Do’s and Don’ts of Consent Management in EU


Transcript of Do’s and Don’ts of Consent Management in EU

Page 1: Do’s and Don’ts of Consent Management in EU

Do’s and Don’ts of Consent Management in European Union

A changing landscape

Page 2: Do’s and Don’ts of Consent Management in EU

Presenters

Maite Vazquez Calo, attorney at [email protected]

Ned Mumtaz, practice [email protected]

Page 3: Do’s and Don’ts of Consent Management in EU

AGENDA

• Consent Management need definition - Ned

• Regulatory side of the Privacy Laws in EU - Maite

• Focusing on stakeholders - Ned

• Q&A

Page 4: Do’s and Don’ts of Consent Management in EU

Consent Management – need definition

Consent Management is in focus in 2016

Page 5: Do’s and Don’ts of Consent Management in EU

Consent Management – need definition

The European Pharmaceutical Industry Association (EFPIA) has preempted government sunshine regulations in Europe by providing a directive on disclosing transfers of value between healthcare professionals (HCPs) and organizations (HCOs) for its members in 33+ countries. There are specific consent-related requirements to support the disclosure of transfers of value. The rate of consent is key to the success or failure of this directive; if it fails, government sunshine regulations may be imposed in Europe.

Page 7: Do’s and Don’ts of Consent Management in EU

Summary of Numbers from 2015 EFPIA data

• The national press has reported that in the UK a total spend of £300+ M was reported, where 70% of physicians consented to have their data included.

• In Germany 20,000 of the 71,000 reportable physicians consented, with data disclosed by 54 companies that represent 75% of the market.

• We found that the ratios may be lower.

Page 11: Do’s and Don’ts of Consent Management in EU

575M 20,000

Page 12: Do’s and Don’ts of Consent Management in EU

Spend amount as the basis for consent ratio

• Calculation: Total amount of spend (for consented physicians) / Total amount of General spend (consented + non consented)

*Research payments excluded from the formula

Result:

Page 13: Do’s and Don’ts of Consent Management in EU

Calculation

Company Name | Consent Amount | Non Consent Amount | Consent %
Alexion | 0.00 € | 756,814.00 € | 0.00%
Seqirus GmbH | 0.00 € | 7,125.00 € | 0.00%
Aegerion Pharmaceuticals GmbH | 1,653.40 € | 0.00 € | 100.00%
MediGene AG | 34,033.77 € | 1,943.60 € | 94.60%
Baxter Deutschland GmbH | 38,097.74 € | 161,070.81 € | 19.13%
Eisai GmbH | 39,453.59 € | 214,496.26 € | 15.54%
GlaxoSmithKline GmbH & Co. KG | 130,649.08 € | 266,433.34 € | 32.90%
Lundbeck GmbH | 189,041.12 € | 809,967.23 € | 18.92%
Shire | 218,132.01 € | 878,083.34 € | 19.90%
Roche Pharma AG | 252,433.83 € | 2,692,411.98 € | 8.57%
ACTELION Pharmaceuticals Deutschland GmbH | 269,632.02 € | 620,066.39 € | 30.31%
MSD SHARP & DOHME GmbH | 1,978,646.18 € | 4,672,909.29 € | 29.75%
Berlin-Chemie AG | 2,106,647.64 € | 5,824,356.26 € | 26.56%
Novartis Pharma GmbH | 3,570,612.08 € | 8,605,871.45 € | 29.32%

23,099,253.78 € | 257,848,556.46 € | 29.57%

€ value based consent %:

23,099,253.78 € / 257,848,556.46 € = 9%

75% of pharmaceutical industry drug manufacturers reported

25% of spend data not reported

Subtract 25% from 9% = 6.7%

[Chart legend: Consented, Non Consented]

Page 14: Do’s and Don’ts of Consent Management in EU

Germany

Page 15: Do’s and Don’ts of Consent Management in EU

35%

65%

The rate of consent is the key in success or failure of this directive.

In 2016 EFPIA and its members are shifting focus to improving consent rates.

Spain introduced new regulation to improve consent.

EU introduced new regulation to increase data privacy and protection.

Page 16: Do’s and Don’ts of Consent Management in EU

Regulatory Side of Consent

Maite Vazquez Calo


Page 17: Do’s and Don’ts of Consent Management in EU

Regulatory side of Consent

• The current consent regulation

• NEW EU Regulation and its impact

• Consent best practice SOPs

• NEW consent regulation in Spain

Page 18: Do’s and Don’ts of Consent Management in EU

Regulatory Side of Privacy Law in EU

• Current Situation

These data privacy concerns are a major challenge because reports capture personal information. Reports require the disclosure of full names, addresses, specialties and some country-specific identifiers.

Currently in Europe, the capture of personal information at a granular level must observe the 1998 European Data Protection Directive 95/46/EC. The Directive stipulates that an individual’s consent must be received before their personal information may be disclosed.

Page 19: Do’s and Don’ts of Consent Management in EU

Regulatory Side of Privacy Law in EU

• Current Situation

Scenario | Category | # of Countries Affected
1 | No consent required | FIVE countries: France, Netherlands, Portugal, Denmark, and Romania
2 | Do not mention consent at all in their local regulation | EIGHT countries
3 | “Recommend” entities obtain consent | FOUR countries
4 | Pharmaceutical companies must obtain consent from the HCO as well | FIVE countries: Austria, Greece, Hungary, Luxembourg, and Switzerland
5 | Have a local law or code | FOURTEEN countries

Consent requirements are widespread across Europe and different countries have different rules.

Page 20: Do’s and Don’ts of Consent Management in EU

Regulatory Side of Privacy Law in EU

• New Regulation adopted in EU

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

After over four years of discussion, the new EU data protection framework has finally been adopted. It takes the form of a Regulation – the General Data Protection Regulation (GDPR). The GDPR will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. It will not apply until 25 May 2018. However, as it contains some onerous obligations, many of which will take time to prepare for, it will have an immediate impact.

Page 21: Do’s and Don’ts of Consent Management in EU

Regulatory Side of Privacy Law in EU

• New Regulation adopted in EU

“Now that the GDPR has been adopted, the shape of the EU’s future data protection framework is clear and preparations for implementing the new Regulation should begin.” David Smith, legal advisor.

“…a major step towards a Digital Single Market.” Andrus Ansip, Vice President for the digital single market, European Commission

Page 22: Do’s and Don’ts of Consent Management in EU

Regulatory Side of Privacy Law in EU

• New Regulation adopted in EU - Consent

• A data subject’s consent to processing of their personal data must be as easy to withdraw as to give consent.

• Consent must be “explicit” for sensitive data.

• The data controller is required to be able to demonstrate that consent was given.

• Existing consents may still work, but only provided they meet the new conditions.

• There has been much debate around whether consent provides a valid legal ground for processing where there is a significant imbalance between the data subject and data controller. The GDPR states that in assessing whether consent has been freely given, account shall be taken, for example, of whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract.

• The Recitals add that consent is not freely given if the data subject had no genuine and free choice or is unable to withdraw or refuse consent without detriment.

Page 23: Do’s and Don’ts of Consent Management in EU

Regulatory Side of Privacy Law in EU

• New Regulation adopted in EU - Fines

• The GDPR establishes a tiered approach to penalties for breach which enables the DPAs to impose fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR20 million (eg breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent).

• Other specified infringements would attract a fine of up to the higher of 2% of annual worldwide turnover and EUR10m. A list of points to consider when imposing fines (such as the nature, gravity and duration of the infringement) is included.

• The increased fines are certainly attracting the attention of board level executives.

Page 24: Do’s and Don’ts of Consent Management in EU

Regulatory Side of Privacy Law in EU

• New Regulation adopted in Spain

• Farmaindustria’s Assembly gave the green light to the amendment of the Code of Practice, under which all companies adhering to it will inform healthcare professionals that transfers of value made from January 1st 2017 (to be disclosed in 2018) arising from their collaboration in education, scientific-professional meetings and service provision will be disclosed on an individual basis.

How will Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons affect this Code of Practice adopted by Farmaindustria?

Page 25: Do’s and Don’ts of Consent Management in EU

Consent – Best Practice SOPs

As a guideline, the following ten (10) SOPs could help collect physician consent to support the EFPIA transparency directive:

1) Pharmaceutical manufacturer should receive HCP consent before disclosing payment details.

2) Pharmaceutical manufacturer must maintain the documentation on spend data for certain years and retain the corresponding HCP consent records for as long as the spend data is kept.

3) Pharmaceutical manufacturer should offer the HCP the opportunity to easily revoke consent.

4) Pharmaceutical manufacturer should report payment details for those HCPs who consent to payment disclosure.

5) Pharmaceutical manufacturer should report aggregated payments for those HCPs who do NOT consent to payment disclosure.

Page 26: Do’s and Don’ts of Consent Management in EU

Consent – Best Practice SOPs

6. If an HCP revokes his disclosure consent, the pharmaceutical manufacturer must remove the HCP’s payment information from the detailed report and add the payment information to the aggregate report. This change must be made within a reasonable period from the date the HCP revokes his consent.

7. Pharmaceutical manufacturers are encouraged by EFPIA and member organizations to receive HCP consent and report detailed payment disclosures.

8. Digital signature, digital image of paper signature, and electronic recording of consent through a secure system are examples of legally acceptable forms of documentation to record HCP consent.

9. HCPs can offer general consent for disclosure, as long as the extent and the duration of this consent are clearly stated, or the HCP may consent to disclosure of a specific event.

10. Pharmaceutical manufacturer should prepare the appropriate detailed or aggregate report based on the type of the HCP disclosure consent, general or specific; the status of the HCP disclosure consent, approved or revoked; and the duration and extent of the disclosure consent.

Page 27: Do’s and Don’ts of Consent Management in EU

Consent Management in the context of stakeholder focus

Leaders focus on stakeholders, while others focus on reports

Page 28: Do’s and Don’ts of Consent Management in EU

Physician disclosure has been gaining momentum for several years. EFPIA finally issued its transparency directive in 2014, and the first report was published in June of 2016. Now leading pharmaceutical compliance executives are focusing on managing relationships with their key HCPs and HCOs, while others are content with just reporting on their HCPs.

Page 29: Do’s and Don’ts of Consent Management in EU

Seeing physician disclosure from the HCP’s point of view would help clarify why compliance leaders are focusing on the “physician” in physician disclosure.

Jose Garcia, Ophthalmologist

Page 30: Do’s and Don’ts of Consent Management in EU

Physician’s Quandary

Ophthalmology practice

Billing and Collections.

Reading, authoring, speaking, investigating clinical trials.

Page 31: Do’s and Don’ts of Consent Management in EU

Physician’s Quandary

Page 32: Do’s and Don’ts of Consent Management in EU

Physician Transparency Challenge and Pharmaceutical Industry’s role in this partnership

Physician is thinking: Transparency, Patients, Finances, Regulations, Medicines, Clinical Trials and his personal commitments

Progressive Pharmaceutical Manufacturers are looking for ways to streamline HCP interactions

Page 33: Do’s and Don’ts of Consent Management in EU

Solution Blueprint

[Diagram: Consent Management Solution on Cloud Infrastructure. Labels: Celgene Data Source; Receive HCP and Spend Data; Upload HCP Updates and Consent Data; Consent Management Application; Sales Rep taking consent from Physician; Admin using Consent Web Portal; Physician accesses Consent Management Portal using provided credentials; Internet, OR phone, mail, email.]

Page 34: Do’s and Don’ts of Consent Management in EU

Solution Blueprint

• Secure: All communication between the mobile app and server components is done over a secure connection.

• Multilingual: The solution will be available in English and Spanish.

• Interoperable: The mobile application will support the iOS, Android and Windows platforms.

• Encrypted: Customer data is to be stored in encrypted format.

• Offline Functionality: The application will function in both online and offline mode.

• Cloud: The application will be deployed on cloud and will work under a SaaS model.

• Master Data Enrichment: The application will enrich the HCP master list. The new HCP list will be provided through a DB export.