Ensuring Data Privacy in Pharma World

Nishi Sharma, Associate Vice President (Digital Governance), Alpha MD

In light of the Digital Personal Data Protection (DPDP) Rules 2025, Nishi Sharma, Associate Vice President (Digital Governance), Alpha MD, shares her insights with India Pharma Outlook to equip Clinical Research Organizations (CROs) and pharma companies with the knowledge and tools needed for seamless compliance. The company has introduced its data protection service, OIDPM (ORCHA INDIA DATA PROTECTION MARK), an assessment framework tailored to simplify the complexities of data protection and strengthen adherence to the DPDP Rules.

The Digital Personal Data Protection Act received the assent of the President on 11th August 2023. The Act provides for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such data for lawful purposes. After 16 months, on 3rd January 2025, the Ministry of Electronics and Information Technology published the draft Digital Personal Data Protection Rules 2025. The draft Rules were published for public opinion and comments, and the deadline has now been extended to 5th March 2025.

Setting the necessary context for the clinical and real-world studies industry: the DPDP Rules apply to the processing of all personal data within India, whether collected in digital form or collected in non-digital form and digitized subsequently. They also apply to the processing of digital personal data outside the territory of India if it relates to offering goods or services to Data Principals (the individuals to whom the personal data relates) within India.

The provisions of the DPDP Rules revolve around various operational requirements such as data security, consent management, exemptions for the data of children and persons with disability, retention and erasure, and the constitution of the Data Protection Board of India, which will be responsible for implementing the provisions of the DPDP Act.

The Indian pharmaceutical industry is currently ranked third in pharmaceutical production by volume and is estimated to touch $1.30 billion in value by the end of 2030. One of the key factors contributing to India’s success in the pharmaceutical sector is its strong contract research organizations. Pharma companies collaborate with Clinical Research Organizations to outsource end-to-end management of their clinical and real-world studies.

The success of clinical trials depends heavily on the way data is collected, managed, cleaned and analyzed. In addition to ALCOA, data privacy has become indispensable in the current realm. Hence, compliance with HIPAA, GDPR, the Privacy Rule and all laws regarding data protection and patient confidentiality becomes the most important factor when sponsors select CROs for their studies.

Data protection assessment services are essential for ensuring the security and integrity of sensitive patient data.

Key Features Of DPDP Rules 2025

Notice & Consent Requirements (Rule 3)

The DPDP Rules establish that a ‘notice’ must be given by pharma companies (acting as Significant Data Fiduciaries) to clinical and real-world study subjects before obtaining their consent for such studies.

a. Notices should be understandable and given in clear and plain language.

b. Notices should include an itemized description of the personal data collected, with its purpose, and an itemized description of the goods and services provided.

c. Notices must provide a communication link for accessing the pharma company's website, through which the clinical and real-world study subject may:

i. Withdraw their consent with the same ease as consent was given.

ii. Exercise their rights under the Act.

iii. Make a complaint to the Board.

Registrations And Obligations Of Consent Manager (Rule 4)

The DPDP Rules introduce the concept of consent managers to ensure that the consent of clinical and real-world study subjects is valid, informed and revocable at any time. Consent managers must be registered with the Data Protection Board and maintain records of consents.

Important obligations of consent managers:

• Required to be data-blind

• Avoid any conflict of interest with clinical and real-world study sponsors

• Must be Indian-incorporated companies

• Must disclose key information about their company

• Must implement effective audit mechanisms

Data Processing (Rule 5)

The clinical and real-world study sponsor must define data retention policies that align with the purpose of collection.

Security Safeguards (Rule 6)

During CRO selection, the clinical and real-world study sponsor must ensure that the CRO has implemented reasonable security safeguards to protect trial subject data, which shall include at a minimum:

• Encryption: Securing personal data through encryption, obfuscation, masking, or virtual tokens mapped to personal data.

• Access control: Appropriate measures to control access to the computer resources used by the CRO or the clinical and real-world study sponsor.

• Data logs: Monitoring and reviewing of data logs to detect unauthorized access. Such logs should be retained for a period of one year.

• Confidentiality: Reasonable measures to enable continued processing in the event of a loss of confidentiality, including backups to preserve data in the event of its loss.

• Contractual Provisions: The Act requires clinical and real-world study sponsors to enter into a contract with CROs requiring them to take reasonable security safeguards to prevent data breaches.

• Observance: Technical and organizational measures to ensure effective observance of the security safeguards.
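As an added illustration of the "virtual tokens mapped to personal data" safeguard listed above (example code written for this article, not code from Alpha MD, the OIDPM framework or the Rules themselves), the following Python keeps the token-to-identity mapping in a sponsor-held vault so that the dataset handed to a CRO is data-blind. Field names, the sample records and the vault design are assumptions.

```python
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("name", "phone", "aadhaar")  # fields replaced by a token


class TokenVault:
    """Only place a virtual token maps back to personal data; the sponsor keeps it."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # per-study secret
        self._subjects = {}                           # token -> identifiers

    def _token(self, subject_id):
        # Keyed hash: without the vault key a token cannot be recomputed from
        # a guessed subject id (a plain SHA-256 of the id could be).
        mac = hmac.new(self._key, subject_id.encode(), hashlib.sha256)
        return "tok_" + mac.hexdigest()[:16]

    def pseudonymise(self, record):
        """Return a data-blind copy of record; identifiers go into the vault."""
        token = self._token(record["subject_id"])
        self._subjects[token] = {f: record[f] for f in DIRECT_IDENTIFIERS if f in record}
        shared = {k: v for k, v in record.items()
                  if k not in DIRECT_IDENTIFIERS and k != "subject_id"}
        shared["subject_token"] = token
        return shared

    def reidentify(self, token):
        # Sponsor-only lookup, e.g. to notify a subject after a breach (Rule 7).
        return self._subjects.get(token)


def leaks_direct_identifiers(dataset, originals):
    """Release check: does any outgoing value equal a raw identifier?"""
    raw = {str(r[f]) for r in originals for f in DIRECT_IDENTIFIERS if f in r}
    return any(str(v) in raw for rec in dataset for v in rec.values())


SAMPLE_RECORDS = [  # constructed sample data, not real subjects
    {"subject_id": "S-001", "name": "A. Rao", "phone": "9800000001",
     "aadhaar": "1111-2222-3333", "site": "Pune", "hba1c": 7.1},
    {"subject_id": "S-002", "name": "B. Iyer", "phone": "9800000002",
     "site": "Delhi", "hba1c": 6.4},
]


def build_analysis_dataset(records=SAMPLE_RECORDS):
    """Pseudonymise records; returns (vault kept by sponsor, dataset for CRO)."""
    vault = TokenVault()
    return vault, [vault.pseudonymise(r) for r in records]
```

Because the token is keyed per study, the same subject gets the same token across visits (records stay joinable) while the CRO cannot derive it from a subject id.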

Intimation Of Personal Data Breach (Rule 7)

Notification to trial subjects:

In the event of a personal data breach, the clinical and real-world study sponsor is required to notify the affected trial subjects without delay, through their user account or registered mode of communication.

Notification to the Board: The clinical and real-world study sponsor shall intimate the Board of the breach as follows:

a) Without delay, a description of the breach (its nature, extent, timing and location, and the likely impact).

b) Within 72 hours of becoming aware of the breach, or a longer period if allowed, it must provide the Board with:

i) updated and detailed information

ii) measures implemented to mitigate risk and prevent recurrence

iii) findings regarding the person who caused the breach, and

iv) the intimations given to affected Data Principals.

Contact Information Of Person To Answer Questions About Processing (Rule 9)

The clinical and real-world study sponsor shall publish on its website or app, and mention in every response, the business contact information of the Data Protection Officer who is able to answer, on behalf of the sponsor, trial subjects' questions about the processing of their personal data.

Undertake Data Protection Impact Assessment And Audit Once In 12 Months (Rule 10)

The clinical trial sponsor shall, once in every 12 months from the date on which it is notified or included in the class of Data Fiduciary, undertake a Data Protection Impact Assessment and an audit to ensure observance of the Act. This must be followed by a report, furnished by the person carrying out the assessment and audit, containing the significant observations from the Data Protection Impact Assessment and audit.

© 2025 India Pharma Outlook. All Rights Reserved.