
Cross-Border Medical Data Compliance in a New Era of Regulation

Last year saw China’s data security framework take shape, increasing compliance requirements for entities involved in data processing, with the entry into force of the Data Security Law and the Law on the Protection of Personal Information (PIPL), supplemented by the Cybersecurity Act, the Protecting the Security of Critical Information Infrastructure Regulations, the Measures for Assessing the Security of Transferring Data Abroad (Draft for Comments) and Regulations for Cyber Data Security Administration (Draft for Comments).

As a lawyer practicing in the field of medical law, the author will discuss the transfer of medical data from the perspective of Chinese pharmaceutical companies during cross-border approvals of Investigational New Drug Applications (IND) and New Drug Applications (NDA), as well as the latest trends in data security regulation.

Cross-Border Data Transfer

Cross-border transfer of medical data in the IND and NDA processes mainly occurs when applying to overseas drug regulatory authorities for IND and drug clinical trials, and when submitting the NDA to drug regulatory authorities abroad.

Zhou Hanshuo
Jingtian and Gongcheng

When applying for an IND, pharmaceutical companies are typically required to submit preclinical test data (e.g. data from animal pharmacology/toxicology studies), drug ingredient and production information, clinical protocol and investigator information. If clinical drug trials are conducted internationally at multiple sites, the trial data collected and generated at each site should be aggregated for statistical compilation, processing, analysis and monitoring.

If the trial sponsor sets up a unified data processing center overseas, clinical data generated in China must be transferred across the border. In addition, if the electronic data capture (EDC) system deployed on foreign servers is used in the trial, cross-border transfer of domestic clinical data will also be involved.

In NDA applications, it is usually necessary to provide foreign regulatory authorities with information such as: drug production information; non-clinical pharmacological and toxicological data; human pharmacokinetic and bioavailability data generated in clinical trials; microbiological data; clinical data; security update reports; statistical data; case report forms; relevant patents; samples; and packaging and labels.

Is a security assessment required?

From a personal information perspective: Clinical trials of new drugs in China involve the collection and processing of basic information, physiological indicators, test results and other medical and health data from subjects. However, in accordance with the requirements of Chinese Good Clinical Practice, Technical Guidelines for Clinical Trial Data Management and other specifications, clinical protocols and databases have been designed to protect subjects’ personal information, including by replacing subject names with identifiers, which also applies to adverse events and other trial data.

Therefore, test reports and documents contained in IND and NDA applications generally do not include personal information that directly identifies subjects, and the number of subjects involved is relatively limited.

Application materials will also include ordinary personal information, such as names and emails of sponsors, investigators and CRO staff. However, the overall scale is very limited and is unlikely to reach the threshold specified in the security assessment measures mentioned above (i.e. the cumulative transfer of personal information of more than 100 000 people).

For a company engaged in R&D on a new drug, the scale of personal information it processes in China rarely exceeds the threshold of one million subjects. Therefore, unless the parties concerned are identified as operators of critical information infrastructures, it is not necessary to apply for a security assessment for the cross-border transfer of data.

In addition, clinical trial data may also include information about subjects’ human genetic resources. The Biosafety Law and the Regulations on the Administration of Human Genetic Resources provide approval or filing and safeguard requirements for overseas transfer of China’s human genetic resources information under different scenarios.

Subject to the principle that “specialized laws prevail over general laws”, and according to the provision of Article 2 of the Safety Assessment Measures that “if laws and administrative regulations provide otherwise, these provisions shall prevail”, to the knowledge of the author, transfer in such scenarios will be subject to the requirements of the Department of Science and Technology.

From a big data perspective: According to the drafts for comments of security evaluation measures and cyber data security regulations, as long as the data transferred overseas includes important data, it is necessary to declare a security assessment. However, what exactly constitutes important data and how to identify it requires clarification by regional and industry authorities.

Although a national standard (draft for comment) published on the Internet mentions, when describing the characteristics of important data, that “investigational drug data concerning national strategic safety submitted for a new drug application” are important data, it also provides that the categories/characteristics of important data in an industry/area should be defined by regional and sectoral authorities. Therefore, this remains to be clarified and guided by the catalog of important data from the relevant authorities (i.e. National Medical Products Administration and National Health Commission).

Other obligations

According to the new regulations, parties involved in R&D on new medicines are also required to comply with the following obligations regarding the cross-border transfer of data:

  • In addition to disclosing the cross-border transfer of data in trial subject consent forms and obtaining express consent, where the personal information of personnel is involved, those personnel must also be notified of such transfers in writing and their express consent obtained.
  • Establish a self-assessment system within the institution, triage the cross-border data transfer activities involved, perform risk self-assessment in accordance with PIPL, security assessment measures and other requirements, and retain evaluation reports.
  • Update contractual arrangements with foreign partners in the IND, clinical trial and NDA application process (such as foreign institutions in clinical trials, overseas registration agents and overseas technical services), and stipulate their security protection obligations for data received from China.
  • Retain logs and records of cross-border data transfers involved in the relevant scenarios for at least three years.

Zhou Hanshuo is a partner at Jingtian & Gongcheng


Jingtian and Gongcheng

45/Floor, K.Wah Center

1010 Huai Hai Road (M)

Shanghai 200031, China

Tel: +86 21 5404 9930

Fax: +86 21 5404 9931

