UK: New Clinical Trial Regulations Signed, and New Privacy Wording for all Clinical Studies

1 - NEW PRIVACY WORDING FOR ALL CLINICAL STUDIES


On 1st April 2025 the UK NHS Health Research Authority ('HRA') released new privacy transparency wording for all sponsors of clinical studies: this new wording must be included in the Informed Consent Forms handed out by investigators to patients.

This is to comply with the principles of GCP and GDPR, which state that sponsors must be transparent towards patients.


Access the new wording here.


In the UK, sponsors/CROs must also use the templates provided by the HRA for the Data Privacy Impact Analysis ('DPIA'), which is a risk analysis from the point of view of the patients (article 35 GDPR).


Do you have questions on regulations and/or guidelines in the UK for medical research and privacy? Contact our UK senior consultants Julianne (j.m.hull ( at ) pharmarketing.net) and Dave (d.p.edwards ( at ) pharmarketing.net).


2 - NEW CLINICAL TRIAL REGULATIONS SIGNED INTO LAW


New regulations for running clinical trials in the UK were signed into law on 11 April 2025.


A 12-month roll-out began on 11 April to deliver the most significant update to UK clinical trials regulation in two decades – with the aim of strengthening patient safety, accelerating approvals, enabling innovation and helping more people benefit from taking part in vital research.


The reforms will:


  • Put patients and their safety at the centre of all clinical trials and bring the benefits of clinical trials to everyone.
  • Cut duplication and unnecessary delays, while maintaining robust oversight of the safety of trials.
  • Create a proportionate and flexible regulatory environment, reducing bureaucracy for lower-risk trials.
  • Cement the UK as a destination for international trials.
  • Provide a framework that is streamlined, agile and responsive to innovation.


By reducing red tape and simplifying approvals, the new framework supports the Prime Minister’s target to reduce the time from application to first participant from 250 to 150 days. It will speed up research and reduce the time it takes for promising treatments to reach patients, without compromising on safety.


Read more on the website of the MHRA here.


For any questions on the UK's laws and guidelines on privacy and/or healthcare, contact one of our senior UK consultants, Julianne Hull (j.m.hull (at ) pharmarketing.net) or Dave Edwards (d.p.edwards (at ) pharmarketing.net).






Taiwan: Bill reforming the Data Protection Authority and the Privacy Law

Taiwan's Executive Yuan approved the draft Organization Act of the Personal Data Protection Commission (PDPC) as well as draft amendments to the Personal Data Protection Act (PDPA). 


The Organization Act outlines 11 measures clarifying the organisational structure of the PDPC.


The draft amendments to the PDPA include:

  • requiring public and nonpublic entities to preserve data breach incident records, 
  • revising the types of personal data that fall under reporting requirements and 
  • requiring public entities to appoint a data protection officer.


Read more: 

https://www.leeandli.com/EN/Ne...

https://www.jurist.org/news/20...






Examples of Non-Compliance with Health Data Privacy


Data Protection Authorities published several decisions related to the processing of health data in the past months.

Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


For each decision, we propose key takeaways. Use them as ideas and guidelines for your own organisation: check that such measures are implemented where you work, and if not, talk to your management (or talk to us!).


Many thanks to GDPR hub NOYB and to IAPP for all this valuable information!


Belgium:


Fact:

The Belgian DPA, the APD, held that a hospital manager who consults a subordinate's medical file beyond the scope of their internal competences acts as controller for that processing, not the hospital. However, the hospital still failed to notify the data breach to the DPA. Read more on GDPRhub.


Takeaway:

Send all your staff to a privacy refresher training every year. Have them sign a privacy policy.


Germany:


Fact:


The Federal Court of Justice held that when a customer orders pharmacy-only medications via a pharmacist's account on Amazon, the processing of that order data constitutes health data within the meaning of Article 9 GDPR. Read more on GDPRhub.


Takeaway:


This is clearly processing of personal health information ('PHI'): the processors will know the patient's name, the drugs he or she ordered and, by consequence, the pathologies the patient has. These are very sensitive personal data under privacy laws. As a consequence, all organisations participating in this process should be trained in privacy and have privacy clauses in their contracts; they should also implement strong IT security measures.


Iceland:


Fact:

The DPA fined a health service provider €34,360 (ISK 5,000,000) for unlawfully granting third parties access to its joint medical record system without seeking the prior permission required by national law. Read more on GDPRhub.


Takeaway:

Again, employees at the health service provider should attend a privacy refresher training, to learn that in all countries healthcare laws forbid a third person from accessing the health data of another person unless that person has a legal basis to do so. Typically, the medical team can access the data, but other persons cannot unless the patient has consented to it, or the third party works in the police, fire service, health emergency services, etc.

Also, this organisation should update its role-based access SOP and train its IT staff on it.


Italy:


Fact:

The Italian DPA, the Garante, fined a doctor €10,000 for unlawfully sending an email to his patients to promote his electoral bid for public office. The email reached approximately 500 recipients. Read more on GDPRhub.


Takeaway:


The doctor has access to his patients' email addresses only for the sake of providing healthcare to them.

Using their email addresses to send political information is a completely different purpose. The doctor should have requested explicit consent from his patients to do so.


Here, as the doctor didn't ask for consent PRIOR to sending the email, it's a breach of privacy.


Fact:


The DPA fined a health authority €5,000 for unlawfully disclosing patients' health data to several companies and external parties after a doctor shared a patient list to justify work schedule changes.

Read more on GDPRhub.


Takeaway:


As indicated above, healthcare laws prohibit the sharing of patients' data outside of the healthcare team, unless patients have been informed and/or consented to such transfer.


Fact:


The DPA fined a region €10,000 due to a data breach that made several data subjects' health records accessible to all users. The breach was caused by the insufficient security measures implemented by the region's sub-processor. Read more on GDPRhub.


Takeaway:


Same as above: healthcare laws prohibit the sharing of patients' data outside of the healthcare team. Here the region's sub-processor is not compliant with privacy laws, because it should have implemented strong IT security measures. The region is also responsible, as it should have checked, before contracting with the vendor, that the latter had sufficient IT security measures in place.


==> Keep in mind that the GDPR says that all stakeholders in the value chain share responsibility!


Malta:


Fact:


The DPA fined a health care provider €20,000 for unlawfully collecting a patient’s address from the electoral registry and for failing to update it despite the data subject’s requests. This led to medical examinations being sent to an outdated address. Read more on GDPRhub.


Takeaway:


Privacy laws state that organisations should keep personal data up to date at all times and should answer requests from data subjects within one month. So, here, the health care provider made 2 mistakes.

In addition to the non-compliance with privacy laws, the patient could have suffered health problems had he not received the medical examinations in due time to get appropriate treatment.


Romania:


Fact:


The DPA fined a medical clinic RON 9,946 (€2,000) after it erroneously transmitted medical data to the wrong patient via unsecured email. The clinic failed to report the incident to the DPA and the data subject and had insufficient security measures in place. Read more on GDPRhub.


Takeaway:


There are 3 non-compliance findings here:

1) medical data was transmitted to the wrong person

2) medical data was sent via unsecured email

3) the clinic failed to notify the DPA and the data subject


Sending an email to the wrong person can always happen due to human error, but it is not acceptable to use unsecured email when you work in healthcare, nor to fail to inform the Romanian DPA and the patient.


==> Please check that all your employees and subcontractors use secure emails.


Spain:


Fact:


The Spanish Society of Medical Oncology was fined €42,000 after its processor suffered a data breach revealing 2,622 patients' personal data, including health data. Read more on GDPRhub.


Takeaway:


Same as above: both the processor and the Data Controller (the Spanish Society of Medical Oncology) are at fault. The Controller should carry out due diligence as early as possible and check that the vendor has appropriate IT security measures in place, as recommended by article 28 of GDPR and by IT security guidelines (such as ISO 27001 or the guidelines from ISACA, for example).


USA:


Fact:


The U.S. Department of Health and Human Services' Office for Civil Rights (HHS OCR) and California-based PIH Health reached a USD 600,000 settlement over potential Health Insurance Portability and Accountability Act violations. The violations stem from a phishing attack that compromised employee email accounts and exposed unsecured electronic protected health information, affecting nearly 200,000 individuals.
Full story: 
http://info.iapp.org/MTM4LUVaT...


Takeaway:


A phishing attack can always happen, but organisations should have appropriate IT security measures, privacy policies for managing personal data breaches and a privacy training plan in place. If they are able to provide evidence to the local authority that they did so, the authority is usually more inclined to impose a lower penalty.

What is also important is how PIH Health managed the personal data breach: did they notify the HHS promptly and transparently? Did they collaborate closely with the HHS?


Do you want to train your staff on privacy laws, draft procedures for the management of potential data breaches, or check your contracts with your clients or vendors?


==> Contact us at contact ( at ) pharmarketing.net





IT Security for Dummies #4: Protecting personal data while traveling



At PharMarketing, we appreciate that most of our readers are versed in biology, medicine, chemistry, manufacturing, legal, regulatory or clinical operations, but few of them feel comfortable with IT.

So, we decided to start a series on 'IT for Dummies', to help you grasp key and useful facts about IT security in a simple way.

After discussing best practices with an external hard disk in Dec/Jan, the key clauses to have in a contract with a SaaS software provider in February, and the NIS2 Directive on Cybersecurity in March, let's now look at protecting personal data while traveling.


In a nutshell, the key measures to take are the following (this list comes from our experience; we don't guarantee it is exhaustive):

  • Back up the information on your electronic devices before departing.
  • Put a privacy screen on your laptop if you work in public areas like a plane, a train, a transit area at the airport, etc.
  • Make sure your devices go into sleep mode (with black screen) after a short time, for example 20-30 seconds, and that after that a password or a fingerprint is required to access your device.
  • Make sure all your devices are encrypted: laptop, mobile phone, external hard disk, etc.
  • If you leave your hotel room, put your devices in the safe; if the safe is not big enough for your laptop, attach your device to a fixed piece of furniture with a cable; if you forgot to bring a cable, ask the hotel reception to use their safe.
  • The same applies if you have a meeting in a rented room (like a Regus office) and go out for lunch: attach your device with a cable and make sure the door is securely closed.
  • When connecting to a free Wi-Fi in a public area (airport, restaurant, plane, train, etc.), always activate your VPN (Virtual Private Network)!
  • Always keep your anti-virus active on laptop and smartphone.
  • Make sure all your hardware and software are updated to the latest version.
  • Don't leave your electronic devices (and paper documents) unattended in a car, even for 2 minutes.
  • Make sure your electronic devices go into sleep mode (black screen) after a short idle time (e.g. 1 minute); then, make sure that a strong password or a fingerprint is mandatory to access your device again.


Do you think this advice is useless and that such incidents never happen?


If you knew how many of our clients have had very confidential information about their clinical research stolen, you would implement these measures immediately!


Read article from Axios on mobile phone data: https://www.axios.com/2025/03/...

Read article from Cybernews: https://cybernews.com/privacy/...


A question on this topic?

==> Contact our IT Security expert Bertrand at b.p.lebourgeois ( at ) pharmarketing.net










Mexico revises its Privacy Law



Thanks to IAPP for the article!


In the New Law, the references that were made to the INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, or in English 'National Institute for Transparency, for Access to Information and for the Protection of Personal Data') are replaced by references to the Secretariat, and the law no longer refers to the Ministry of Economy and other regulatory authorities. Some of the most relevant modifications to the text of the New Law are set out below.


Article 2, sections V and XVIII, defines "personal data" as "any information concerning an identified or identifiable person [...]" (as in the EU GDPR, comment from PharMarketing) and "owner" as the "person to whom the personal data correspond" (called 'data subject' in the EU GDPR, comment from PharMarketing), i.e., there is no longer any express mention of a "natural person". We will see if the legislator's intention was to also include legal entities or if it was simply an omission.


Article 9 excludes the consent of the owner when the processing of his or her personal data is provided for in a legal provision, no longer in a regulation with the status of law as previously provided. Likewise, the possibility of excluding consent when personal data is required to exercise a right is expressly included; previously it only referred to compliance with obligations arising from a legal relationship. Finally, section VII of the same article referred to the existence of a resolution of a competent authority, and the text of the New Law now includes a "judicial order, resolution or reasoned and reasoned mandate", which expands the cases in which an authority could request personal data from a responsible party.


With the previous law, it was understood that, if the personal data were intended to be processed for a purpose compatible with or analogous to the purposes informed and provided for in the privacy notice, it was not necessary to obtain consent again. However, the New Law establishes that "if the responsible party intends to process the data for a purpose other than those established in the privacy notice, it will be necessary to obtain the consent of the owner again" (Article 11).


The essential requirements of a privacy notice are modified in the New Law (Article 15), since now the data subject to processing and the purposes must be mentioned, differentiating those that require the consent of the owner. Likewise, it is not mentioned as an essential requirement to report on the transfers that are intended to be carried out.


When personal data is not collected directly and a simplified or short privacy notice can be used, the requirements that such a notice must contain are increased, somewhat diluting its simplified character since more information will have to be included.


The previous text of the law referred to the right of access as the possibility of the owner to know the personal data subject to processing and the privacy notice, and the text of the New Law mentions that the owner has the right to access their personal data, as well as "to know the information related to the conditions and generalities of their processing, through the privacy notice". This does not mean that previously this information was not provided to the owner, derived from an access request, but today the text is worded differently.


Article 26 expressly extends the right to object to cases where "there is legitimate cause and the specific situation of the owner so requires" and where "the personal data are subject to automated processing, which produces undesired legal effects or significantly affects interests, rights or freedoms, and are intended to evaluate, without human intervention, certain personal aspects or analyze or predict, professional performance, economic situation, state of health, sexual preferences, reliability or behavior".


As mentioned above, the chapter that referred to regulatory authorities and established their obligations and functions, such as the creation of guidelines and parameters for self-regulation, disappears, but the articles referring to self-regulation are retained.


Nowadays, the Anti-Corruption and Good Governance Secretariat does not have to submit an annual report of activities to Congress and neither is the attribution to develop, promote and disseminate analyses, studies and research on the protection of personal data expressly foreseen, in accordance with the modifications in Article 39 of the New Law.


Another important change: whereas the resolutions of the INAI could be challenged through the nullity trial, individuals will now be able to file an amparo lawsuit against the resolutions of the Secretariat, before district courts and collegiate circuit courts specialised in matters of access to public information and protection of personal data.


The latter will be enabled within the following 120 calendar days from the date of publication of the decree, that is, by June 19, 2025.


Despite the fact that we are facing a new law, we would dare to say that data controllers do not have to make major adjustments internally, since this New Law does not impose obligations radically different from those previously foreseen, or that were not already complied with as a result of good practices. However, we must be very aware of the new authority and know its priorities, criteria, way of working, etc., to safeguard the fundamental right to the protection of personal data, to which we are all entitled.


Read the article from IAPP (in Spanish): https://iapp.org/news/a/entend...





EMA: New Paper on Use of RWD for Regulatory Purposes


On 8 April 2025 the EMA released a reflection paper on the use of real-world data ('RWD') in non-interventional studies (NIS) to generate real-world evidence for regulatory purposes.


As you probably know, at this time the only guidelines for non-interventional studies (NIS) are those from the International Society for Pharmacoepidemiology (ISPE) and from the Network of Centres for Pharmacoepidemiology and Pharmacovigilance (ENCePP), so any additional documents are useful and welcome.


Also, NIS are not covered by the Good Clinical Practices (ICH E6 / GCP) at this time.

NIS using RWD can complement and support data from Randomised Clinical Trials (RCTs) by filling gaps in knowledge and reducing uncertainties about a product’s safety and effectiveness.

This reflection paper is relevant to all stakeholders involved in the planning, conduct and analysis of NIS using RWD to generate RWE to be submitted for regulatory purposes in the EU, regardless of whether the NIS is conducted in the EU or ELSEWHERE.

Download the EMA reflection paper on NIS here: https://www.ema.europa.eu/en/d...


Do you plan to launch a non-interventional study (NIS), or to build a Healthcare Data Warehouse (HDW), and need help with compliance with Privacy Laws, with local guidelines for HDW, with hosting healthcare data in the Cloud, or with IT security guidelines?

==> Contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net





EU to introduce Potential GDPR Simplification Reform: Will you Benefit from It?


At the beginning of April 2025, Politico reported that the European Commission plans to introduce a proposal to reform the EU General Data Protection Regulation in the "coming weeks," according to European Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection Michael McGrath.


The reform, part of a broader simplification of EU digital rules, is expected to focus on easing the GDPR's reporting requirements for small and medium-sized businesses. 


There are “a lot of good things about GDPR, [and] privacy is completely necessary. But we don’t need to regulate in a stupid way. We need to make it easy for businesses and for companies to comply," Danish Digital Minister Caroline Stage Olsen told reporters last week. Denmark will chair the work in the EU Council in the second half of 2025 as part of its rotating presidency.


McGrath confirmed that a proposal to simplify the GDPR is due in the “coming weeks.” The Commission had planned to agree on a so-called simplification package for small and medium-sized businesses on April 16, according to the Commission's diary, but that date has since been bumped to May 21.


BUT Don't dream! 


If you are a clinical stage start-up biotech based outside of EU, you will still have to appoint a Data Protection Officer and to draft a DPIA.


Why so?


This simplification initiative is targeted at small and mid-size businesses doing 'basic' activities: small shops in town, a car dealer, an online magazine sending basic news to its subscribers, etc.


Organisations doing medical research (or processing medical research data on behalf of their client) will still need to have a DPO because they process very sensitive personal data (PHI) from vulnerable data subjects (patients, children, elderly persons). 

Same for an online portal selling drugs via the internet to end consumers (see also the article on a data breach which happened to such a drug retailer).

Same for a commercial stage small pharma company selling drugs, as it probably collects sensitive personal data from patients on the occasion of adverse events or medical information requests.


For the same reason, a small marketing agency running huge direct marketing campaigns across the world for its clients, processing the email addresses and names of dozens of millions of data subjects across many countries, will probably still have to appoint a DPO, because of the large volumes of data and the number of countries involved.


This is exactly what the UK did in their simplification bill that passed into law in the past months. So, at PharMarketing, we can guarantee that this is what will happen also with the EU simplification reform.


Read the article from Politico: https://www.politico.eu/articl...


Do you want to prepare for this simplification reform? Contact us at contact ( at ) pharmarketing.net





US Department of Justice: Transfers of Data to 6 Countries of Concern: Impact for Life Sciences Industry


Are you sending patient data to China, Cuba, Iran, North Korea, Russia and Venezuela?


Then you might fall under the US rule from the Department of Justice (DOJ) limiting sensitive data transfers to adversarial countries.


How does this rule impact the health and life sciences industry?

Thanks to IAPP for the article!


The rule designates six countries — the People's Republic of China, including Hong Kong and Macau, Cuba, Iran, North Korea, Russia and Venezuela — as "countries of concern."


The rule exempts transactions that are ordinarily incident to and part of clinical investigations regulated by the U.S. Food and Drug Administration under sections 505(i) and 520(g) of the Federal Food, Drug, and Cosmetic Act — that is, the investigational new drug application and investigational device exemption requirements — or clinical investigations that support applications to the FDA for research or marketing permits for drugs, biological products, devices, combination products or infant formula.


In short, clinical trials data can be sent from the US to these 6 countries of concern.


That said, if a US company runs a clinical trial recruiting patients in one of these 6 countries, usually the data transfer will go from such country to the US, and not from the US to such country. So, such data transfer will not fall under this rule.


Read the full article from IAPP here:
https://iapp.org/news/a/doj-ru...


1. We developed a global template for the Informed Consent Form to Patients: we will use it as it is in all countries where our clinical study will recruit patients: is this ok?  yes / no

No, because in our experience each country, and even each Ethics Committee and each hospital, has its own template for such ICFs. The same applies to Clinical Trial Agreements, Information Notices to Investigators, etc.

==> If you need help to navigate the guidelines from different countries across the world for the wording to use in such documents, contact us at contact ( at ) pharmarketing.net


2. I heard that the EU Commission will simplify the GDPR (the EU Privacy Law) for small and mid-size organisations: as a start-up clinical stage biotech based outside of EU, can we expect that we will not need to have a Data Protection Officer anymore?  yes / no


No, as explained in the article above on this EU Simplification Reform of the GDPR.