As a society, we place a huge value on data: from supermarkets using our previous shopping habits to help us effortlessly select our preferred tea bags, to insurance companies tailoring their offerings to our specific motoring needs. With the proliferation of digital technology, we are collecting more and more data in real-time, through which we can discern patterns in behaviour and begin to predict events. The health care market is no exception.
Despite the exciting new opportunities that the expansion of health data creates, these opportunities are necessarily bounded by the legal framework which governs how data can be collected, accessed, and used. In an OHE Consulting Report, recently published, we outline the main legal barriers to the better use of health data to deliver pharmaceutical innovation. To identify tangible and specific legal barriers, we investigated the legal issues arising from six key activities along the pharmaceutical lifecycle:
- Epidemiology and pharmacoepidemiology: identifying unmet need
- Pharmacogenetics: targeting development
- Interventional studies
- Non-interventional studies
- Managed entry agreements
A key development in this space was the introduction of the General Data Protection Regulation (GDPR) earlier this year. For most, mention of the GDPR seems to conjure feelings of uneasiness (what does this mean for me?), confusion (is this personal data, and do I need consent/re-consent to use it?), or exasperation (dealing with the flood of new privacy notices filling up your email inbox from other companies grappling with the same issues). The Regulation, which became law across all European countries in May 2018, intends to harmonise data protection practices across Europe. However, considerable ambiguity remains. This ambiguity – which arose in consideration of all six activities considered in our report – is principally around the appropriate legal basis for data processing in the absence of consent. Under the GDPR, pharmaceutical companies should be considered to have “legitimate interests” in processing data (Article 6), which due to its sensitive nature must and does undergo rigorous safeguarding activities, and must meet one of the additional legal bases for processing health data outlined in Article 9: (h) provision of health or social care, (i) public interest in the area of public health, or (j) scientific research. In our report we speculate which legal bases may be most appropriately applied to the six pharmaceutical activities studied, but clear guidance and consensus is required.
The legal barriers that arise in the utilisation of data by pharmaceutical companies vary across a product’s lifecycle. However, the main issues can be described under eight main themes.
- Data subject rights are not absolute and may be more limited within the context of health research due to the scientific or public interest merits of the data use, along with the high level of safeguards in place to protect data.
- Data ceases to be personal once anonymisation has been achieved, in which case it does not fall under data protection legislation. Where anonymisation is not possible, processors must have a legal basis for processing data.
- One such basis is (informed) consent. However, a key challenge is in constructing consent that is broad enough to permit later research, but specific enough to meet legal standards, particularly within the heightened requirements of the GDPR. We argue that these requirements are not usually compatible with medical research, and whilst consent is critical for other reasons, it should not usually be the legal basis for data processing.
- However, as outlined already, uncertainty around the appropriate legal basis for processing data under the GDPR is currently a major issue for industry.
- There is a need for a shared and consistent understanding of the compatibility of primary and secondary (re-)use of data.
- This addresses the heterogeneity both within and between countries that arises from divergent interpretations.
- There is a need for clear guidance or minimum standards for industry in the emerging area of digital health.
- Promoting confidence and engendering trust is fundamental and is achieved through being transparent and sharing good practice. The public must be convinced of the benefits of data processing for pharmaceutical research, and of the high safeguarding standards employed in handling their sensitive information.
The GDPR was not designed to hamper important scientific research, and we propose that it does not create new legal barriers. In assessing the legal barriers to the better use of data, many of the issues we identified were uncertainties rather than barriers per se. Therefore, there is a strong case for industry to deal proactively with the uncertainties, sharing good practice and engendering trust by co-creating a code of conduct, outlining principles of responsible use.
We all have a stake in how our health data are collected and used to drive innovation and improvements in health care delivery. A shared understanding of the value to society of pharmaceutical research is therefore necessary and underpins our legal frameworks.
Cole, A. and Towse, A., 2018. Legal Barriers to Better the Better Use of Health Data to Deliver Pharmaceutical Innovation. OHE Consulting Report, London: Office of Health Economics.
Cole, A., Garrison, L., Mestre-Ferrandiz, J. & Towse, A., 2015. Data Governance Arrangements for Real-World Evidence. OHE Consulting Report, London: Office of Health Economics. RePEc.
Posted in OHE Consulting, Innovation, Drug Development/R&D | Tagged Consulting Reports