8. Data Management

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest? 

Data protection is governed in Korea by the Personal Information Protection Act (General Law) as well as the Act on Promotion of Information and Communications Network Utilization and Information.

8.2 What are the data locality rules within each jurisdiction? 

  • Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

Yes, data localization laws mean that the data should remain in the local jurisdiction.

  • Who is responsible for complying with international regulations if a participant travels between geographies (e.g., for vacation)? Does the CRO have to honor the destination country’s rules?

There is no specific guidance on this matter.

  • Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

The regulations state the following:

The term "third country" is not defined in the Personal Information Protection Act or any other applicable laws and regulations. Any country other than the Republic of Korea is referred to as a "foreign country," so any country other than the Republic of Korea is a third country.

a)  Transfers of personal data to third countries are permissible only if there is a legal basis for the processing/transfer and one of the following applies:

  • Approved adequate/whitelisted jurisdictions 
  • To holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and security authority 
  • Approved standard contractual clauses 
  • Binding corporate rules 
  • Derogations, such as consent, contract performance, the necessity to establish, exercise, or defend legal claims 
  • Other solutions

There is no distinction between the transfer of personal data to third parties and the transfer of personal data to third countries, other than the following: when an information and communications service provider obtains consent, the relevant third countries, time of transfer, and method of transfer also need to be notified to the data subject.

  • Does data need to be collected in the country? Do the servers need to be in the country?

In 2015, the South Korean government enacted the Act on Promotion of Cloud Computing and Protection of Users which “require data localization as cloud computing networks serving public agencies have to be physically separate from networks serving the general public.” Networks supporting government agencies must be located in Korea, whereas those supporting general businesses do not.  

  • Are there data storage and transmission requirements (data transfer out of the country)?

See above.

  • Are there any exceptions made for research to the local privacy regulations?

No, human research data is considered “sensitive information” and is treated with the highest level of privacy regulations.

  • Who is allowed to view data (including the PI) and have access to PII?

According to the Korean GCP guidelines, access to data should be limited and controlled by the PI.  

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

There is no specific guidance around this.
