The past year has seen China’s data security framework take shape, raising compliance requirements for entities engaged in data processing, with the Data Security Law and the Personal Information Protection Law (PIPL) coming into force, rounded off with the Cybersecurity Law, the Regulations on Protecting the Security of Critical Information Infrastructure, the Measures for Security Assessment of Overseas Transfer of Data (Draft for Comments) and the Regulations for the Administration of Cyberdata Security (Draft for Comments).
The author will address the transfer of medical data from the perspective of Chinese pharmaceutical companies during cross-border approvals of Investigational New Drug (IND) applications and New Drug Applications (NDAs), as well as the latest trends in data security regulation.
Cross-border data transfer
Cross-border transfer of medical data in IND and NDA processes mainly occurs when applying to overseas drug regulatory authorities for IND and drug clinical trials, and when submitting an NDA to overseas drug regulatory authorities.
When applying for IND, pharmaceutical companies are usually required to submit pre-clinical trial data (e.g., data from animal pharmacology/toxicology studies), information on drug ingredients and production, clinical protocol and investigator information. If drug clinical trials are conducted in an international multi-site manner, the trial data collected and generated at each site should be aggregated for statistical compilation, processing, analysis and monitoring.
If the trial sponsor sets up a unified data processing centre overseas, the clinical data generated in China need to be transferred across the border. Additionally, if the Electronic Data Capture (EDC) system deployed on overseas servers is used in the trial, cross-border transfer of domestic clinical data will also be involved.
In NDA applications, it is usually necessary to provide overseas regulatory authorities with information including: drug production information; non-clinical pharmacological and toxicological data; human pharmacokinetics and bioavailability data generated in clinical trials; microbiological data; clinical data; safety update reports; statistical data; case report forms; relevant patents; samples; and packaging and labels.
Security assessment required?
From the perspective of personal information: New drug clinical trials in China involve the collection and processing of basic information, physiological indicators, test results and other medical and health data of subjects. However, according to the requirements of China’s Good Clinical Practice, Technical Guidance for Clinical Trial Data Management and other specifications, clinical protocols and databases have been designed to protect personal information of subjects, including replacing the names of subjects with identifiers, which also applies to adverse events and other trial data.
Therefore, trial reports and materials in IND and NDA applications usually do not include personal information that directly identifies subjects, and the number of subjects involved is relatively limited.
The application materials will also include some ordinary personal information, such as the names and emails of sponsors, investigators and CRO staff.
In respect of a new drug R&D company, the scale of personal information it processes in China rarely exceeds the threshold of one million subjects. Therefore, unless relevant parties are identified as critical information infrastructure operators, there is no need to declare security assessment for cross-border transfer of data.
In addition, the clinical trial data may also include information about subjects’ human genetic resources. The Biosafety Law and the Regulations on the Administration of Human Genetic Resources provide requirements for approval or filing and backup for the overseas transfer of China’s human genetic resources information in different scenarios.
Subject to the principle that “specialised laws prevail over general laws”, and according to the arrangement in article 2 of the Measures for Security Assessment that “if otherwise provided by laws and administrative regulations, such provisions shall prevail”, to the author’s understanding, transfer in such scenarios shall be subject to the requirements of the Ministry of Science and Technology.
From the perspective of important data: According to the drafts for comment of the Measures for Security Assessment and the Regulations for Cyberdata Security, as long as the data transferred overseas include important data, it is necessary to declare a security assessment. However, what exactly constitutes important data and how to identify it require clarification by regional and industry authorities.
Although a national standard (draft for comments) distributed on the internet mentions, when describing the characteristics of important data, that “experimental data of drugs concerning national strategic security submitted for new drug application” are important data, it also provides that the categories/characteristics of important data in an industry/field shall be defined by regional and sector authorities. Therefore, the matter remains to be clarified and guided by the catalogue of important data from the competent authorities (i.e. National Medical Products Administration and National Health Commission).
According to the new regulations, relevant parties in new drug R&D are also required to comply with the following obligations regarding cross-border data transfer:
- In addition to disclosing the cross-border transfer of data in the consent forms for trial subjects and obtaining their express consent, where personal information of staff is involved, the staff must also be informed of such transfers in writing and give express consent.
- Establish a self-assessment system within the institution, sort out the cross-border data transfer activities involved, conduct risk self-assessment according to the PIPL, Measures for Security Assessment and other requirements, and retain the assessment reports.
- Update the contractual provisions with overseas partners in the process of IND application, clinical trials and NDA (such as foreign institutions in clinical trials, overseas registration agents, and overseas technical service institutions), and stipulate their obligations of security protection for data received from China.
- Retain the logs and records of cross-border data transfer involved in relevant scenarios for at least three years.
Zhou Hanshuo is a partner at Jingtian & Gongcheng
45/Floor, K.Wah Centre
1010 Huai Hai Road (M)
Shanghai 200031, China
Tel: +86 21 5404 9930
Fax: +86 21 5404 9931