PROTECTION REGULATION EU 2016/679
 More than 90% of Europeans say they want the same data protection rights across the EU – regardless of where their data is processed.
 Applies to EU and non-EU organizations that process data relating to individuals who are in the EU.
 GDPR will capture many more overseas organizations.
 EU Member States have to transpose it into their national law by 6 May 2018.
GENERAL DATA PROTECTION REGULATION EU 2016/679
 The GDPR is Europe's new framework for data protection laws – it replaces the previous 1995 data protection directive, which current UK law is based upon.
 The legislation is designed to "harmonise" data privacy laws across Europe as well as give greater protection and rights to individuals.
 GDPR changes how personal data can be used.
 In the full text of GDPR there are 99 articles setting out the rights of individuals and the obligations placed on organisations covered by the regulation.
GENERAL DATA PROTECTION REGULATION EU 2016/679
Any data breach must be reported to the supervisory authority within 72 hours.
Companies that carry out "regular and systematic monitoring" of individuals at a large scale, or process a lot of sensitive personal data, have to employ a data protection officer (DPO).
SAFE HARBOR PRINCIPLES - HARMONIZATION EFFORTS
The European Union and the United States have fundamentally different attitudes towards the protection of personal data.
To ease business between the US and the EU, in 2000 the U.S. Department of Commerce issued the Safe Harbor Privacy Principles, which were subsequently recognized by the European Commission.
SAFE HARBOR PRINCIPLES - 7 PRINCIPLES
 Notice. An organization must inform individuals about the purposes for which it collects and uses information.
 Choice. Subjects must be able to opt out of collection and transfer of the information.
 Onward Transfer. Organizations must apply the Notice and Choice principles. Third parties acting as agents must provide the same level of privacy protection.
SAFE HARBOR PRINCIPLES - 7 PRINCIPLES
 Security. Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it.
 Data Integrity. Personal information must be relevant for the purposes.
 Access. Individuals must have access to the information about them.
 Enforcement. Effective privacy protection must include mechanisms for verifying compliance with the above principles.

Critical regulations governing data privacy and data protection, 20 Dec 2018
