How to Handle Clinical Trial Data Export under New Regulations
Summary:
This article analyzes the new PRC regulatory requirements on data security and personal information protection on the outbound transfer of clinical trial data, with a view to analyzing the relationship among multiple regulatory authorities’ requirements under relevant outbound data transfer scenarios and exploring corresponding solutions for pharmaceutical companies.
Before data security in clinical trials attracted attention, the supervision of clinical trial data in China mainly relied on clinical trial administration requirements such as the Good Clinical Practice for Drug Trials (the “GCP”), which mainly reflected the supervision requirements of the National Medical Products Administration (the “NMPA”) and the National Health Commission (the “NHC”) on the data collected during clinical trials, especially for the protection of the personal information of trial subjects.
As for the outbound transfer of clinical trial data, sponsoring pharmaceutical enterprises previously focused mainly on the requirements for providing human genetic resources information overseas under the PRC Administrative Regulations on Human Genetic Resources (the “Human Genetic Resources Regulations”). However, since the promulgation of the PRC Personal Information Protection Law (the “PIPL”) in 2021, and the promulgation of the Measures for the Security Assessment of Outbound Data Transfers (the “Measures for Security Assessment”) by the Cyberspace Administration of China (the “CAC”) on July 7, 2022, the supervision approach of the CAC has become increasingly clear and refined. In this context, the outbound transfer of clinical trial data will involve multi-sectoral and multi-dimensional supervision. How should enterprises prepare for and respond to the new regulatory regime? We touch upon several important issues in this regard in the hope of eliciting further discussion.
I
What kind of common business scenarios will involve outbound transfer of clinical trial data?
1. Cross-border application for the Investigational New Drug (“IND”) and the New Drug Application (“NDA”)
When PRC enterprises apply for IND with overseas pharmaceutical regulatory agencies, the agencies generally require an overall research plan, an investigator’s brochure, a clinical study protocol, chemical, production and quality control information, pharmacology and toxicology information, existing human clinical experience information and additional information.
At the NDA stage, it is usually necessary to provide the overseas pharmaceutical regulatory agencies (such as the FDA) with drug production information, non-clinical pharmacology and toxicology data, human pharmacokinetics and bioavailability data generated in the clinical trials, microbiological data, clinical data, safety data update reports, statistical data, case report forms, relevant patent status, samples, packaging and labeling, etc.
2. Outbound transfer of clinical trial data in the international cooperative research
When foreign entities and Chinese partners jointly carry out international cooperative research involving the clinical trial, the research projects may be accompanied by the relevant clinical trial data export. Under this scenario, besides applying for approval or filing with the administrative department of science and technology for the export of human genetic resources materials and human genetic resources information involved in international cooperation according to the Human Genetic Resources Regulations, other clinical data that do not qualify as human genetic resources information may also be provided overseas along with the development of research projects.
3. Utilization of EDC system or management system server to provide clinical data overseas or open to the public
Electronic Data Capture (the “EDC”) is a technology for acquiring clinical trial data over a computer network. By combining software, hardware, standard operating procedures and staffing, it allows clinical data to be collected and transmitted directly in electronic form. In recent years, EDC technology has been used more and more in clinical trials. Because of its advantages of timely data entry, real-time detection of data errors, faster research progress and improved data quality, pharmaceutical regulatory authorities of many countries encourage the use of EDC in clinical trials to ensure data quality. It may constitute outbound transfer of clinical trial data if the data transmission settings of the data collection or management systems require the data to be transferred abroad; or the systems open the data access rights to overseas entities; or the servers, operation and maintenance of the systems are deployed overseas.
4. Publication of clinical trial results outside of China for scientific research purposes
Research institutions in China that conduct clinical trials may submit results of their research findings to overseas institutions or journals, and the process of submission or review may involve the provision of relevant clinical trial data to overseas parties.
II
What are the compliance requirements of personal information and data protection regulations for the outbound transfer of clinical trial data?
After the promulgation of the PIPL, the specific compliance approach and threshold requirements for the cross-border transfer of personal information were not immediately clarified, which left multinational pharmaceutical companies facing greater compliance uncertainty when conducting international pharmaceutical research business. Since June 2022, China has issued a series of regulations and drafts related to cross-border data transfer, including the Network Security Standards Practice Guide - Security Accreditation Specification for Cross-border Processing of Personal Information (the “Accreditation Specification”) issued by the National Information Security Standardization Technical Committee (“TC260”) on June 24, 2022, and the Provisions on Standard Contracts for Cross-border Transfers of Personal Information (Draft) (the “SCC Provisions”) issued by the CAC, as well as the Measures for Security Assessment which took effect on September 1 this year. The regulatory framework for cross-border data transfer has been further clarified, and the supervising authorities have given substantially detailed directions for practice.
For pharmaceutical companies with the outbound transfer need for clinical trial data, these regulations and drafts have answered some basic questions in outbound data transfers, clarified the compliance path of cross-border data transfers, improved the pharmaceutical companies’ ability to judge whether they need to declare the security assessment, and prompted the pharmaceutical companies to start considering how to fulfill compliance requirements such as obtaining full consent, separate consent and self-assessment in the practice of processing and providing clinical data abroad.
The PIPL provides three (3) main compliance paths for providing personal information overseas: (a) Security Assessment, i.e., passing the data security assessment organized by the CAC; (b) Institutional Certification, i.e., obtaining the personal information protection certification from the professional institutions in accordance with the regulations of the CAC; or (c) the SCC, i.e., signing a contract with an overseas recipient in accordance with the SCC Provisions formulated by the CAC which stipulates the rights and obligations of both parties[1]. The relationship among them is that, if the threshold of the security assessment is reached, the security assessment shall be carried out; if not, the data processor can either choose the institutional certification or the execution of a contract in accordance with the SCC Provisions. The following briefly discusses the issues that pharmaceutical enterprises may face under the above three approaches in the scenario of outbound transfer of the clinical trial data.
(I) Security assessment on outbound transfer of the clinical trial data
The threshold requirements for the data security assessment are specified in the Measures for Security Assessment as follows[2]:
(a) Outbound transfer of “important data” by a data processor;
(b) Outbound transfer of personal information by a “critical information infrastructure operator” or a personal information processor who has processed the personal information of more than 1,000,000 individuals;
(c) Outbound transfer of personal information by a personal information processor who has made outbound transfers of the personal information of 100,000 individuals cumulatively or the sensitive personal information of 10,000 individuals cumulatively since 1 January of the previous year; or
(d) Other circumstances where an application for the security assessment of outbound data transfer is required as prescribed by CAC.
The above item (a) is concerned with important data, while personal information is dealt with under items (b) and (c). Please see below for more details.
1. Security assessment is required for outbound transfer of important data
The sponsors shall consider the objective possibility of the personal information of trial subjects constituting important data under PRC law. Laws and regulations such as the PRC Data Security Law (“Data Security Law”) and the Measures for Security Assessment identify the important data according to the harm which may be brought to national security, economic operation, social stability, public health and safety if certain data has been tampered with, destroyed, leaked or illegally obtained or used[3]. Although the Data Security Law requires all localities and departments to determine the specific catalogues of important data in their own regions, departments and related industries and fields according to the data classification and graded protection system, the data protection authorities and medical industry authorities have not yet formulated specific catalogues for important data in the medical field.
The 2022 edition of the Information Security Technology - Important Data Identification Guide (Draft) issued by TC260 sets out identification factors of important data, which include “h) basic data reflecting the health and physiological conditions of the population, ethnic characteristics, genetic information, etc., such as census data, human genetic resources information, and original data of gene sequencing are important data”[4].
The CAC also defined and listed the important data in the Regulations on Network Data Security Administration (Draft) issued on November 14, 2021, which include “5. national basic data of population and health, natural resources and environment, such as genetic data, geographic data, mineral data and meteorological data, which have reached the scale or accuracy stipulated by relevant state departments”[5].
From the above explanations of the connotation and extension of important data in different legislative documents, it can be seen that the regulatory authorities tend to treat information related to general health characteristics of the population, genetics, genes, etc., which involves a certain amount of population base, as data with higher risk level. Meanwhile, the different expressions in the above regulations also seem to reflect the different understandings of various regulatory authorities on the scope of important data from different perspectives.
Based on the requirements of the Data Security Law, all regions and departments shall determine the specific catalogues of important data in their regions, departments and related industries and fields. We understand that different regions and regulators may have different definitions of important data in clinical trial business scenarios, and the inconsistent understanding of important data in different departments may persist for a long time. Before the relevant requirements are officially specified, enterprises can (a) based on the definition of important data, try to analyze the possible impact of its clinical trial data on national security, economic operation, social stability, public health and safety once it is tampered with, destroyed, leaked or illegally acquired or used, or seek professional legal advice; (b) in addition to fulfilling the requirements of the filing/approval procedures for the international cooperative research by using human genetic resources, filing of the external provision of human genetic information, and approval of the export of materials of human genetic resources, etc. in accordance with the existing regulatory system of the Human Genetic Resources Regulations, pay attention to the regulatory trends of the NMPA and the NHC on the identification of important data in the medical industry and treat the clinical trial data involving human genetic resources and genetic information in accordance with the compliance requirements no lower than those required by law for the protection of important data and the outbound transfer thereof; (c) evaluate the number of individuals involved in its own clinical trial program, and provide higher security measures if the clinical trial program involves a massive number of trial subjects.
2. Threshold of Security Assessment for Outbound Transfer of Sensitive Personal Information
In addition to ordinary personal information, the pharmaceutical clinical trials also involve various sensitive personal information of the trial subjects. The PIPL deems “medical and health information" as sensitive personal information, but does not provide detailed examples of this type of information.
Prior to the promulgation of PIPL, the national standard Information Security Technology - Personal Information Security Specification (GB/T 35273-2020) lists the following as sensitive personal information: “personal records due to illness and treatment, such as symptoms, hospitalization records, doctor orders, inspection reports, operation and anesthesia records, nursing records, medication records, drug and food allergy information, birth information, past medical history, diagnosis and treatment, family medical history, current medical history and infectious disease history”[6].
According to GCP, the source data generated in the clinical trial stage includes hospital medical records, medical images, laboratory records, memorandum, subject diaries or evaluation forms, medicine dispensing records, data automatically recorded by instruments, microfilms, photographic negative plates, magnetic media, X-rays, subject files, clinical trial-related documents and records kept by pharmacies, laboratories and medical technology departments, including certified copies, etc.[7] It can be concluded that clinical trial data naturally contains various kinds of sensitive personal information. Therefore, if the clinical trial data containing sensitive personal information is transferred overseas without any treatment, once the transferred sensitive personal information covers more than 10,000 individuals, the transferor will be obligated to apply to the CAC for the security assessment. In practice, it is relatively common to reach the threshold of 10,000 individuals in clinical trials in order to ensure accuracy and scientific rationality. Thus, relevant stakeholders need to formulate strategies in advance, e.g., to check whether the cross-border transfer of sensitive personal information can be avoided or reduced, or how to improve the possibility of passing the security assessment.
(II) Other compliance routes: SCC and Institutional Certification
In case the threshold of security assessment is not met, enterprises can choose SCC or the Institutional Certification to ensure that the outbound data transfer complies with the requirements of Chinese laws. Both the Accreditation Specification issued by TC260 and the SCC Provisions issued by the CAC require the transferor and the overseas recipient to conclude a legally binding agreement, which puts forward many specific requirements.
In particular, the SCC Provisions stipulate that the overseas recipient shall (i) process personal information legally, legitimately and as necessary in terms of purpose, scope and method of processing, and (ii) assess the quantity, scope, type and sensitivity of personal information to be transferred abroad, and the risks that the outbound transfer of personal information may bring to the rights and interests of the data subjects. In addition, the overseas recipient is also required (i) to clarify the responsibilities and obligations undertaken by the overseas recipient, and whether the management and technical measures taken by it and its capabilities to fulfill the responsibilities and obligations can guarantee the security of personal information to be transferred abroad; (ii) to assess the risks of personal information being leaked, damaged, tampered with or abused after being transferred abroad, and whether the channels for individuals to safeguard their personal information rights and interests are unobstructed; and (iii) to assess the impact of personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of SCC. Per our understanding, assessing the degree of information protection in such overseas recipient countries or regions may require the advice of local professional lawyers. The SCC Provisions also require overseas recipients to allow domestic personal information processors to review data files and documents or audit the processing activities of the overseas recipients.
Appendix II of the SCC specifically provides a section for the parties to negotiate and agree on other terms suitable for their own business arrangements. However, these other terms or other contracts signed by domestic personal information processors and overseas recipients shall not conflict with SCC.
If the domestic transferor of clinical trial data asks an overseas recipient that is not in the same company group as the domestic transferor to sign SCC (e.g., in the case of providing information directly to overseas scientific research journals, etc.), it is quite possible that the overseas recipient may resist because of the heavy obligations imposed on it by SCC and the need to accept the jurisdiction of Chinese law. At present, the official version of SCC is yet to be published, and the institutional certification approach is also yet to be recognized and implemented by regulatory authorities such as CAC. The relevant sponsors and scientific research institutions are strongly advised to thoroughly discuss the cross-border scheme (including the content of cross-border transfers and the design of the transfer path, etc.) and the choice of cross-border compliance channels in advance, including communicating with the overseas recipients.
(III) Other compliance requirements
1. Requirements for using identification codes and anonymization of personal information
Some sponsors may hope that the identification code approach required by GCP can also satisfy the anonymization requirements under PIPL, so that their outbound transfers do not need to be counted toward the threshold number of the security assessment. Although GCP requires researchers to use the trial subject identification code to refer to the trial subjects when recording adverse events and other data related to the trial, plentiful physiological and medical characteristics and medical history information of specific trial subjects will be collected in clinical trials due to the need of research. If these clinical trial data are combined with other information, it is not impossible to identify the specific individuals behind the personal information. Therefore, the use of identification codes may satisfy “de-identification”, but it can hardly meet the requirement of “anonymization” under PIPL.
The export need of clinical trial data and the high standard of anonymization under PIPL, combined with the low threshold for security assessment imposed on sensitive personal information, have increased the compliance cost of outbound transfer of clinical trial data. The pharmaceutical industry urgently needs the relevant authorities to give specific guidance on the classification, anonymization or de-sensitization of medical personal information (including the clinical trial data) and its outbound transfer compliance methods, so as to realize the safe sharing of data and fulfill the scientific research purposes.
2. Informed consent, separate consent, and separate acquisition of consent
Under PIPL, except for exemptions clearly listed, the personal information shall be processed on the precondition of the voluntary and explicit consent of the individuals with full knowledge[8]. As the clinical trial data involves the sensitive personal information such as medical records and medication records of the data subjects, it is necessary to inform the trial subjects about the necessity of processing their sensitive personal information and the impact on their rights and interests[9].
In addition, PIPL requires that the separate consent of the data subject shall be obtained respectively when providing personal information to other personal information processors or to any overseas recipient[10]. Under GCP, it is also required to obtain the informed consent of the trial subjects. Only when the trial subjects are informed of all aspects that can affect their decisions to participate in clinical trials can they confirm to voluntarily participate in the clinical trials[11] and can the researchers collect their clinical data for research activities.
At present, the regulatory authorities have not explained the relationship between PIPL’s consent requirement and the informed consent requirement under GCP. We are inclined to think that the legal interests protected by PIPL and GCP overlap in the clinical trial scenario, since both of them need the voluntary consent of the trial subjects. However, the legislative purpose and scope of supervision under PIPL and GCP are mostly different in essence. Therefore, it is insufficient to simply expect the informed consent letter that meets the requirements of GCP to cover all kinds of protection requirements for personal information under PIPL.
We understand that there may be a series of practical difficulties in amending the informed consent letter to meet the requirements of PIPL and obtaining the consent of the trial subjects again in the clinical trials that have already started. On the one hand, not all trial subjects may be willing to sign the amended consent letter; the possibility of obtaining signatures of all trial subjects is low and the cost may be high. On the other hand, PIPL requires that the recipient’s name, contact information, processing purpose, processing method and types of personal information shall be informed to the trial subjects. When the recipient handles personal information beyond the scope of the informed processing purpose, processing method and types of personal information, it is necessary to obtain personal consent again. However, in practice, it may be difficult for domestic entities to ensure that the overseas recipient only processes the clinical data according to its promised scope and manner after receiving it.
In view of the above practical issues, it is urgent for the pharmaceutical industry to reach a certain industry consensus. At present, we suggest that the sponsors or research institutions shall at least disclose in the informed consent letter all processing purposes and scopes of all currently known overseas recipients and all possible subsequent overseas recipients, provide, as far as possible, regular updates for the trial subjects to check on whether the overseas recipients re-transfer the clinical data or use it for other purposes, and provide convenient contact information for the subjects to withdraw or modify their consents.
3. Self-assessment
The PIPL, the Accreditation Specification, the SCC Provisions, and the Measures for Security Assessment all require information processors to conduct a personal information protection impact assessment (“PIPIA”). Considering that conducting a PIPIA requires an understanding of the overall landscape of the data flow and personal information protection activities of the assessed entity, and that a PIPIA also involves assessment of the personal information protection environment of the overseas recipients’ jurisdiction, we suggest that clinical trial participants who need to transfer data outside of the PRC start the PIPIA process as soon as possible.
III
Summary
Under the background of continuous improvement and refinement of personal information and data protection laws and regulations in China, the outbound transfer of clinical trial data faces new compliance challenges. The previous approach of using informed consent letter to obtain the consent of the trial subjects and relying on compliance under the rules of providing human genetic resources information overseas cannot fully meet the requirements of the existing regulations on the cross-border data transfer.
Considering that PIPL already came into effect on November 1, 2021, and the Measures for Security Assessment also took effect on September 1, 2022, we suggest that relevant enterprises (1) start updating the informed consent letter and collecting the signatures of the trial subjects as soon as possible according to the requirements of PIPL; (2) conduct the required PIPIA, sort out the important data, personal information and sensitive personal information involved, and analyze the necessity of all data export; and (3) investigate the three legitimate cross-border transfer methods of clinical trial data, and assess whether they have reached the threshold to trigger the obligation of the security assessment, as well as the feasibility of signing SCC or conducting the institutional certification. In the process of continuous integration of legislation and practice, enterprises may seek professional legal advice according to the characteristics of their own clinical trial projects and actual business needs, grasp and implement the new requirements put forward by PRC laws and regulations on personal information and data protection, and turn them into practical and operational compliance approaches.
[Note]