EudraVigilance: security principles and responsibilities
The EudraVigilance system contains multiple components using a range of technologies. While the European Medicines Agency (EMA) has put in place adequate measures to prevent, detect and address any potential security incidents, including personal data breaches, all authorised users need to cooperate in ensuring the security of EudraVigilance, in line with their legal obligations.
A large number of authorised stakeholders interact with the various components of EudraVigilance for the electronic reporting of suspected adverse reactions and signal management, including medicines regulatory authorities, marketing authorisation holders and sponsors of clinical trials. These stakeholders access data in EudraVigilance in accordance with the EudraVigilance access policy.
The security and confidentiality principles that stakeholders using EudraVigilance need to comply with are listed here:
- protecting confidentiality of individual case safety reports (ICSRs) and the rights of the data subjects, in accordance with the applicable laws on the protection of individuals with regard to the processing of personal data;
- providing transparent information in their data protection notices on their pharmacovigilance and clinical trials activities regarding the flow of data to EudraVigilance;
- implementing appropriate technical and organisational measures to protect information and personal data against unauthorised or unlawful access, disclosure, dissemination, alteration, destruction or accidental loss;
- notifying the Agency immediately of any security incident, including personal data breaches, that results in any of the events listed above in relation to personal data transmitted to, stored in or otherwise generated from EudraVigilance.
In line with the EU ICSR implementation guide, each party should implement and maintain security procedures and measures to protect safety and acknowledgement messages against the risks of unauthorised access, disclosure, alteration, delay, destruction or loss. They need to ensure the verification of integrity, the non-repudiation of origin and receipt, and the confidentiality of these messages.
Parties and users should also safeguard electronic data from tampering or unauthorised disclosure in accordance with the appropriate data protection legislation. This protection must extend beyond transactions to any files or databases that contain information conveyed via electronic data interchange.
Parties should also promote 'security awareness' within the organisation against the risk of social engineering and 'spear phishing', by educating and instructing users on recognising malicious emails and sites that are not filtered by organisational technical controls.
Parties must also maintain the confidentiality of passwords and other codes used for accessing this information. If an intermediary performs any services in respect of such confidential information, these should be subject to equivalent security measures.