Data privacy or information privacy is the relationship between collecting and disseminating data and the legal implications surrounding these topics. Privacy concerns arise whenever personal identifiable information is collected and stored. A control process over that collection and storage is required to be defined and communicated to the required governing regulation.
The International Conference on Harmonization, (ICH) E6, Guideline for Good Clinical Practice (GCP) states “The confidentiality of records that could identify subjects should be protected, respecting the privacy and confidentiality rules in accordance with applicable regulatory requirement(s).”
Mandatory EU Data Protection Directive 95/46/EC (1998) and 2001/20/EC (2004) covers privacy of all types of personal data including informed consents and data from clinical studies. These directives state that personal data “shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. EU are not allowed to transfer personal data to countries that the EU Commission has determined lack adequate subject privacy standards.
US Department of Commerce in collaboration with the EU developed Safe Harbor Principles to acquire adequacy determination must re-certify every 12 months. Companies must provide the following:
- Notice—Subjects must be informed of how their data will be collected and used.
- Choice—Subjects must be able to opt out of collection of their data and its transfer to third parties.
- Data transfers—any transfers of data to third parties must only be to other organizations that have rigorous data-protection policies.
- Security—all reasonable efforts must be made to prevent the loss of any data collected.
- Data integrity—Data must be reliable and relevant to the purpose for which it was collected.
- Access—Subjects must be able to access information about them that is collected, and have an opportunity to have this data corrected or deleted if necessary.
- Enforcement—a mechanism must be in place to effectively and consistently enforce these rules.
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 CFR Section 164.501, which defines individually identifiable health information as “…information that is a subset of health information, including demographic information collected from an individual and
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- That identifies the individual; or
- With respect to which there is a reasonable basis to believe the information can be used to identify the individual
Section 5 of the Federal Trade Commission Act (15 United States Code § 45(a)(1))
Code of Federal Regulations Titles 21 and 45, including the IRBs responsiblity for ensuring that informed consent documents include the extent to which the confidentiality of medical records will be maintained [21 CFR 50.25(a)(5)]. FDA requires sponsors (or research monitors hired by them) to monitor the accuracy of the data submitted to FDA in accordance with regulatory requirements. These data are generally in the possession of the clinical investigator. Each subject must be advised during the informed consent process of the extent to which confidentiality of records identifying the subject will be maintained and of the possibility that the FDA may inspect the records. While FDA access to medical records is a regulatory requirement, subject names are not usually requested by FDA unless the records of particular individuals require a more detailed study of the cases, or unless there is reason to believe that the records do not represent actual cases studied or actual results obtained. The consent document should list all other entities (e.g., the sponsor) who will have access to records identifying the subject.