CHINA Law and Practice Contributed by: Alan Zhou, Charlene Huang, Jenny Chen and Stephanie Wang, Global Law Office
Personal Data Protection According to the laws in the PRC, healthcare institutions and professionals have to protect the personal data and privacy of patients. For pharmaceutical companies processing the per- sonal data of patients, informed consent typi- cally serves as the legal basis. An individual or entity that illegally processes personal data incurs administrative or criminal liabilities. Phar- maceutical companies commonly and strictly prohibit their employees from illegally collecting or further using or sharing the personal data of patients, thereby preventing liabilities (see 4.1 Legal Risks of Digital Healthcare ). Digital patient management programmes Pharmaceutical companies often have to engage vendors to establish and maintain platforms on smartphone applications or WeChat mini pro- grammes. The primary purpose of these digital patient management programmes is to assist healthcare professionals in optimising patient management. These programmes typically involve the collection of detailed personal infor- mation from patients, such as diagnosis results, dates of visits, medical histories, treatment responses and other health-related data. This comprehensive data collection is achieved by providing digital platforms where both patients and healthcare professionals can log informa- tion, track the treatment process in real time and communicate effectively. However, when vendors neglect to provide patients with sufficient information regarding how their personal data will be collected, stored, processed and shared and therefore fail to obtain legally required consent, significant risks of per- sonal data infringement are created. Given that these vendors are entrusted by pharmaceutical companies, any non-compliance or data-related mishandling may result in the transfer of these
From a general perspective, following two important data protection laws which took effect in 2021 (the PIPL and the Data Security Law of the PRC), a series of measures and guides have been promulgated since 2022 regarding detailed regulations on data protection, security assess- ment measures and the execution of standard contracts for cross-border data transfer. Human genetic resources (HGRs) are primarily governed by the Biosecurity Law, the Adminis- trative Regulation on Human Genetic Resources (the “HGR Regulation”) and the implementa- tion rules issued in 2023. Foreign parties with established or controlled entities in the PRC are only permitted to use Chinese HGR upon filing/ approved by the HGR authority and are prohib- ited from collecting, storing and making cross- border transfers of the HGR. The NMPA issued Implementation Measures for the Protection of Drug Trial Data (for Trial Imple- mentation) for public comment in March 2025, aimed at optimising the protection framework for drug trial data further. The aim was to encour- age the research and development of innovative drugs and accelerate pharmaceutical innovation. 5.2 Recent or Imminent Reform Pharmaceutical companies have recently shown an increasing dependence on digital tools when engaging with healthcare professionals and patients. Data collection via digital tools serves as a key element in analysing healthcare profes- sionals’ and patients’ perceptions of treatment alternatives and drug dosage, market share, etc. These data collection activities are associated with a variety of risks and are subject to regula- tory supervision.
34
CHAMBERS.COM
Powered by FlippingBook