Case Study: Pharmaceuticals

Patrick F. Sullivan, Ph.D.
939 North Graham Avenue, Indianapolis, IN 46219
317-352-1362 [email protected]

Background
• Clinical research division of major pharmaceutical
• Scope of program covers clinical trials and drug safety and surveillance worldwide
• Program is located in divisional compliance function, under direction of Data Privacy & Security Compliance Area Manager

Pharma Research- What’s Different
• No consumer privacy issues- no research data go outside the division’s databases, no marketing functions in research division, no marketing data comes in
• Research context changes application of Fair Information Practices
  • Notice- Consent for participation in protocol; HIPAA authorization to transfer data for research purposes; country-specific consents; general notice
  • Choice/consent- Everything is consent driven or required by regulation; “opt-out” isn’t a relevant concept
  • Limitation- Protocol, regulatory requirements determine minimum data; data types may differ- personal data, family history, tissue sample, genetic

Pharma Research- What’s Different
• Access- Difficult to unblind a study; access could expose others’ data; pharma typically gets minimal identifiers- most identifiable data stays with investigator
• Onward transfer- Disclosures are to regulatory agencies or other investigators, required by regulation (GCPs, Pharmacovigilance)
• Data import compliance is a more salient issue
• Data Integrity- Data accuracy is essential to research; significant SOPs, divisional procedures focused on data accuracy, relevance, currency

Pharma Research- What’s Different
• Regulatory environment is more complex
  • Good Clinical Practices, other protections of human subjects
  • HIPAA is limited in research context- pharmas are not covered entities; authorizations for transfer from investigator, subsequent research use of data are issues
  • Part 11- electronic records, digital signature; validation, security, audit trail concerns
  • International- EU Clinical Trials Directive requires compliance with Data Protection Directive- raises stakes for privacy compliance, transborder data flow compliance

Program Organization
Administrative
• Accountability
• Policy/Planning
Operational
Fair Information Practices
• Data Subject Rights
• Data Processing Controls
Manage/Maintain
Corporate Compliance Program Requirements
• Monitoring & due diligence
• Training
• Complaints/inquiry
• Response to noncompliance

Our Approach
• Define core privacy practices, create compliance guidelines- drive through enforceable policy (corporate information, compliance, business practice & security policies)
• Map data flow
• Create control objectives for privacy compliance
• Identify data flow control points, review & index SOPs
• Revise SOPs as needed
• Create accountability, maintenance infrastructure and procedure
• Create 04-05 updates and continuation/monitoring plans