OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR on the proposal for a Regulation of the European Parliament and of the Council amending, as regards pharmacovigilance of medicinal products for human use, Regulation (EC) No 726/2004 laying down Community procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishing a European Medicines Agency, and on the proposal for a Directive of the European Parliament and of the Council amending, as regards pharmacovigilance, Directive 2001/83/EC on the Community code relating to medicinal products for human use.
Recall: on 10 December 2008, the Commission adopted two proposals relating to the amendment of the actual pharmacovigilance system. The general intention of the two proposals is to remedy these weaknesses and to improve and strengthen the Community pharmacovigilance system with the overall objective of better protecting public health, ensuring proper functioning of the internal market and simplifying the current rules and procedures (see COD/2008/0257). The overall operation of the current pharmacovigilance system relies on the processing of personal data. These data are included in the adverse drug reactions reporting and can be considered as data relating to health of the persons concerned since they reveal information about drug use and associated health problems.
Processing of such data is subject to strict data protection rules as laid down in Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data and Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Despite this, no reference to data protection is included in the current text of Regulation (EC) No 726/2004 and Directive 2001/83/EC, except for one specific reference in the Regulation. The EDPS regrets that data protection aspects are not considered within the proposed amendments and that he was not formally consulted on both proposals for amendments. The EDPS recommends that a reference to this opinion is included in the preamble of both proposals.
Content of the Opinion: this Opinion will first proceed with a simplified explanation of the system of pharmacovigilance in the EU as it follows from Regulation (EC) No 726/2004 and Directive 2001/83/EC in their present state. Subsequently, the necessity of processing of personal data in the context of pharmacovigilance will be analysed. After this, the proposals of the Commission for improving the current and envisaged legal framework will be discussed and recommendations will be made on how to ensure and improve the data protection standards.
Conclusions and recommendations: the EDPS takes the view that the lack of a proper assessment of the data protection implications of pharmacovigilance constitutes one of the weaknesses of the current legal framework set out by Regulation (EC) No 726/2004 and Directive 2001/83/EC. The current amendment of Regulation (EC) No 726/2004 and Directive 2001/83/EC should be seen as an opportunity to introduce data protection as a full-fledged and important element of pharmacovigilance.
A general issue to be addressed thereby is the actual necessity of processing personal health data at all stages of the pharmacovigilance process. As explained in this Opinion, the EDPS seriously doubts this need and urges the legislator to reassess it at the different levels of the process. It is clear that the purpose of pharmacovigilance can in many cases be achieved by sharing information on adverse effects which is anonymous in the meaning of the data protection legislation. Duplication of reporting can be avoided through the application of well structured data reporting procedures already at national level.
The proposed amendments envisage a simplified reporting system and a strengthening of the EudraVigilance database. The EDPS has explained that these amendments lead to increased risks for data protection, especially when it involves the direct reporting of patients to the EMEA or the EudraVigilance database.
In this respect, the EDPS:
a. strongly advocates a decentralised and indirect reporting system whereby communication to the European webportal is coordinated through using the national webportals;
b. emphasises that privacy and security should be part of the design and implementation of a reporting system through the use of web-portals (‘privacy by design’);
c. underlines that once data concerning health about identified or identifiable natural persons is processed, the person responsible for such processing should comply with all the requirements of the Community data protection legislation.
More specifically, the EDPS recommends:
- to include a reference to this Opinion in the preamble of both proposals, to introduce in both Regulation (EC) No 726/2004 and Directive 2001/83/EC a recital stating the importance of data protection in the context of pharmacovigilance, with references to the relevant Community legislation;
- to introduce in Regulation (EC) No 726/2004 and Directive 2001/83/EC a new Article having a general nature which states that: (i) the provisions of Regulation (EC) No 726/2004 and Directive 2001/83/EC are without prejudice to the rights and obligations stemming from the provisions of Regulation (EC) No 45/2001 and Directive 95/46/EC respectively, with specific reference to Article 10 of Regulation (EC) No 45/2001 and Article 8 of Directive 95/46/EC respectively; (ii) identifiable health data shall only be processed when strictly necessary and parties involved should assess this necessity at every single stage of the pharmacovigilance process;
- to include in the proposed Article 24(2) of Regulation (EC) No 726/2004 a sentence stating that the accessibility of the EudraVigilance database shall be regulated in conformity with the rights and obligations stemming from the Community legislation on data protection;
- to add a paragraph to the proposed Article 24 stating that measures shall be put in place which ensure that the data subject can exercise his right of access to personal data concerning him as provided for by Article 13 of Regulation (EC) No 45/2001;
- to add to the proposed Article 101 of Directive 2001/83/EC a paragraph which states that in case of processing of personal data the individual shall be properly informed in accordance with Article 10 of Directive 95/46/EC;
- to include in the newly proposed Articles 25 and 26 of Regulation (EC) No 726/2004 and Article 106 of Directive 2001/83/EC, which deal with the development of a reporting system for adverse effects through the use of web- portals, an obligation to incorporate proper privacy and security measures at an even level across Member States, taking into account the basic principles of confidentiality, integrity, accountability and availability of data.