GDPR and incident reporting for medical devices

On 25 May 2018 the General Data Protection Regulation (GDPR) will become enforceable in all EU Member States. GDPR is designed to harmonise data privacy laws across Europe and to protect the data privacy of all EU citizens. Although GDPR might seem daunting at first, the changes for those already compliant with the Swedish Personal Act aren’t huge. Setterwalls welcomes the change and believes it is a good way for companies to review their processing of personal data and create procedures to ensure proper processing. However, implementation of GDPR has already raised some concerns for producers of medical devices regarding the processing of personal data in relation to requirements under Swedish law to report incidents concerning medical devices.

Background
To process personal data in accordance with GDPR (or the current Data Protection Act for that matter), a company needs to have a legal basis for doing so. An example of a legal basis is that the person concerned has given their consent to such processing, or that there is a legal requirement to do so. Furthermore, GDPR contains fundamental principles for the processing of personal data, for example that the person concerned has to receive information about why and how their personal data is being processed.

GDPR also contains certain regulations regarding the processing of special categories of personal data, or sensitive data. Such sensitive personal data consists, for example, of information on racial or ethnic origin, political opinions and data concerning health. The rules concerning the processing of such data are strict and often require the informed consent of the individual.

For life science companies, the combination of a broad definition of personal data, the requirement to inform those individuals concerned and the strict rules on the processing of sensitive data could create unforeseeable and complex issues that are not easily resolved.

Medical devices and personal data
The development and sale of medical devices is a continually growing market and an important part of the life sciences industry. The term ‘medical devices’ covers a wide range of products. Medical devices can be anything from simple plasters and stethoscopes to advanced systems such as magnetic cameras and automated surgical systems, as well as apps for medical use.

In Sweden, producers of medical devices are required to maintain ongoing monitoring of how their products function and to report any incidents in which their medical device product has been involved to the Swedish Medical Products Agency. As part of such incident reporting, producers of medical devices may have to process sensitive health data about the patient concerned.

Until the implementation of GDPR, producers of medical devices have relied on for the legal basis health and medical care purposes in the Swedish Personal Data Act when processing sensitive personal data as part of incident reporting. This legal basis states that sensitive personal data may be processed for health and medical purposes where it is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health care services.

The legislation is based on Article 8.3 of the Data Protection Directive. Article 8.3 of the Data Protection Directive prescribed that personal data may be processed if necessary with regards to preventive medicine, medical diagnosis or the provision of care or treatment or the management of healthcare services where such data is processed by a health professional subject under national law to complying with the obligation of professional secrecy, or “equivalent obligation of secrecy”. This was reflected in the Swedish Personal Data Act, which also made it possible to process data on persons subject to ‘equivalent secrecy”,’ if the sensitive data was processed on behalf of a healthcare professional. Private life science companies that are not bound by professional secrecy, have therefore been able to rely on the exemption in the Swedish Personal Data Act when processing sensitive personal data as part of incident reporting.

Under GDPR, the processing of sensitive data is allowed only under the circumstances listed in Article 9.2. Article 9.2 h), which corresponds to Article 8.3 of the Data Protection Directive and relates to health data, contains a requirement that it may only be applied by an entity that is subject to professional secrecy. However, there is no clause in the government bill (2017/18:105) for the new Swedish Personal Data Act (which will apply in parallel with GDPR and fill out the gaps where GDPR allows for that on national basis) allowing for entities under equivalent secrecy obligations (such as private companies) to process personal data.  Reviewing the other legal bases for processing of special categories of data, it becomes clear that producers of medical devices cannot realistically rely on any other legal basis for such processing. Consequently, there is currently no way for a private company producing medical devices to gather all the data necessary to fully comply with the requirements of incident reporting while adhering to the relevant personal data obligations.
As the report on the new Privacy Act was referred to the relevant authorities and industry actors for comments (S2017/04726/SAM), The Swedish Association of the Pharmaceutical Industry brought up this issue, urging for legislation allowing for private entities to process sensitive data for the purpose of adhering to obligations on incident reporting.

Regulation (EU) 2017/745 concerning medical devices, which will enter into force on 26 May 2020, involves rules binding all operators, including producers and distributors of medical devices, by secrecy obligations. As GDPR will be directly applicable in Sweden, the gap between the application of GDPR and that of the regulation concerning medical devices mentioned above is an issue for producers of medical devices until the new rules on privacy obligations for producers are in place. Producers will then be obliged under Swedish Medical Products Agency rules to report incidents involving their medical device product, but they may no longer apply the exemption in the Swedish Personal Data Act that allowed them to process such sensitive personal data.

Producers of medical devices rarely have contact with patients and it is difficult to obtain consent from a person to share their personal data when reporting an incident. In addition, obtaining consent poses difficulties as an individual may withdraw their consent. We therefore welcome the proposed changes in (EU) 2017/745. During the two years between the implementation of GDPR and the implementation of the regulation on medical devices however, producers of medical devices seem to have to balance their interests in complying with the personal data act with their interests in complying with incident reporting requirements and try not to gather more data than is necessary, while ensuring reliable means for incident reporting.