The Learning Objectives for this podcast are to understand the scope and requirements of the main privacy laws and regulations, covering data types and processing activities including collection, usage, data retention, subjects’ rights and much more.
This podcast also considers the risks and practical application of the regulations in the conduct of various Medical Affairs activities.
Moderator: Jon Dixon
Speaker: William Mwiti
Following is an automated transcription provided by otter.ai. Please excuse inaccuracies.
00;00;00;00
MAPS
Oh. Welcome to this episode of the Medical Affairs Professional Society podcast “Elevate”. The views expressed in this recording are those of the individuals, and do not necessarily reflect on the opinions of MAPS or the companies with which they are affiliated. This presentation is for informational purposes only and is not intended as legal or regulatory advice. And now for today’s “Elevate” episode.
00;00;33;09
Jon Dixon
Welcome to this podcast on how to navigate privacy regulations in Medical Affairs. My name is Jon Dixon. I’ve had a long career in GlaxoSmithKline, the last 12 years of which were in Medical Governance and Risk Management. And today we’re going to be having a conversation about privacy. And I’m delighted to have an expert to lead a lot of that conversation. And so, Jessica, perhaps you’d care to introduce yourself.
00;01;06;10
Jessica Santos
Thank you, Jon. Delighted to be here. I’m Jessica Santos, currently a Compliance and Regulatory Lead for Medical Affairs, serving as Global Head of Compliance and Quality Management, and also acting as a Data Protection Officer for Oracle Life Science.
00;01;24;06
Jon Dixon
Great. So privacy is a bit of a hot topic in Medical Affairs circles, but why is it such an important consideration?
00;01;34;24
Jessica Santos
Well, the primary purpose for Medical Affairs is to ensure scientific integrity of a company’s products and provide unbiased, evidence-based information to healthcare professionals, patients, and other stakeholders. And the right to privacy is recognized as a fundamental human right. So it fits into the scope of Medical Affairs very well. After all, protecting individual privacy is not just the right thing to do, but there are laws and regulations that must be followed. And if we don’t, then there are potentially very significant consequences.
00;02;14;28
Jon Dixon
Right. So we’ll get into those regulations shortly. But what sort of information is in scope when we think about privacy, particularly in our industry?
00;02;28;12
Jessica Santos
That’s a very good question. And that’s the first thing that any practitioner needs to establish. So first of all is the data subject: who are we here to protect? It’s about patients, HCPs, payers and other stakeholders, which could include employees, business contacts, etc. Not entity level; entity level is business to business. So the data subject, that’s the first point. Second point is the type of data we’re talking about. We can talk a bit more about the types of data in the later questions. But they can be personal data, which is the term more likely used in GDPR and on the European side of the scope. And in America you usually hear the term PII, personal information, and PHI. Or pseudonymous data, aggregated data, anonymized data and confidential data. So different types of data need different types of protection or safeguarding measures. And then there is the legal basis for data processing: how are we going to process this data? There are a number of things that can potentially be your legal basis: consent, contract, legal obligations, vital interest, public task. And you need to be clear what you are using and how to do that. So staff’s personal data, the details and names of HCPs and other contacts, patient IDs, patients’ medical records, patient data. The potential scope can be huge. But first of all is to be clear: what is your data subject? What are we doing here, and what is the legal basis?
00;04;14;28
Jon Dixon
So there’s a lot to get our heads around there. So let’s try and frame up, then, the main international laws and regulations that cover data privacy. Because that’s going to be pivotal, I think, to the way this conversation goes.
00;04;31;29
Jessica Santos
It’s a very good starting point to ask which laws and regulations we’re talking about. So I would say the most famous one is GDPR. It covers the whole European continent, and not just in Europe, but also any entity that aims to engage in any data processing activity with Europe or has an establishment in Europe. So the terms that you usually see in GDPR will be data controller versus data processor, which we will talk a bit more about later. And in the States, in America, HIPAA is probably the most famous one in the healthcare setting. They use different terms like covered entities and business associates, which have different terminologies in that scope. And then look at the rest of the world. I would say that most countries have some level of privacy regulations in place. Some of them are very similar to GDPR level, and some of them could give the entities a bit more flexibility, but still GDPR is a good point to start with. It covers different principles, rights of data subjects, obligations of controllers and processors, how they’re enforced, etc.
00;05;50;10
Jon Dixon
Okay. So that’s Europe and the US. But there are other regional and local laws that we should also perhaps be aware of. Perhaps you could say a few words about this.
00;06;02;04
Jessica Santos
Oh, yes. Absolutely. So for the rest of the world other than Europe and the US, like I mentioned earlier, most of them have some level of privacy law. Some of them can be very strict. So there’s the Data Protection Act in the UK, PIPL in China or LGPD in Brazil, and in the US it’s state based. So every state, every sector has their own privacy law. It comes and goes. I think right now half of the United States have some level of state-level privacy laws.
00;06;35;11
Jon Dixon
Right. So I won’t ask you to explain all those acronyms, but it’s clear that different countries have different regulations, and everybody needs to pay attention to the laws and regulations in their own country, and any of the countries that may be impacted by the work they’re doing. So GDPR, though, does come to the front as perhaps the most comprehensive of these regulations. Can you walk us through some of the key principles of GDPR, please?
00;07;09;11
Jessica Santos
The key principles of GDPR, again, are based upon the protection of privacy as a human right. So start with lawfulness, fairness and transparency. That is, processing must be lawful, fair and transparent to the data subject, which comes later. Like, you need to tell people what you are doing. Second is purpose limitation: data should only be collected for specified, explicit and legitimate purposes, which is basically saying that if you don’t need it, don’t collect it, don’t process it. Data minimization is connected to purpose limitation: only necessary data should be collected and processed. Then accuracy: data must be accurate and kept up to date. So if any entity is holding very old historical data, you may need to ask yourself the question, do I still need it? And that comes to the next point on storage limitation. Another principle is that data should not be kept longer than necessary. That is usually in conflict with some company policies, that is, let’s keep it just in case. But privacy law is always: don’t keep it unless you can tell me exactly why you need it. The next principle is integrity and confidentiality, or security. That is, data must be processed securely to prevent unauthorized access or disclosure. Also, companies fall down on that: who can access what is actually quite a difficult task to manage. People come and go, and different people are assigned different roles. So you really need to keep a very up-to-date log for that. Accountability: that is, organizations are responsible for demonstrating compliance with these principles.
00;09;03;17
Jon Dixon
Right. So the pharma industry collects an awful lot of data, particularly patient data, through its involvement in clinical trials. And this leads to different types of data being held, and indeed being required by regulatory authorities in order to get new medicines licensed. So you touched on different types of data for which there may be different rules. So I wondered if you could talk a bit more about that so that we understand the different types and what rules might apply to those different types.
00;09;41;07
Jessica Santos
Right. So understanding the data type, I would say, is usually the very first real task for any practitioner getting into your project or your task. The first part is: is it personal data you are collecting or processing? All personal information: in some legislation in America they call it PII, personally identifiable information, or PHI, protected health information. So all of this is related to whether that information is able to identify an individual. The US is actually quite easy to implement in a way, because they have 18 identifiers, the HIPAA identifiers. You can go down the list, one, two, three, four, five. So that typically will be name, telephone number, email address, social security number, etc. So if you delete all of that group, there’s no PII in the data. With GDPR, personal data or personal information can be a bit more subjective. It’s: with your data set put together, can you identify that individual? With some patient records we can see and say, okay, this particular individual is 89 years old and they can still run a marathon, and living in this particular postcode, well, there are only so many of them. And so even without the name, telephone number, address, you probably can still see it. So that is personal data, and that is the fundamental scope within all the privacy legislation. Second part is pseudonymous data. Pseudonymous data has no obvious PII in it, but then you have a very clear ID that links to the personal data. So the treatment, I mean the safeguarding measures, for pseudonymous data is still on the same level as personal data. The next level is aggregated data. Aggregated data is where we’re talking about X percentage of my data set being in this condition or living in this particular region. And so they are not in the scope of privacy legislation anymore. But you do want to make sure your sample is big enough. Another level is anonymous, anonymized data.
Again, it’s not in the scope of personal privacy legislation, but you really need to make sure that it is absolutely anonymized. That means no way, no way at all, can you go back to that individual. So some of the cases will be: I don’t have it, I don’t know any individual, but your third party may do, or the other department in your company may do. Or if you connect this database with another database, where both of those databases are under the same controller, that could potentially still be identifiable and be perceived as personal data. So these are the shortfalls that you need to look into. Last but not least is confidential data. Confidential data is not in the scope of privacy law, but there are still a lot of liabilities coming into it. So in any data set, a data subject could disclose something confidential, not about them. And if there is a personally identifiable field connected to it, you may want to put the same safeguarding measures in place. Or a company’s information, which for all of us, if you are employed by a company or getting commissioned or in the supply chain, is also in the scope. So where do you get the data from? Usually you have a primary source or a secondary source. The primary source means you collect it from the data subject directly. That means you have the data subject in front of you, and you can ask for consent, which we can talk a bit more about later. And the other part is secondary. Secondary means the data already exists and you want to use it for some other purpose. And so again, you want to understand that particular secondary data. Is there any personal data in it? Is it pseudonymized? Is it anonymized or aggregated already? And how do you repurpose that data usage, which is not what you collected it for originally? That’s another subject we can talk about. Finally, data retention. How long can you keep personal data for? Again, the shorter the better.
And anonymized or aggregated data you can keep longer, based on your subject purpose.
00;14;17;25
Jon Dixon
So there’s clearly a lot for our companies to think about, and to make sure that they’ve got very good systems in place. They know which systems talk to which, they know exactly how data is being stored and who has access, etc. So there’s a lot to think about. So if we think about the GDPR principles in practice, let’s just take what you’ve been talking about and expand that a little bit into what a company needs to do to collect patient data in a legitimate and compliant way. And maybe we can break this down into not just the collection, but how it’s used, stored and protected, and how it eventually is deleted, because that, I suspect, is actually more challenging than people might think. And what are the patient’s rights throughout all that process?
00;15;16;29
Jessica Santos
Well, that’s a very big question. Let’s break it down to one point at a time. So a company must ensure they have policies and procedures. That includes the consent process, legitimacy of intent, how to address conflicts of interest, proportionality, transparency, like what we talked about earlier, data minimization, and how to address individuals’ rights with respect to data held by a company as a data controller. So procedures and policies, that’s always the starting point. And then to practice privacy, start with the legal basis of data processing. So how do we process personal data? You must have a reason for it. So GDPR gives us six legal bases. The most common one is consent. Consent is typically used for primary data collection, that is, the data subject is right in front of you and you have a connection with them. But the data subject must have given a clear, specific and informed consent to the processing of their personal data for a specific purpose. So a common example is an automatically ticked box on the internet. You just did not do anything and then moved to the next page. No, that is not consent, because nobody is giving a clear affirmative action. So you have the tick box. It’s getting better, because they actively tick the box. But then if the privacy link next to that tick box is not even opened, that means nobody’s even read it. So it depends on what we are trying to do. So consent is almost a form of art here. Contract: so processing can be necessary for the performance of a contract with the data subject, or to take steps at their request prior to entering into a contract. Like, you need to give your travel agent permission to inform the hotel because you’re entering the contract there; otherwise nobody will know you are arriving. So that’s a typical example. But in healthcare, we are giving permission on the contracting side, say a healthcare provider or a hospital or a site, etc. The third one is legal obligation.
Processing is necessary to comply with a legal obligation under EU or member state law, any government legal obligation. Next, vital interest: processing is necessary to protect the vital interests of the data subject or another person. That is used very often in the hospital setting. A person is unconscious and the doctor must start to do something instead of asking for consent, because the patient is unconscious at that moment. Or emergency services. The next one is public task. That is, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In the Covid time, people cannot just say, I am positive but I’m going to walk around coughing all over. You know, imagine 2020 if anybody could exercise their consent, right? So that is used on the public health side, but not always and not no matter what, etc. So that’s a different part. Legitimate interest, the final one. And it’s very interesting, because it has been used increasingly by different research parties and Medical Affairs practitioners. That is, the processing is necessary for the legitimate interest of the controller or a third party, unless those interests are overridden by the data subject’s rights and freedoms. The typical usage for legitimate interest would be secondary data repurposed for a legitimate interest of the controller. So you have secondary data already; asking each individual for consent for an aggregated report for your Medical Affairs publication may not be feasible or possible anymore, because you don’t have the individuals’ contact details, or most people may not be traceable anymore. So you could do a legitimate interest assessment to see whether your legitimate interest applies and the liability is fulfilled. The other part we need to get into is the rights of the data subject we talked about. Individual human rights are the fundamental purpose of all privacy laws.
So responding to individual rights is a must for any data controller. But this task can be allocated to another third party if we are sure of how to do that. So the first legal right is the right to be informed. An individual has the right to be informed about how their data is being processed: what are you processing about me? Right of access: an individual can request access to their personal data, so they can write you an email or letter saying, hey, tell me, what do you know about me? Right to rectification: an individual can request corrections to inaccurate data. I changed my telephone number, please put in the correct number, and most controllers will be very happy to receive something like that. But for the previous one, right of access, it’s like, wait a second, what am I going to do? Because do I need to dig up all the personal data, all data related to that person? How to do that? That procedure is called a DSAR, Data Subject Access Request, and that is usually a huge policy within any company. Do read it if you’re not sure how to handle that. Another one is the right to erasure, or right to be forgotten. It’s probably the most romantic one: please don’t remember me anymore. Delete my personal data in your database. Don’t contact me ever again. And some data controllers don’t quite like it. It means that they lost the sample or lost the connection, especially on a sample that’s pretty difficult to recruit, like payers or patients, but we are obliged to fulfill that. Right to restrict processing: an individual can request restrictions on how their data is processed. Say, you know what, I’m happy for you to talk to me, but don’t put my picture on YouTube. Yes. Okay, so even though we really want to use that for publication, don’t do that. Right to data portability: that doesn’t happen in the medical industry very often on the Medical Affairs side, but it can happen on the healthcare side.
That is, an individual can request the data in a usable format to transfer to another service. Like if you move house from one area to another, you can ask for your medical records to move the whole lot from one place to the other place, and then the provider cannot refuse it. You can tell them how long it will take, what is entailed, or even charge a very small administrative fee. But you can always refuse that request. Right to object: an individual can object to the processing of their data for certain purposes. Don’t do that.
00;22;38;09
Jon Dixon
So there are a lot of considerations there that we have to keep in mind. And you make the point about ticking a box, and I think we all know from common practice that it’s very easy to tick a box and say, yes, I’ve read the policy for privacy, for example, when of course we haven’t. But when it comes to things like consent, then obviously we have a real obligation to make sure we do that consent in a way that is going to be appropriate for the individual giving the consent, and make sure that we have that documented in an appropriate way. And we will illustrate that in one of our case examples shortly. But you mentioned data controller. Often there’s a data processor, a data controller and a data protection officer. Can you explain the requirements for those three functions? What are the different responsibilities?
00;23;40;15
Jessica Santos
Oh, that’s a very good question. So the data controller is the entity that determines the purpose and the means of personal data processing, while the data processor acts on behalf of the controller and processes the data according to the controller’s instructions. Both data controllers and data processors are entities, companies, and the data protection officer is usually a person. It is a person designated by either the controller or the processor, basically by every company. So essentially the controller decides why and how the data is processed, and the processor carries out those instructions. And to make matters more complicated, there can be joint data controllers, because they could decide the purpose together. And you could have sub-data processors, which is a processor of the processor. But either way, the controller and the processor are companies, and the data protection officer is a person, a job, acting on behalf of an entity.
00;24;48;18
Jon Dixon
Right. Thank you. We’ve focused, perhaps quite a bit, in some of the conversation on patient data. But in Medical Affairs, there are many settings other than clinical trials where privacy considerations need to be thought through. So, for example, interactions with patient organizations, interactions with individual patients, patient support programs. And it’s not just patients, but it’s any individual. For example, if you were filming for a video, using photographs, copyright considerations, etc. Could you just comment a little bit further on the rights of individuals in these broader settings, please?
00;25;30;29
Jessica Santos
It’s a very important part that we must address. And we need to assess the various steps in any activity where privacy rules will apply, and how the risk of noncompliance can be mitigated. So we film something, and use it, and then maybe later it’s used for something else. And so at every step it’s easier to break it down and then inform the data subject as clearly as possible to ensure a well-written consent is obtained for each situation. So it must be freely given, specific, informed and unambiguous. Because, as in the scenario we just described earlier, Jon, it has many different steps, and sometimes we don’t know exactly how the video or photograph will be used later. So you can have another consent once you have a bit clearer objective later. But at the moment of consent, whatever you know, tell people. Don’t say something like, oh, I want a blank consent for something I can collect forever. That usually doesn’t work. So that means an individual must have a real choice, understand what they are consenting to, and give a clear indication of agreement. So an HCP asking a patient to sign a consent form to participate in a clinical trial or support program may be perceived as coercion, because it’s not freely given: a patient may be under pressure and say, oh, that’s my doctor, if I don’t sign it I may not get the right treatment, etc. So I have to be very careful.
00;27;07;24
Jon Dixon
Right. We’ve covered a lot of ground here, but let’s try now to look at a few examples to see how some of this plays out in practice. And you’ve just been talking there about consent. And our first example is exactly on this point. So let’s imagine that our marketing colleagues have recorded a video of a patient talking about their disease. So it’s to literally talk about the disease; we’re not trying to talk about product. And the patient has given consent to be recorded in this way, talking about their disease, and for its use on a monitor screen on an exhibit stand. So we’re assuming that’s a commercial booth at a specified local medical congress. So it sounds a reasonable thing to do, perhaps. But what are the risks and steps that we would need to be considering if it is then subsequently decided by marketing to use the same video on a booth later in the year at a different meeting, and that meeting might be an international congress? But let’s start to unpick this a little bit. Give me your first thoughts.
00;28;32;15
Jessica Santos
Yeah. Well, that is a very exact, specific example, which I love. So, typically what we receive as a request is that marketing has not thought about that clearly yet, but if it is that clear, that specific, like I’m going to record just for that specific local medical congress, you may get the consent just for a specific local medical congress. Fine. That’s fantastic. Very specific, informed, but at the same time also very limited, which means that you cannot use it next year in the international congress. So maybe marketing’s first consent is: I’m going to use it for medical congresses. Full stop. Well, that means which medical congress? How far is it? Is it a limited, secured, very exclusive medical congress, or is it an open congress in the public that is on YouTube as well, where anybody can have access to it? That has different consequences. In the second scenario you are not really able to do anything about it. So the first level is you want to establish what is the limit of your data collection. Is it just for a specific medical congress, or something in general but protected, where only a number of people can have access to it, or is it in the public domain, which everybody has access to? So how long does the consent last for? In this example, Jon, you just mentioned one year. Well, you can just say one year or two years, but would that be okay or not? If it’s something passed on too long, you could consider a re-consent, which is to go back to the data subject and say, you did a video with us last year, can I use it again? And this time it’s a different audience, a different setting. So that can be done. It doesn’t mean that you can never go back to the data subject again. The other part to consider is the video we recorded: would that be edited, changed, modified with other information? Likely yes, because most of the videos we record first could be an hour or two hours long.
And whenever we show it in the medical congress, likely we just want a few minutes, so that it attracts traffic and people’s attention. So once it’s edited, it may be paraphrased and not have that meaning anymore. So it’s recommended to go back to the data subject and say, your video will be used in the National Congress; once we have edited it, we will let you have another look. And then make sure: if it’s not there anymore, what will be the consequence for the patient? So the most common consequence will be that their personal health information will be open to the public. Will they be happy about it? So some people will be okay, no problem. And there are even patient advocates or patient leaders, social media influencers, all that. But some people will keep it very private and quiet. So denial of insurance in America, or being perceived as another type of persona. So people will have different perceptions about what the consequence will be. And then think about that, and then tell the patient about it. So don’t think that you will cover everything, but you can go back to get a consent if your purpose has changed.
00;31;58;18
Jon Dixon
Very good. And clearly it illustrates there’s a lot to think about when it does come to consent, and the possibility of re-consenting if you shift the boundaries. We don’t even know if this international congress is going to be of a similar nature to the local congress. It could be a very different type of audience, perhaps. There might be many countries attending. And do we need to take into consideration additional rules around that? Just as an aside on this situation, you covered all the privacy angles very nicely, but there are other risks that also need to be thought about. For example, when the patient is recorded, do they say anything about treatment? If so, is it on label, etc., so that we’re not seen to be promoting off label? So there are other risks that need to be considered in addition to privacy. And hence it is important to look at these situations holistically and from various angles. But clearly in this case, the consent is key. Great. Let’s move to another example, shall we? So let’s assume that your company is designing a patient support program which involves the use of a mobile app for the patient to record daily symptoms, and the symptom data is then accessed and reviewed by the treating physician to assess if the patient’s treatment should be adjusted. So what are the risks here that need to be mitigated, and what controls need to be in place to ensure compliance with privacy regulations?
00;33;47;24
Jessica Santos
Yeah. That is a very interesting example, because that example involves a third party that develops or manages an app. So the first part is to assess the security and safeguarding measures of the app provider: is it home developed by your own company, or do you use a third party? It is likely to be a third party in our current supply chain. And so you need to vet the vendor, due diligence, etc. So what is the purpose of the app? Okay, we are here to talk about a patient support program. But is this patient support program exclusively for your company, or do they do that for off-the-shelf purposes, for every company who has a patient support program? Would the data be crossed and used for something else? So the next part, for all the privacy considerations, will be what and how the data is collected, used, limited, transferred, processed, linked to other healthcare information on an individual basis or an aggregated basis. So all of these questions you need to ask, and to make sure that it’s for the purpose that you want to do it, and limited, or make sure that the correct safeguarding measures are put in place. Again, from a privacy point of view, it’s always collect as little information as possible, but you need to do a job, which is patient support, so you can’t collect nothing at all. But then whenever it’s collected, where would you put it, how do you do that, etc. The next part is to make sure the data will not be misused or repurposed without your knowledge. Consent is given by the patient; that’s probably the legal basis, because the patient will download the app and then do something with it. But once you have the secondary data on the app, what would it be used for? And finally, a very important topic is how you address the data subject’s individual rights, which we talked about earlier. Will it be you as the data controller telling the app company to do that, or is the app company addressing individual rights: right to be forgotten, right to rectification, etc.?
So if they do it, you want to make sure you put that in the contract very clearly: who is doing what?
00;36;15;08
Jon Dixon
You often hear people talking about or asking the question, who owns the data? And in this example, we’ve got a patient, we’ve got a doctor, and we’ve got a company that’s supporting the app. We’ve got the company that is funding the patient support program. Any thoughts about who owns the data in this situation? Or is it a case of it should be made clear upfront who owns the data, and have the decision made before any data is actually collected?
00;36;46;29
Jessica Santos
This topic of ownership comes up in pretty much every contract negotiation or management board. But it's never going to appear in any privacy legislation, because ownership, in a way, means I have the right. It belongs to me. I can sell it, I could delete it, I could rent it, I could charge money for it. I can do whatever I want to it. It's not quite like that. Ultimately, I would say, of course, data belongs to the data subject. But then the data controller, data processor, we are having the permission, which is consent or another legal basis, to use that data for another purpose. So it's a blessing. It's not a commodity. So there's only data custody, data processing activities involved. And so you would never see the word ownership appear in any privacy regulations. It's rather what are you going to do with it. So it's data custody, data usage, data processing activities and those terms. So I will usually steer away from the word ownership, because it implies data becomes a commodity that belongs to anybody.
00;38;02;04
Jon Dixon
So it illustrates the point as to why, for things like patient support programs, which, you know, can be quite complicated and involve various elements, it's important, I think, to have legal review of these proposals, which we've said elsewhere, and to make sure that compliance and others are also involved, because there are just all these things to think about. And you've illustrated that very nicely there, I think. So let's go to our last example, and then we can wrap up. So a company has a standard operating procedure for advisory boards. And one of the requirements is that when an advisory board has taken place, there should be a documented summary of the key advice obtained, which includes the names of the advisers who participated. Now, that's not saying that any particular adviser gave any particular advice. It's simply indicating the group of advisers that provided this overall advice that has been summarized in the report. And the SOP also allows for advisers to be any type of expert that might be needed to provide the advice that is being sought, which is fair enough. So with that background in mind, the Medical Affairs team is working on HIV and has a need to engage some patient experts from a patient advocacy group in an advisory board. So how should that team proceed in order to be compliant with the privacy regulations, but also follow the company procedures?
00;39;52;12
Jessica Santos
That's a very interesting question. A very interesting scenario. So I would say the first step is look at your SOP. We need to establish who is the data controller here. Is it the company, is it the advocacy group, or is it the recruitment agency that finds that expert member for you? Because whoever is the data controller can then decide what the purpose and means are, and also has the liability to answer data subject rights. Either way, we don't want to have more personal data than necessary to fulfill your job, your objectives, but at the same time, these things are determined by the controller. And then the second part is how the personal data is collected. And then who are those data subjects involved? Is it the patient? Is it the advisory board member, or a mixture? Both. So in the case you just mentioned, it could be both, and there could be a patient coming. So where is it coming from? How are we going to store it, or how is it going to be transferred, how are we going to name it, etc.? Would there be any future usage at all? So for any advisory board, I'd say likely yes, because that is the purpose of all of the SOPs on the advisory board requirement: that we want to document all these very interesting insights for future usage. And then finally, address the conflict between company policy and interest and the request of the adviser, because advisers are likely to say, this is what I want, but your company policy has something else. So it's a balancing act between privacy and the conflict of interest and other compliance policies.
00;41;38;18
Jon Dixon
Would you consider here a compliance exception to the SOP? In other words, by all means, do the summary, but don't put the names, particularly if that summary needs to be shared with various colleagues in the organization. Is that a step that you might consider from a compliance point of view?
00;42;02;07
Jessica Santos
I love the word exception. Yeah, I will always say that. First of all, I will ask the question. Why do you want the name to be on it?
00;42;10;25
Jon Dixon
Yeah.
00;42;11;18
Jessica Santos
If you don't need to, then take it off, so that you have more freedom or more flexibility to share with a wider group. A lot of times, people put the specific personal data on the document so that you can trace back to the individual and then make sure all these insights are from so-and-so. Another way to have a balanced approach is to put a number on it. And that number means a specific advisory member. And then that file is kept somewhere else. So it addresses the purpose of traceability and at the same time protects the individual's privacy. So that could be another solution. So it's always a balancing act. And then to see how I can make sure that both legislation and regulations are all complied with.
00;43;06;15
Jon Dixon
Indeed. Very good. All right. We’ve covered an awful lot of ground. Do you have 2 or 3 key messages for the listeners, to take away from all this?
00;43;18;07
Jessica Santos
I would say the first and foremost is privacy is a fundamental human right. It matters to all of us. And so, understand your data, respect your individual, and read through your company's SOPs.
00;43;33;22
Jon Dixon
Very good. Thank you very much for your time and for helping to educate us all on privacy regulation and how to navigate it. Clearly, it's important for everyone listening, if you're not a privacy expert, to consult people in your company who are. So thank you very much, and I think we can close out.
00;43;58;22
Jessica Santos
Thank you.