Compliance of cross-border transmission of medical data involved

Author: Zhou Hanshuo

(This article was first published on China Business Law Journal column "Life sciences & healthcare", authorised reprint)

The data security law and the personal information protection law came into force successively in 2021, together with the previous network security law, as well as the regulations on the security protection of key information infrastructure, the measures for data exit security assessment (Draft for comments) and the regulations on the management of network data security (Draft for comments). So far, China's data security regulatory framework has taken shape and put forward comprehensive compliance requirements for relevant subjects engaged in data processing.

As a practicing lawyer in the field of medical law, the author makes a preliminary discussion on the cross-border transmission of medical data in combination with the cross-border data transmission needs of Chinese pharmaceutical enterprises in the process of cross-border application for new drug clinical research approval (ind) and new drug registration application (NDA), and in combination with the latest data security supervision trend.

Cross border data transmission

The cross-border data transmission of medical data in ind and NDA mainly occurs when (1) applying for ind and drug clinical trials to overseas drug regulatory authorities and (2) submitting NDA to overseas drug regulatory authorities.

When applying for ind, pharmaceutical enterprises usually need to submit preclinical test data of drugs (such as animal pharmacology / toxicology research data), drug composition and production information, clinical research scheme and researcher information, etc. If the drug clinical trial is carried out in an international multi center way, the data collected and generated by each center need to be summarized and processed for the sake of the unity of statistics, analysis and supervision of the trial data. If the trial sponsor sets up a unified data processing center overseas, it will involve the transmission of the data of clinical trials in China to overseas. For another example, if EDC (electronic data capture) system deployed on overseas servers is used in the test, it will also involve the transmission of domestic clinical trial data to overseas.

In the NDA stage, it is usually necessary to provide overseas regulatory authorities with drug production information, non clinical pharmacological and toxicological data, human pharmacokinetics and bioavailability data generated in clinical trials, microbial data, clinical data, safety data update report, statistical data, case report form, relevant patents, samples, packaging and labels, etc.

Is a safety assessment required?

From the perspective of personal information

The development of new drug clinical trials in China will involve the collection and processing of medical and health data such as subjects' basic information, physiological indicators and test results. However, according to the requirements of China's specifications for the quality management of drug clinical trials and the technical guide for clinical trial data management, the protection measures for the personal information of subjects are included in the design of clinical trial scheme and database, including replacing their names with subject identification codes (the same when reflecting adverse events and other trial data). Therefore, the test reports and data submitted when submitting ind and NDA applications usually do not include personal information that can directly identify the subjects, and the number of subjects involved is relatively limited.

The application materials will also contain a small amount of ordinary personal information such as the names and emails of the sponsors, researchers and cro staff, but the overall scale is very limited and it is difficult to reach the transmission scale specified in the exit evaluation measures (more than 100000 personal information has been transmitted in total); As far as new drug R & D enterprises are concerned, the scale of personal information processed in China usually does not exceed the threshold of 1 million people. Therefore, the obligation to declare data exit security assessment will not be triggered unless the relevant party is identified as the operator of key information infrastructure.

In addition, the clinical trial data may also include the subject's human genetic resource information. The biosafety law and the regulations on the administration of human genetic resources stipulate the corresponding approval or filing backup requirements for the exit of China's human genetic resources information in different scenarios. According to the principle that the special law is superior to the general law, and according to the arrangement of "if there are other provisions in laws and administrative regulations", the author understands that the transmission of such scenes should be subject to the requirements of the Ministry of science and technology.The development of new drug clinical trials in China will involve the collection and processing of medical and health data such as subjects' basic information, physiological indicators and test results. However, according to the requirements of China's specifications for the quality management of drug clinical trials and the technical guide for clinical trial data management, the protection measures for the personal information of subjects are included in the design of clinical trial scheme and database, including replacing their names with subject identification codes (the same when reflecting adverse events and other trial data). Therefore, the test reports and data submitted when submitting ind and NDA applications usually do not include personal information that can directly identify the subjects, and the number of subjects involved is relatively limited.

From the perspective of important data

According to the draft of exit evaluation measures and network data security regulations, as long as the exit data includes important data, it is necessary to declare the exit security evaluation of data. However, the catalogue of important data and its identification still need to be determined by regional and industrial competent departments.

Although the "drug experimental data submitted by drugs with national strategic safety in drug approval" is mentioned as important data when describing the characteristics of important data in a national standard exposure draft posted online, it also stipulates that all regions and departments will clarify the categories / characteristics of important data in their industries / fields, Therefore, the clarification and guidance of the important data catalogue formulated by the competent authorities (State Food and Drug Administration and National Health Commission) are still needed.

Other compliance obligations

According to the above-mentioned new regulations, the relevant parties in the new drug R & D process also need to comply with other obligations on data exit activities. For example, 

1

In addition to disclosing the data exit situation in the subject's informed consent and obtaining their explicit consent, if there is personal information of the staff participating in the trial, it also needs to be disclosed in writing and obtain express consent;

2

Establish a set of self-assessment system within the institution to sort out the cross-border data transmission activities involved, carry out risk self-assessment in accordance with the requirements of the personal security law, the measures for exit assessment and other regulations, and keep the assessment report;

3

Improve the contract agreements with overseas partners in the process of ind, clinical trials and NDA application (such as foreign institutions in clinical trials, overseas intermediaries registered as agents, overseas technical service institutions, etc.), and agree on their safety protection responsibilities and obligations for receiving data from China; 

4

And keep the logs and records of cross-border data transmission involved in relevant scenarios for at least three years.

*Special thanks go to the partner Casper Sek for his suggestions on cybersecurity and data compliance.

Jingtian & Gongcheng’s Life Science and Healthcare Team has extensive legal and industrial experience in the field. Our lawyers have been focused on international and pharmaceutical legal practices over a dozen of years, with working experiences at international law firms and top-tier multinational healthcare companies, and many of them are qualified both in China and abroad.

We have advised clients on mergers and acquisitions, technology licensing, contracted manufacturing, co-promotion, business conduct and compliance, and daily operational issues related to pharmaceutical and medical devices companies. For more information, please contact Ms. Hanshuo ZHOU(zhou.hanshuo@jingtian.com, phone: 0086-21-2613 6241, mobile: 0086-18616860012).

医药医疗专栏往期文章

1. 七宗错丨医药领域技术许可交易的法律风险（下）

2. 从《生物安全法》看中国生物安全监管趋势

3. Biosafety Law: China’s new, stricter controls

4. 《人类遗传资源管理条例实施细则（征求意见稿）》研读

5. 七宗错丨医药领域技术许可交易的法律风险（上）

6. 海南自贸港大浪淘沙之网售处方药的实践观察

7. 从医美机构探讨“颜值经济”投资

8. Investing in the "beauty economy"

9. 医疗器械追溯制度及企业上市重点关注问题

10. Medical Device Tracking System and Key Issues for Listing

11. 中国药品专利纠纷早期解决机制概览

12. Early resolution mechanism for drug patent disputes in China

13. 医疗数据合规三问

14. Three questions on medical data compliance

15. Highlights of New Rules on Medical Devices Regulation

16. 管中窥豹读新《医疗器械监督管理条例》

17. Cross-border Use of Medical Products in the Greater Bay Area

18. 细胞治疗监管政策——基础篇

19. 互联网医疗：医疗行业企业之数字化营销——春潮涌动，乘风破浪

20. 说一说互联网“医+药”里的那个“药”

21. 民营医疗机构：赴港IPO之合规注意事项探析

22. 互联网医疗：跨境线上诊疗与咨询

23. 互联网医疗：新冠疫情背景下的法律准入与监管发展

24. 药械应急审批助力疫情防控——8问小科普

25. 临床基因检测行业的监管与挑战（上篇）

26. Highlights of China’s 2019 Drug Administration Law

27. 与时俱进，焕然一新——喜迎《药品管理法》新修订版

28. 疫苗管理法正式出台，新法亮点几何？

29. 《人类遗传资源管理条例》亮点初析

30. “药品4+7带量采购”之小白十问

31. 我国医疗行业上市许可持有人(MAH)制度初探（下篇）

32. 重典治乱，监查并举，制度创新——从疫苗管理单独立法说起

33. 我国医疗行业上市许可持有人(MAH)制度初探（上篇）

作者介绍

周晗烁等律师往期文章回顾

1. 七宗错丨医药领域技术许可交易的法律风险（下）

2. 从《生物安全法》看中国生物安全监管趋势

3. Biosafety Law: China’s new, stricter controls

4. 《人类遗传资源管理条例实施细则（征求意见稿）》研读

5. 七宗错丨医药领域技术许可交易的法律风险（上）

6. 医疗数据合规三问

7. Three questions on medical data compliance

8. Highlights of New Rules on Medical Devices Regulation
9. 管中窥豹读新《医疗器械监督管理条例》

10. 细胞治疗监管政策——基础篇

11. 互联网医疗：医疗行业企业之数字化营销——春潮涌动，乘风破浪

12. 说一说互联网“医+药”里的那个“药”

13. 互联网医疗：跨境线上诊疗与咨询

14. 药械应急审批助力疫情防控——8问小科普

15. 临床基因检测行业的监管与挑战（上篇）

16. 与时俱进，焕然一新——喜迎《药品管理法》新修订版

17. Highlights of China’s 2019 Drug Administration Law

18. 疫苗管理法正式出台，新法亮点几何？

19. 《人类遗传资源管理条例》亮点初析

20. “药品4+7带量采购”之小白十问

21. 我国医疗行业上市许可持有人(MAH)制度初探（下篇）

22. 重典治乱，监查并举，制度创新——从疫苗管理单独立法说起

23. 我国医疗行业上市许可持有人(MAH)制度初探（上篇）

24. 美国出口管制之小白问答