• Manoj Swaminathan

Source Documents, Data Privacy and Data Migration

Updated: Jul 25

Gone are the days when companies had complete access to all source documents (electronic and non-electronic) following any kind of M&A. One should not be surprised if the migrated data lacks even basic information such as the name of the patient. It is understandable to be concerned about whether this will be acceptable during an inspection, when someone is evaluating the completeness of data.

The General Data Protection Regulation (GDPR) became effective in May 2018, in the European Union.


Ever since then, companies engaged in Pharmacovigilance services, and also the companies engaged in safety databases, have started taking measures to ensure that their processes and policies are GDPR compliant. Any non-compliance may have serious implications, both reputational and financial.


Art. 5 of the GDPR pertains to 'Principles relating to the processing of personal data', and states the following:


"Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to the implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."


Based on this, companies need to redefine the way in which Pharmacovigilance case processing is managed. This may include updates to the case processing guidelines or even customization of the safety database.


Coming back to data migration, it is quite likely that companies gain access to complete legacy information during complete acquisitions or mergers. However, this may be challenging in scenarios such as product(s) acquisition. In such scenarios, it may be best to ensure a robust strategy for data migration, and also to have proper agreements in place to ensure that the other company provides access as and when required during inspections or legal issues necessitating the required information.


Needless to say, this agreement should also state that the company should not discard or permanently delete the data, whether held as hard or soft copies. This should continue for as long as the product remains authorized (for the acquiring MAH), and for at least 10 years after the marketing authorization ceases to exist, as mentioned in GVP Module VI. However, the documents would need to be retained for a longer period where Union law or national law so requires.