Understanding Special Privacy Shield Requirements for Pharma & Medical Companies

The EU-US Privacy Shield framework is an approved transfer mechanism for personal data from the EU to the United States, meaning that once self-certified, companies have “adequate” protections when transferring personal data.

Businesses involved in clinical, medical, and other forms of scientific research may not be aware that there are specific requirements under Privacy Shield that apply to those fields.

The requirements may create the need for additional privacy policy controls, so companies in those fields should check to ensure that all requirements are being met.

These requirements are addressed in the supplemental principles of Privacy Shield and can be found on the Department of Commerce’s website.

Pharma & Medical Companies Need Adequate Protection for Transferring Personal Data

Data Collection and Processing Before Onward Transfer

Under Privacy Shield Supplemental Principles III Section 14.a, EU Member State laws apply to the collection of personal data and to any processing that takes place for pharmaceutical research and other scientific or medical purposes before transferring data to the U.S.

Anonymization of that data is also required where appropriate and if the Member State requires it.

Companies will need to determine whether personal data needs to be transferred in an identifiable form or if the data should instead be pseudonymized or anonymized prior to transfer.

Appropriate situations for anonymization may include any circumstance that does not require personal information, such as using information for historical or scientific research purposes.

For more information on anonymization techniques, please see Article 29 Working Party’s Opinion 05/2014 on Anonymization Techniques.

Additional Notice Requirements for Scientific Research

There are several disclosures that a company will need to provide to patients prior to the collection of their personal data for scientific research purposes.

Notice should be provided to a patient prior to personal data collection if a company will use that personal data in new and future research studies.

This will give the company permission to use an individual’s personal data without additional permissions if the collection of the data is consistent with its original purposes.

In general, the notice must include information regarding any future specific uses of the data, such as periodic follow-up, related studies, or marketing.

The notice provided must also explain that personal data may be used for future research that may be unanticipated but is consistent with the original research study’s purposes.

If, however, there are new research purposes that are not consistent with why the patient’s personal data were originally collected, companies would need to obtain consent for those new purposes.

It is also recommended to disclose to the patient that the company may still use the data even if the patient decides or is asked to withdraw from a clinical trial.

This disclosure should also take place prior to any personal information collection; it preserves the company's right to continue processing, for its research, any personal data collected before the patient's withdrawal.

Access and Notice Requirements for “Blinded” Studies

The nature of blinded studies doesn’t always permit companies to provide individuals access to their personal data.

Providing information about medication or other test factors to a patient may jeopardize the results of these studies.

In order to ensure that companies that participate in Privacy Shield can also meet access requirements under these conditions, notice must be provided to the patients that disclosure of this information may jeopardize the integrity of the research effort.

At the conclusion of the trial and analysis of the study’s results, participants should have the right to request access to their data.

Usually, this access would be provided through their healthcare physician or treatment facility.

Data Transfers for Regulatory and Supervision Purposes

Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials in the EU to regulators in the US.

This data transfer must specifically be for regulatory or supervision purposes.

Similar transfers for the same purposes are also permitted to other parties, such as other company locations or other researchers, but they must be consistent with the Privacy Shield Principles, in particular Notice and Choice.

Under Certain Circumstances, Privacy Shield Principles Not Required for Product Safety and Efficacy Monitoring

Under some circumstances, a pharmaceutical company may be required to provide reports for adverse events or safety reporting requirements.

Pharmaceutical companies may have information that identifies an individual (such as gender, medical condition, age), but they do not have a direct means of receiving consent from that individual under these circumstances.

Fortunately, a pharmaceutical or medical device company does not have to comply with the Privacy Shield Principles if the data is used for product safety or efficacy monitoring activities and the Principles (Notice, Choice, Accountability for Onward Transfer and/or Access) would interfere with the company's compliance with regulatory requirements.

This exception includes reports from

    • healthcare providers to pharmaceutical and medical device companies
    • pharmaceutical and medical device companies to government agencies

Key-Coded Data is Not Personal Data

Key-coded data is not considered personal data if

    • The research data was uniquely key-coded by the principal investigator;
    • The key-coded data does not reveal the identity of any individuals;
    • The sponsor pharmaceutical company does not receive the key; and
    • The unique key is held only by the researcher so that she can identify research subjects under special circumstances only.

If all of these elements are met, then the key-coded data is not subject to the Privacy Shield Principles.
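The key-coding arrangement above, as an added illustration that is not part of the original post and not any specific sponsor's or investigator's system: the principal investigator assigns each subject a random code, keeps the only code-to-identity table, and hands the sponsor a dataset that carries research fields but no direct identifiers. The records, the identifier field names and the re-identification helper are constructed assumptions for the example.

```python
import secrets

# Direct identifiers that must never leave the investigator site (assumed set).
DIRECT_IDENTIFIERS = ("name", "dob", "hospital_no")

# Constructed sample records (hypothetical, not real patients) as held by the
# principal investigator before key-coding.
SITE_RECORDS = [
    {"name": "A. Alpha", "dob": "1968-03-12", "hospital_no": "H-0001",
     "arm": "drug", "week12_hba1c": 6.8},
    {"name": "B. Bravo", "dob": "1975-11-02", "hospital_no": "H-0002",
     "arm": "placebo", "week12_hba1c": 7.9},
    {"name": "C. Charlie", "dob": "1981-07-30", "hospital_no": "H-0003",
     "arm": "drug", "week12_hba1c": 7.1},
]


def key_code_records(records, code_factory=lambda: secrets.token_hex(6)):
    """Split records into (coded_dataset, key_table).

    Codes come from a random source, not from the identifiers, so the coded
    dataset alone cannot be reversed; key_table is the only link back and
    stays with the investigator. The sponsor receives coded_dataset only.
    """
    coded, key_table = [], {}
    for rec in records:
        code = code_factory()
        while code in key_table:  # guard against a (very unlikely) collision
            code = code_factory()
        key_table[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        research_fields = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        coded.append({"subject_code": code, **research_fields})
    return coded, key_table


def check_sponsor_dataset(dataset):
    """True if no record carries a direct identifier, i.e. fit to send to the sponsor."""
    return all(not any(k in rec for k in DIRECT_IDENTIFIERS) for rec in dataset)


def reidentify(code, key_table):
    """Investigator-only lookup for the 'special circumstances' case; None if unknown."""
    return key_table.get(code)


if __name__ == "__main__":
    sponsor_dataset, investigator_key_table = key_code_records(SITE_RECORDS)
    print("sponsor dataset identifier-free:", check_sponsor_dataset(sponsor_dataset))
    print("site records identifier-free:", check_sponsor_dataset(SITE_RECORDS))
```

Running the check against the original site records fails while it passes for the coded dataset, which is the test to apply before any onward transfer to the sponsor.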


Demonstrate your commitment to privacy, and differentiate your organization

With privacy certifications and assurance solutions from TrustArc, you can demonstrate privacy compliance, reduce risk and build trust through an independent review powered by technology and delivered by privacy experts.

TrustArc offers a comprehensive TRUSTe Privacy Shield Assessment and Verification program for your pharma or medical company. Learn more.