How does European data privacy legislation impact on the disclosure code?
19.11.15
So how will the Data Protection Regulation impact on this new era of transparency?
European data privacy legislation
Directive 95/46/EC[1] aims to protect the rights and freedoms of persons (physical or, when applicable, moral) with respect to the processing[2] of personal data, by laying down the key criteria for ensuring that processing is lawful and the principles of data quality are respected.
This Directive has been transposed into each Member State’s own data privacy legislation. Data processing is only lawful if:
- the data subject unambiguously has given his/her consent[3]; this needs to be specific and freely given; or
- processing is necessary for the undertaking of a contract to which the data subject is party; or
- processing is necessary for compliance with a legal obligation to which the controller is subject; or
- processing is necessary to protect the vital interests of the data subject; or
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party; or
- processing is necessary for the purposes of the legitimate interest pursued by the controller or by the third party, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject, which require protection: a pragmatic approach that allows the use of practical assumptions, based primarily on what a reasonable person would find acceptable under the circumstances, and based on the consequences of the data processing activity for data subjects[4]. This approach will be subject to interpretation by the national data protection authorities.
The Directive not only outlines when data can be processed but also establishes principles for data quality. These must be implemented, in order for data processing activities to be lawful. The principles are:
- Personal data must be processed fairly and lawfully, and collected for specified, explicit and legitimate purposes.
- They must also be adequate, relevant and not excessive, accurate (and, where necessary, kept up to date), must not be stored for longer than necessary and solely for the purposes for which they were collected;
- Unless it is necessary to protect the vital interests of the data subject or for the purposes of preventive medicine and medical diagnosis, it is forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
The Directive also ensures that the data subject – in this case the health professional ¬– can exercise the following rights:
- To obtain information: the identity of the controller, the purposes of the processing, recipients of the data etc.;
- To access the data;
- To object to the processing of data.
How does the Directive impact on transparency?
First of all, before pharmaceutical companies publicly can disclose personal information they must seek and obtain the consent of the health professional concerned.
In most of Europe, companies do not need consent to publish payments made to healthcare organisations (HCOs). The only exceptions are Austria, Luxembourg and Switzerland, where consent from the organisation is required.
How is consent to disclose personal information obtained?
When relationships are framed by a contract between the company and individual, the method of obtaining HCP consent to disclose data is through inserting a clause into it. The contract provides a ready mechanism to obtain the data subject’s consent to the processing of his/her personal data. Alternatively, without this contract’s framework, companies must contact HCPs separately to discuss publication of the data and gain consent to disclose an individual payment or a number of payments over a given time period. As a matter of good practice, companies should create and retain evidence showing that the consent was indeed given, as well as procedures for handling enquiries and for making HCPs or HCOs aware of the content of upcoming disclosures.
What happens if a health professional does not give their consent to disclose?
Firstly, the Code requires that EFPIA Member Companies should make their best efforts to obtain the consents necessary to the disclosure on an individual level. We believe that transparency is vital for the future of industry/HCP collaboration and we will continue to work with individual HCPs, as well as with professional and representative bodies, to underline the benefits of transparency and make the case for public disclosure of payments on an individual level.
If the HCP (or HCO) does not give consent (or withdraws) its consent, then the company cannot publish the data concerned legally.
However, companies are required by the Code to publish the aggregate total paid to HCPs who did not give their consent, as well as the number of non-consenting HCPs in each category of payment. Clearly, patients, society and the media will have a perspective on the number of HCPs not giving their consent to disclose and the total amount paid to them. Industry will disclose everything they are allowed legally to disclose and our aim is to work with the health professional community to reduce the number of HCPs refusing their consent.
Despite this strict data privacy legal framework, bringing greater transparency to this, already well-regulated, vital relationship is about strengthening the basis for collaboration in the future. Industry is being proactive, based on its commitment to this relationship. Our hope is that health professionals will also recognise the benefits of greater transparency and provide their consent to disclose the data.
[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
[2] The Directive applies to data processed by automated means (e.g. a computer database of customers) and data contained in or intended to be part of non automated filing systems (traditional paper files).
[3] Art 29 working party – opinion 15/2011
[4] Art 29 working party – opinion 06/2014
