What’s new for Data Privacy under Medical Device Regulation?
December 14, 2021
The regulatory wave hit the world of medical devices on May 26, 2021, the date of application of the new Medical Device Regulation (EU) 2017/745. Many manufacturers have not yet had the opportunity to assess the impact of the GDPR (Regulation (EU) 2016/679) on their clinical research or materiovigilance activities. This article summarises the problems and challenges, to help you become compliant.
On 26 May 2021 the EU Medical Device Regulation (EU) 2017/745 (MDR) became fully applicable. The MDR calls for stricter rules, more transparency and increased availability of quality data, together with more rigorous clinical evidence for class III and implantable medical devices.
It is important to understand that implementing the MDR results in the need to process more personal data, and that the MDR also mandates a higher level of protection for patients' personal data than previously. The MDR refers explicitly to the applicable data protection framework and points to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (the "GDPR").
Many device manufacturers and their vendors are not based in the EU. So how far does the GDPR even apply, and to which activities?
The GDPR applies to organisations established in the EU and to non-EU organisations that offer goods or services to individuals in the EU or monitor their behaviour in the EU (which includes processing patients' health data for study or vigilance purposes).
Specific types of processing activities mandated by the MDR:
- 1. Premarket Clinical Investigations
- 2. Legacy Devices Reassessment
- 3. Demonstration of Equivalence through New Investigation and Use of Data from Similar Devices
- 4. Post-Market Clinical Follow-Up under the MDR
Since there is no grandfathering, legacy medical devices will need to go through the same initial MDR conformity assessment procedure as novel devices.
The MDR may require reassessment of the clinical data for devices already on the market; if the data do not meet the new requirements, the devices will have to undergo additional testing to be recertified.
To avoid a potential negative impact on the healthcare industry in Europe and to provide a better understanding, the MDCG 2020-6 guidance document on sufficient clinical data for legacy devices was published. This document aims to help manufacturers and notified bodies prepare for the conformity assessment procedure under the MDR.
The reassessment (new study) and performance of additional analysis on existing data are considered data processing activities.
To comply with this requirement, device manufacturers frequently turn to the hospitals that have used the device in order to acquire datasets collected in the course of standard care, not primarily for research. Under the GDPR, this is indirect collection of data for use for a purpose other than the one they were originally collected for. The fact that the data are coded (pseudonymised) does not as such release the device manufacturer, as data controller, from the obligation to transparently inform the data subjects, unless the exception in Article 14(5)(b) (impossibility or disproportionate effort, in particular for scientific research purposes) can be applied.
According to Article 61(5) of the MDR, the equivalence route is still feasible, but it is no longer possible to demonstrate equivalence solely on the basis of a descriptive comparison of the two devices. The MDR requires manufacturers to demonstrate a sufficient level of access to the data pertaining to the proposed equivalent device.
In cases where equivalence cannot be demonstrated under the MDR, data from similar devices may still be useful. All clinical data, both favourable and unfavourable, must be identified. This applies to clinical data from both the existing device and the device for which equivalence can be demonstrated. If the data meet the definition of clinical data in the MDR, they shall be used to evaluate whether they provide sufficient clinical evidence to confirm conformity with the relevant general safety and performance requirements (GSPR).
These processing activities require the re-use of personal data previously collected for a new purpose and, potentially, by a data controller different from the original one (the manufacturer of the original device). Re-used data are no longer considered personal data only if they are fully anonymised, meaning that it is no longer possible to link the data to an individual, to single out any individual, or to infer new information about an individual from the data.
The MDR now includes increased scrutiny of clinical data in the post-market setting. Depending on the risk class, a manufacturer must provide a summary of the post-market data and an updated benefit-risk analysis, derived from a partially updated clinical evaluation, annually or at least every two years in a Periodic Safety Update Report (PSUR). For class III and implantable devices, these PSURs undergo a mandatory assessment by the notified body that issued the EC certificate. This heightened scrutiny increases the manufacturer's obligations to collect and process patients' health data. Moreover, the MDR now specifically includes device registries as a source of real-world data in the post-market setting. By definition, a registry is a data collection that has no specific endpoint and includes all patients treated with a specific medical device or procedure.
With the increasing demand for more long-term data from physicians and legislators in Europe, implant registries, like some national joint registries in Europe, have started collecting patient-reported outcome measures (PROMs) in addition to implant survival rates alone. Even when a medical device is covered by a registry, there may still be unanswered questions that require an additional PMCF study.
For manufacturers, even though they had a transition period to adapt, grey zones remain regarding how to practically implement post-market surveillance in a way that fully complies with the GDPR, since this collection and use of registry and PMCF data are also forms of processing of personal data.
The MDR (Article 61(4)) states that for implantable and class III devices, a premarket clinical investigation shall be performed. The more stringent requirements to demonstrate equivalence under the MDR will likely increase the number of premarket clinical investigations.
A clinical investigation cannot be envisaged without processing personal data. The data processed are usually coded. However, under the GDPR, coded data are still personal data insofar as they can be linked, including indirectly, to a person. Therefore collecting, storing and analysing these data to comply with MDR requirements are processing activities, and a premarket clinical investigation is a form of processing of personal data.
Do GDPR requirements apply to processing of personal data mandated by Medical Device Regulation?
Within the scope of premarket clinical investigation, reassessment of legacy data, demonstration of equivalence or post-market clinical follow-up, the GDPR applies without any doubt to an EEA-based organisation responsible for these assessments.
What about its application to non-EEA organisations? From our point of view, example 25 of the EDPB Guidelines 3/2018 on the applicability of the GDPR to the sponsor of a drug clinical trial can be fully transposed to investigations with medical devices. Indeed, the EDPB considers clinical trials and other investigations to be a form of monitoring of health and therefore a form of monitoring of behaviour. Wearable and smart devices are the most obvious examples the EDPB used to clarify the notion of monitoring of data subjects' behaviour.
Beyond the interpretation of Article 3 of the GDPR, the MDR itself emphasises the principle of confidentiality in its Article 72, stating that all clinical investigation information shall be processed by the sponsor or investigator in such a way that the confidentiality of records and the personal data of the subjects remain protected in accordance with the applicable law on personal data protection. Articles 109 and 110 specify that all parties must respect the confidentiality of personal data. This does not restrict the application of the GDPR to confidentiality alone; it should be read as an emphasis on one of the GDPR's principles.
What about online shops located outside EEA?
Under MDR Article 6, the MDR applies to all devices (including those used for diagnostic or therapeutic services) "offered by means of information society services to a natural or legal person established in the Union". The same distance-selling scenario brings the seller's processing of customer and patient data within the scope of the GDPR, since it amounts to offering goods or services to individuals in the EU. This covers:
- Online shops
- Any other medium through which buyer and seller conclude a sale without being physically present together