Privacy Laws: Impact on the Pharmaceutical Industry

1
Privacy LawsImpact on the Pharmaceutical
Industry
Presentation to PBIRG Annual General
Meeting Boston, Massachusetts May 11, 2005

Hilary M. Wandall, J.D., M.B.A Director,
Corporate Legal/Merck Privacy Office Merck Co.,
Inc.
2
Overview

• Privacy Laws Around The World
• U.S.
• Europe
• Other International Markets
• Basic Privacy Principles Fair Information
  Practices
• Pharmaceutical Marketing Impacts
• Market and Marketing Research
• Secondary Uses of the Research Data

2
3

• Privacy Laws
• A Global View

4
U.S. Federal Privacy Laws

• Federal Trade Commission Act of 1914
• Fair Credit Reporting Act of 1970 (as amended
  2003)
• Privacy Act of 1974
• Federal Education Rights and Privacy Act of 1974
• Cable Communications Policy Act of 1984
• Electronic Communications Privacy Act of 1986
• Video Privacy Protection Act of 1988
• Telephone Consumer Protection Act of 1991
• Health Insurance Portability and Accountability
  Act of 1996
• Childrens Online Privacy Protection Act of 1998
• Gramm Leach Bliley Act of 1999
• CAN-SPAM Act of 2003

4
5
Categories of U.S. State Privacy Laws

• Medical Privacy
• Data Security
• Security Breach Notification
• Online Privacy
• Unfair and Deceptive Trade Practices
• Condition-Specific Medical Privacy (e.g.,
  HIV/AIDS, mental health)
• Genetic Privacy
• Unsolicited Commercial E-mail

5
6
European Privacy Laws

• European Economic Area (as of May 2004)
• Other European Countries/Territories
• Albania, Bosnia and Herzegovina, Bulgaria,
  Greenland, Guernsey, Isle of Man, Jersey, Monaco,
  Macedonia, Romania, San Marino, Switzerland,
  Serbia and Montenegro

• Austria
• Belgium
• Czech Republic
• Cyprus
• Denmark
• Estonia
• Finland
• France
• Germany
• Greece
• Hungary
• Iceland
• Ireland
• Italy

• Latvia
• Liechtenstein
• Lithuania
• Luxembourg
• Malta
• Netherlands
• Norway
• Poland
• Portugal
• Slovenia
• Slovakia
• Spain
• Sweden
• United Kingdom

6
7
Privacy Other International Markets

• Africa and Middle East Israel, Mauritius,
  South Africa, Tunisia
• Asia Australia, Azerbaijan, Hong Kong,
  Japan, New Zealand, Russia, South Korea,
  Taiwan, Thailand
• North America Canada (Federal and Provincial)
• Latin America Argentina, Brazil, Chile,
  Paraguay, Peru
• Similar to comprehensive European approach

7
8
Comparative Analysis

• Summary
• Privacy and data protection laws ingt60 countries
  and territories worldwide. Unlike the sectoral
  U.S. approach, most (50) of these laws are based
  on the comprehensive European model including
• Broad definition of personal information to
  include any data that identifies, or that may be
  used to identify, an individual natural person.
• Restrictions on cross-border flows of personal
  information unless the recipient country has an
  adequate or equivalent level of data protection.

8
9
Comparative Analysis
Legislative approaches apply common principles
but create significantly different administrative
requirements
9
10

• Privacy Principles
• Fair Information Practices

11
Privacy Principles

• Necessity Determine the legitimate and
  necessary business purposes for which the
  personal information will be collected, used and
  disclosed. Collect only the elements of personal
  information necessary for such purposes. Retain
  it in identifiable form only as long as
  necessary.
• Notice Inform individuals of who is collecting
  the personal information, the purposes for which
  it will be used, who will have access to it, and
  how to exercise individual privacy rights.
• Choice Enable individuals to choose whether to
  participate or to affirmatively consent to
  participate, and to opt-out of future collection,
  use and disclosure of the personal information.

11
12
Privacy Principles

• Data Integrity Ensure that personal information
  is used and disclosed consistent with the
  purposes for which it was collected and/or the
  notices provided and choices exercised. Keep
  personal information accurate, complete, and
  current.
• Access and Correction Allow individuals to
  access personal information about themselves, and
  to correct/amend factually inaccurate or
  incomplete data.
• Security Implement reasonable administrative,
  technical and physical safeguards to protect
  personal information from loss, misuse, and
  unauthorized access, disclosure, alteration or
  destruction. Such safeguards shall be appropriate
  to the sensitivity of the information.

12
13
Privacy Principles

• Onward Transfer Contractually ensure that any
  third parties who handle personal information for
  or on your behalf adhere to the same privacy
  standards and provide appropriate security
  measures to safeguard the personal information.
• EEA, Australia, Argentina, Canada, Mauritius,
  Romania, Switzerland ensure that standards of
  adequate protection have been met.
• Enforcement Through training, audits, as well
  as complaint and dispute resolution mechanisms,
  ensure that your organization complies with
  applicable privacy requirements. Laws and
  regulations also may impose criminal civil
  penalties for non-compliance.

13
14

• Pharmaceutical Marketing
• Privacy Impacts

15
Market Research

• Benchmark studies
• Agency provides notice to respondents of who is
  conducting the study, choices regarding
  participation (including right to opt-out of
  receiving invitations to participate in future
  surveys), any rights of access and correction
  (including limitations on such rights), and
  ensures that the data is secured adequately.
• Contracts between the agency and the
  pharmaceutical company should ensure that data
  provided to pharmaceutical company from these
  studies is anonymous.

15
16
Marketing Research

• Focus groups
• Agency provides notice to respondents of who is
  conducting the study, who will have access to the
  data (including any observation real time or
  video), choices regarding participation, any
  rights of access and correction (including
  limitations on such rights), and ensures that the
  research data is secured adequately.
• Contracts between the agency and the
  pharmaceutical company should represent that data
  provided to the pharmaceutical company from these
  studies does not violate any law or the rights of
  a third party.

16
17
Marketing Research

• Surveys (Agency Conducted)
• Agency provides notice to respondents of who is
  conducting the study, with whom the identifiable
  results will be shared (if applicable), choices
  regarding participation (including right to
  opt-out of receiving invitations to participate
  in future surveys), any rights of access and
  correction (including limitations on such
  rights), and ensures that the research data is
  secured adequately.
• Contracts between the agency and the
  pharmaceutical company should represent that data
  provided to the pharmaceutical company from these
  studies does not violate any law or the rights of
  a third party, and if data provided is intended
  to be anonymous, contract should ensure that the
  data provided is anonymous.

17
18
Marketing Research

• Surveys (Company Conducted)
• Company provides notice to respondents of who is
  conducting the study, with whom the identifiable
  results will be shared (if applicable), choices
  regarding participation (including right to
  opt-out of receiving invitations to participate
  in future surveys), any rights of access and
  correction (including limitations on such
  rights), and ensures that the research data is
  secured adequately.

18
19
Marketing Research

• Surveys (Online) Additional Requirements
• Notices may have two components
• Point of collection notice
• Privacy Policy should explain any use of
  cookies, web tags or other online tracking
  mechanisms
• E-mail invitations should explain that the
  communication is one-time only or provide an
  online opt-out mechanism for future e-mail.
• E-mail subject lines should be clear and
  accurately represent the content of the message.
• Internet transmissions of personal information
  should be encrypted and databases containing
  personal information should be appropriately
  secured, including technical and administrative
  access and authentication mechanisms.

19
20
Marketing Research

• Database Analyses (Agency Conducted)
• Prior notices and choices exercised may permit
  database analyses on identifiable data such
  analyses must be consistent with these prior
  notices/choices.
• If additional notice and choice are
  impracticable, analyses should be conducted with
  anonymized data (e.g., by gender, age, country,
  condition, specialty).
• Contracts between the agency and the
  pharmaceutical company should represent that data
  provided to the pharmaceutical company from these
  studies does not violate any law or the rights of
  a third party, and if data provided is intended
  to be anonymous, contract should ensure that the
  data provided is anonymous.

20
21
Marketing Research

• Database Analyses (Company Conducted)
• Prior Company notices and choices exercised may
  permit analyses on identifiable data in the
  Companys databases such database analyses must
  be consistent with these prior notices/choices.
• If additional notice and choice are
  impracticable, analyses should be conducted with
  anonymized data (e.g., by gender, age, country,
  condition, specialty).
• Contracts between the pharmaceutical company and
  any third party that conducts analyses for the
  company on data provided by the company must
  ensure that the third party uses the data solely
  for these purposes, in accordance with applicable
  privacy standards, and that the third party
  implement administrative, physical and technical
  safeguards to secure the data.

21
22
Secondary Uses of Research Data

• Secondary uses of research data are permissible
  where such uses are consistent with prior notices
  provided and choices exercised. If no prior
  notice applies, additional notice should be
  provided with communications regarding
• Additional unrelated market research
• Scientific/medical education
• Online services and offerings
• Product promotion

22
23
Thank You!Hilary M. Wandall, Esq.hilary_schock_at_
merck.com 908-423-4883This presentation is
not intended as legal advice. Participants
should consult with their legal counsel for
advice on specific privacy matters.
23