Express Pharma

Reshaping investigations in the pharma industry: Ensuring compliance under the DPDP Act

Sahil Kanuga and Sara Sundaram urge fostering a culture of data protection to ensure that investigations in pharmaceutical and health insurance companies are conducted with integrity and transparency


The advent of the Digital Personal Data Protection Act, 2024 (DPDP Act) marks a significant shift in the landscape of data privacy and protection. While the DPDP Act will affect most investigations, for the pharmaceutical industry and health insurance sector, this new legislation effectively seeks to ensure the integrity and confidentiality of personal data, requiring additional care, especially during investigations.  

The pharmaceutical industry and health insurance industry are some of the most data-intensive and data-driven sectors in the world. Real-world data, which are extensively used in these industries, may include data relating to patient health status and/or the delivery of healthcare regularly collected from a variety of sources including electronic health records (EHRs), patient-reported outcomes (PROs), patient-generated health data – data generated from various devices (including mobile devices), medical claims and billing data, product and disease registries, observational studies – and patient-powered data. These industries generate and process huge amounts of personal health, clinical trial, research, and other sensitive data.

We delve into the implications, responsibilities, and best practices for managing investigations in pharmaceutical and health insurance companies under the purview of the DPDP Act.

The DPDP Act: An overview

The DPDP Act, enacted to safeguard digital personal data, mandates stringent compliance requirements for organisations handling sensitive information. It emphasises transparency, accountability, and the need for explicit consent from individuals whose data is being processed. This act applies to various sectors, including pharmaceuticals and health insurance, which deal with vast amounts of personal and sensitive health data. As the Rules under the DPDP Act get finalised and notified, the true power of the DPDP Act will soon be in force, and investigations in companies touching these industries will have to evolve to meet the changing needs of law. 

Key challenges related to investigations in pharma and health insurance companies

The law sets its compliance standards for handling sensitive personal health data and data investigation, a critical aspect of clinical research and pharma operations, by matching existing global standards such as the EU’s General Data Protection Regulation (GDPR). While the changes bring more transparency and strengthen patient privacy, they also mean operational challenges for companies conducting trials and managing global data from India.

  • Data minimisation: Organisations are required to collect only the data that is necessary for the intended purpose of the investigation.
  • Purpose limitation: Personal data must be processed strictly for the purpose for which it was collected, and any deviation requires fresh consent from the data subject.
  • Data security: Robust security measures must be in place to protect data from unauthorised access, breaches, and other cyber threats.
  • Data subject rights: Individuals have the right to access, correct and delete their personal data, as well as to object to certain types of data processing.
  • Transparency and accountability: Organisations must maintain clear records of data processing activities and be prepared to demonstrate compliance with the DPDP Act.

Implications for investigations in pharmaceutical and health insurance companies

Investigations in pharmaceutical and health insurance companies may inevitably require some level of access to sensitive information, such as personal health data, for purposes such as clinical trials, drug safety monitoring, and regulatory compliance. The DPDP Act imposes several obligations on companies to ensure that such data is handled with utmost care.

Challenges in compliance will also be faced by the global capacity centres of international drug companies, which have evolved from back-office operations to innovation and R&D hubs. These centres, storing huge volumes of patient data and research insights, need to strengthen cybersecurity measures while ensuring smooth data flow to keep up with the new requirements.

Key frameworks that pharmaceutical companies need to ensure compliance with: 

  • Informed consent

Obtaining informed consent from participants is paramount. The consent must be explicit, informed, and freely given. Participants should be made aware of the nature of the data collected, the purpose of the investigation, and their rights under the DPDP Act. This ensures transparency and builds trust between the participants and the organisation.

  • Data anonymisation and pseudonymisation

To further protect individuals’ privacy, pharmaceutical companies are encouraged to anonymise or pseudonymise data wherever possible. Anonymisation involves removing personally identifiable information from the dataset, thus ensuring that individuals cannot be re-identified. Pseudonymisation, on the other hand, replaces identifiable information with pseudonyms, adding an additional layer of security while maintaining the data’s utility for analysis.

  • Data sharing and third-party involvement

Pharmaceutical investigations often involve collaboration with third-party entities, such as research institutions, regulatory bodies, and contract research organisations. The DPDP Act mandates that any data sharing with third parties must be governed by strict contractual agreements ensuring compliance with data protection standards. Third parties must also be vetted to ensure they have adequate security measures in place.

  • Role of health insurance in pharmaceutical investigations

Health insurance providers play a crucial role in supporting pharmaceutical investigations, particularly in post-marketing surveillance and drug safety monitoring. The DPDP Act places additional responsibilities on health insurers to protect the privacy of insured individuals’ health data.

  • Data collection and processing

Health insurers must ensure that any data collected for pharmaceutical investigations is processed in accordance with the DPDP Act. This includes obtaining explicit consent from policyholders, informing them of the purpose of data collection, and ensuring that the data is used solely for the intended investigation.

  • Data retention and disposal

The DPDP Act requires organisations to retain personal data only for as long as necessary to fulfil the purpose for which it was collected. Health insurers must establish clear data retention policies and ensure the secure disposal of data once it is no longer needed.

  • Data breach response

In the event of a data breach, health insurers must have a robust response plan in place. This includes notifying affected individuals and regulatory authorities, and taking immediate steps to mitigate the breach’s impact. Transparency in communication is crucial to maintaining trust and compliance with the DPDP Act.

  • Regular audits and assessments

Conduct regular audits and assessments of data processing activities to identify potential risks and areas for improvement. This proactive approach helps in maintaining continuous compliance with the DPDP Act.

  • Training and awareness

Provide comprehensive training to employees and stakeholders on data protection principles, the importance of informed consent, and the requirements of the DPDP Act. Awareness programs can help foster a culture of data privacy within the organisation.

Conclusion

The DPDP Act represents a significant step forward in protecting personal data in the digital age. For the pharmaceutical and health insurance sectors, compliance with this act is not only a legal obligation but also a moral imperative to safeguard individuals’ privacy. 

By adopting best practices and fostering a culture of data protection, organisations can ensure that investigations in pharmaceutical and health insurance companies are conducted with the highest standards of integrity and transparency. This not only enhances public trust but also contributes to the advancement of medical science and the overall well-being of society. 

Global pharma companies operating in India and headquartered in the US or the European Union might also need modifications to their existing data privacy programmes. For Indian multinational pharmaceutical companies operating in the US and the EU, a review of their current data privacy and data protection programmes with an India-centred lens is the need of the hour.
