Along with the promulgation of laws and regulations such as the Personal Information Protection Law of the People's Republic of China (hereinafter referred to as the "PIPL"), the personal information compliance in the life and health industry will experience a far-reaching change. The life and health industry is one of the industries which involve a lot of personal information processing activities. Pharmaceutical companies naturally access personal information of various groups of individuals during business operation, among which the personal information of Healthcare Professionals (hereinafter referred to as "HCP") is one typical type. The large amount of HCP personal information collected and stored by pharmaceutical companies, and the wide application of emerging digital operation technology in the life and health industry, have determined the urgent need for relevant practitioners to pay close attention to the protection of HCP personal information.
Typical scenario I: Daily visit to HCP or invite HCP to participate in academic conferences, lectures and educational activities
Daily visit/communication: The pharmaceutical representatives may collect personal information of HCP during their daily communication with HCP, such as their names, employers, departments, educational backgrounds and contact information. The personal information of these HCP may be obtained by the representatives through visits by themselves or from third parties (such as academic associations and industry associations). Some pharmaceutical companies use and develop digital tools (such as WeChat mini-programs and CRM systems) to assist the representative’s daily communication with HCP, via pushing academic content and recording the relevant communication. Companies may review HCP's operations in these programs and applications to understand their areas of interest and promote medical information and academic communication opportunities to HCP accordingly.
Academic conferences/educational activities: Usually a considerable number of healthcare experts will be attracted to act as speakers or participate in academic or educational activities jointly organized by pharmaceutical companies and third-party academic associations. Online meeting is also an important means of digital communication. Pharmaceutical companies often devote a lot of resources to the preparation of such meetings. The pre-meeting warm-up, in-meeting publicity and post-meeting follow-up may all produce content including corresponding HCP’s personal information, such as doctor's name, employer, position, contact information and even sensitive information like ID card number and bank account number.
Before collecting HCP's personal information, the legal basis for the collection and processing needs to be thought through. In general, two legal bases provided under Article 13 of PIPL are relevant: (i) necessity for conclusion and performance of a contract to which the HCP is a party, or (ii) informed consent (including separate consent).
The application of the first legal basis has its limitation because daily visit and communication to HCP do not necessarily lead to signing a contract with HCP. Meanwhile, it is also difficult to obtain the informed consent of the corresponding HCP before collecting his or her personal information during the daily visit activities.
In academic conferences or educational activities, if a conference is held by a pharmaceutical company in cooperation with a third-party organization, the company should, in principle, communicate with the third-party organization and require the third-party to acquire HCP’s informed consent and fulfill other relevant legal obligations. When pharmaceutical companies obtain relevant personal information from the third parties, both parties shall clarify the allocation of respective rights and obligations in the written contracts expressly.
If pharmaceutical companies hold academic conferences or educational activities on their own, they should pay attention to distinguishing between HCP with contracts and HCP without contracts.
For academic conferences/educational activities involving signing of contracts with HCP, “the necessity of performing contracts” can be considered as the legal basis. Nevertheless, in this case, the scope of collection and processing of personal information should be strictly limited to the minimum necessity. For example, when signing a contract with HCP for providing an academic conference lecture, the scope of personal information that can be collected should be those necessary to fulfill the lecturing obligation of the HCP. This legal basis cannot be used to justify the collection of personal information that are not directly related to the delivery of the lecture, such as the speaker's home address. In addition, companies need to consider, if the contract signing party for the academic activities is a third-party academic association, whether the transmission of HCP personal information from such third-party organization to the pharmaceutical company, or even to its domestic or overseas affiliates, are all necessary to perform the contracts with HCP.
When HCP personal information is collected and processed without a contract or more than what is necessary to fulfill the contract, the informed consent of the HCP is required prior to the collection. The informed consent of HCP participating in the meetings may be obtained offline by signing a document or online through system interfaces. The scope of consent needs to be adjusted according to the business practice, meaning that the subject, purpose, scope and method of processing personal information should be described as detailed and accurate as possible. Any vague or general words should be avoided.
In addition to general informed consent, attention should be paid to whether any separate consent is required. For example, in the case of transferring HCP personal information to overseas affiliates of pharmaceutical companies, the consents to such cross-border transfer shall not be mixed in the general consents. Instead, pharmaceutical companies shall clearly inform HCP of the name, contact information, processing purpose, processing method, type of personal information of the overseas recipient, and the way and procedure to exercise their rights of information, and to obtain their separate consents to such cross-border transfer. Separate consent is also required in connection with the handling of HCP's sensitive personal information, the provision of HCP's personal information to other personal information processors, and the public disclosure of the HCP's personal information. Separate consent can be obtained through a separate notification page, or sometimes in practice, by setting up a separate column on the notification document for the information subjects to check.
In addition, if pharmaceutical companies use software, applications or WeChat mini programs to analyze HCP's browsing preferences and conduct personalized promotion to HCP, companies shall pay attention to the legal obligations associated with automated decision-making. While providing customized information to HCP, pharmaceutical companies shall also provide options that are not customized, or to provide HCP with convenient options to refuse the customized information. It is also necessary to conduct a prior assessment of the personal information protection impact of the automated decision-making behaviors and record the handling details. The assessment report of the personal information protection impact and the handling record shall be kept for at least three years.
Typical Scenario II: Product R&D/Scientific Research Activities
As part of their product R&D and registration application activities, pharmaceutical companies acting as the sponsor would fund clinical trial institutions and researchers to conduct relevant clinical trials. In the process of conducting clinical trials, the sponsors, CROs, SMOs and clinical trial institutions may all obtain the personal information of the researchers and the staff of clinical trial institutions through various means.
When multiple parties are involved under one personal information processing scenario, the first step of legal analysis is to clarify the role of each party under PIPL. CROs are often funded by the sponsor, and they carry out corresponding activities directly according to the instructions of the sponsor. The sponsor has respective control and supervision authority over the CROs. Generally speaking, the relationship between the sponsor and a CRO is a typical entrustment relationship between the personal information processor and the entrusted party.
There is often no direct instruction and supervision relationship between clinical trial institutions and sponsors. Although clinical trial institutions should carry out clinical trials based on clinical trial plans that contain and reflect the will of the sponsors, the specific processing of clinical trial data is mostly determined by researchers and clinical trial institutions according to the actual research necessity. There is usually limited specific or detailed instructions from the sponsors on the data processing. Therefore, it may be more appropriate to regard clinical trial institutions as independent processors from the sponsors.
For SMOs, although they are often hired by the sponsors, in the whole process of clinical trial, SMOs mainly communicate with clinical trial institutions, and SMOs’ data processing instructions usually come from clinical trial institutions, so it may be more appropriate to regard SMOs as the entrusted party of clinical trial institutions.
Since this article mainly discusses the protection of HCP personal information, though there are usually many categories of personal information subjects involved in clinical trials, the following discussion only focuses on HCP personal information in clinical trials.
The personal information of HCP involved in clinical trials mainly come from researchers and staff of clinical trial institutions. The personal information may be collected through verification of the researchers' qualification in the early stage or communication with the researchers in the process of clinical research. For researchers, since they sign the clinical trial agreements, collection of their personal information can be considered based on necessity of the conclusion and performance of contracts.
As for other staff of clinical trial institutions, one way is to require the clinical trial institution to guarantee that the consent of the staff on the provision of their data to pharmaceutical companies has been obtained; the other way is to check whether there are corresponding personal information clauses in the clinical trial institution’s internal personnel management rules and regulations.
When signing data agreements among the sponsor, the researcher and the clinical trial institution, the sponsor is suggested to specify the processor and the entrusted party under different processing scenarios, especially in the clauses concerning the response to the request of personal information rights of the data subject and the handling of data security incidents.
Another compliance difficulty encountered in practice is that pharmaceutical companies in China may need to submit international project cooperation application as the sponsor of the clinical trials. In an international cooperation project, it is necessary to exchange information and data with overseas related parties or cooperative scientific research institutions, which often involve personal information of relevant HCP. In practice, CROs may bring risks to pharmaceutical companies due to lack of compliance awareness or ability when dealing with cross border transfer of data. This requires pharmaceutical companies, on the one hand, to assess their CROs’ data compliance awareness and ability when selecting them, and on the other hand, to set forth the CROs’ obligations and liabilities in the clinical trial contract or a separate information processing entrustment agreement. The pharmaceutical companies shall utilize their strong management power over the CROs to limit their processing activities. CROs shall process (including but not limited to, transfer cross-border) HCP personal information only within the scope authorized by the pharmaceutical companies. In addition, pharmaceutical companies shall set up strict supervision mechanisms for CROs’ processing activities (such as regular audits and random checks on CROs) and clarify the liabilities of breach of contract. Furthermore, it is also necessary to conduct a personal information protection impact assessment and record the entrusted handling activities of CROs. The protection impact assessment reports and the handling records shall be kept for at least three years.
Typical scenario III: The Internet medical platform receives HCP personal information obtained through crawlers and other technical means.
The vigorous growth of internet medical platforms conforms to China’s policy trend of promoting the development of "Internet + medical health". In the past few years, internet medical platforms have given full play to its advantage of not being constrained by space and significantly improved the sufficiency of modern healthcare services. In order to expand the platform business and increase market share, many internet medical platforms hope to recruit well-known healthcare experts to attract customers for their platforms, and also recruit a large number of doctors to provide health consultation services for online users. In this process, the internet medical platforms may purchase the data or services from the upstream crawler data providers to screen the HCP they want to recruit and display on their platforms.
Since internet medical platforms are mostly downstream receiving party of the crawler data, i.e., they are not capturing the data using crawler technology by themselves, they often neglect the compliance issue of the crawler technology. However, even as the receivers of crawler data, companies shall not take it for granted. They need to examine whether the use of crawler data is compliant from the following two aspects.
On one hand, crawler data suppliers should be required to use crawler technology in an authorized way, to use crawler software without violating the anti-crawler statement or other relevant policies set by the websites, and to provide services that do not exceed the scope of the original authorization. The liability for breach of the above commitments by the suppliers shall be set out in the agreements in advance.
On the other hand, in the process of obtaining and using crawler data, internet medical platforms should strictly review the scope of their own data use to ensure that all necessary authorizations have been obtained. If any use in the operation of the platform exceeds the scope authorized by the original data subject, the consent of the data subject shall be obtained again. Even if certain HCP personal information is disclosed on another website, it does not mean that such information can also be disclosed on the internet medical platforms to attract patients and customers.
In addition, if large amount of crawler data is grabbed from the platform’s competitor and is used by the platform to provide services similar to its competitor, even if the supplier's behavior of obtaining such data does not violate the anti-crawler statement set by the website, there is high risk of being regarded as unfair competition. Internet platforms should pay attention to avoid such non-compliant activities.
Due to its nature, life and health industry is surely subject to high standards in terms of personal information protection. Although the PRC regulations on personal information and data protection are becoming more mature, its application in the life and health industry is still in its preliminary stage. For pharmaceutical companies, how to implement personal information protection in a compliant and practicable way is a top priority, while many doubts are waiting to be answered. One thing is for sure, the information protection measures of pharmaceutical companies will not be limited to simple application of the law, but an integration with the industry characters.