Life Sciences 2026

INDIA Law and Practice Contributed by: Malathi Lakshmikumaran, Vindhya S Mani, Pallaash Shankhdhar and Khushi Lokwani, Lakshmikumaran & Sridharan Attorneys

for submitting such structured result summaries on the CTRI.

2.4 Use of Online Tools to Support Clinical Trials

In India, the use of online and digital tools in clinical trials is subject to a defined regulatory framework. The study design – including elements such as digital participant recruitment, electronic informed consent (e‑consent) and remote monitoring – must first be reviewed and approved by the Ethics Committee and CDSCO, in accordance with the NDCT Rules for drugs and the MDR for medical devices. Once regulatory approval is granted, any digital collection, use or processing of participant data must comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the rules thereunder (DPDP Rules). Accordingly, data fiduciaries must comply with core requirements, including:

• providing clear notice and obtaining free, informed and express consent;
• processing data only for approved and specified purposes;
• implementing appropriate technical and organisational security measures;
• ensuring contractual safeguards with third‑party processors;
• implementing adequate breach reporting mechanisms;
• erasing personal data once the purpose of processing is fulfilled; and
• enabling data principal rights, such as access, correction, erasure, grievance redressal, nomination and withdrawal of consent.

2.5 Use of Data From Clinical Trials

The information generated in a clinical trial qualifies as personal data when it can reveal an individual’s identity and indicate the health condition they are experiencing. Sharing such data with third parties may trigger legal obligations. This assessment is context‑specific and depends on the type of data produced during the trial. For instance, raw datasets often contain personally identifiable details, which would be considered personal data under the DPDP Act and the DPDP Rules.

In light of the provisions of the DPDP Act and the DPDP Rules, all or any instances of cross-border data transfer of personal data shall be restricted to regions and/or nations restricted by the central government by means of a special or general order. In addition, it is mandatory to inform the individual about all or any forms of cross-border data disclosure prior to seeking informed consent. In addition to the obligations of a data fiduciary under the DPDP Act, it is mandatory for the data fiduciary to deploy adequate technical measures, including but not limited to encryption, masking, access restriction, etc, to ensure the security, confidentiality and integrity of the personal data at rest as well as in transit. If such cross-border data transfer is undertaken to a data processor based outside India, the data fiduciary shall be responsible for ensuring compliance on behalf of the contractually appointed data processors.

2.6 Personal or Sensitive Data

The DPDP Act and the DPDP Rules do not establish any forms of segregation between personal data and sensitive personal data, so the obligations of a data fiduciary under the DPDP Act shall be applicable irrespective of the type of personal data collected and processed. Therefore, no forms of additional or further requirements shall be triggered under the DPDP Act. However, it may be noted that the provisions of the DPDP Act are not yet in effect; until they come into effect, the provisions of the Information Technology Act, 2000 (including the SPDI Rules, 2011) would be in effect. The SPDI Rules do, however, segregate personal data into normal and sensitive personal data.

3. Marketing Authorisations

3.1 Product Classification

The assessment process for determining whether a product is a pharmaceutical or a medical device is as follows.

Pharmaceuticals

If a product is intended for the diagnosis, treatment, mitigation or prevention of disease by pharmacological, immunological or metabolic action, it is deter-
