8. Data Management
8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest?
Personal Data Protection Act
The Personal Data Protection Act (PDPA) covers the processing of personal data, whether written or electronic, of trial subjects. The investigator should comply with:
- Obtaining the subjects’ consent for their personal data to be processed.
- Using personal data only for the purposes set out in the protocol and the information and consent form.
- Ensuring that personal data are relevant to the trial, accurate, not excessive, and kept for no longer than necessary.
- Keeping paper and electronic documents in lockable offices, archives, or storage cabinets, and allowing access only to authorized people.
- Ensuring that personal data stored on computers are secure so that only authorized people can change or delete them.
- Telling subjects in the information and consent form that they may see information about themselves on request.
- Entering details in a national register, when available.
8.2 What are the data locality rules within each jurisdiction?
- Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?
The PDPA prohibits the transfer of personal data out of Malaysia unless such transfer is to a country that has been specified and recorded in the Official Gazette by the Minister. Currently, no countries have been officially specified.
- Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?
There are no specific regulations on this matter.
- Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?
There is no specific regulation on this matter.
- Does data need to be collected in the country? Do the servers need to be in the country?
There is no specific regulation on this matter.
- Are there data storage and transmission requirements (for data transfer out of the country)?
Yes. Transfer of personal data outside of Malaysia is only permitted where there is a legal basis for the transfer. Such reasons may include:
- The data user has reasonable grounds for believing that in all circumstances of the case:
  - The transfer is for the avoidance or mitigation of adverse action against the data subject,
  - It is not practicable to obtain the consent in writing of the data subject to that transfer, and
  - If it was practicable to obtain such consent, the data subject would have given his consent.
- The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of the PDPA.
- The transfer is necessary in order to protect the vital interests of the data subject.
- The transfer is necessary for the public interest.
- Are there any exceptions made for research to the local privacy regulations?
No. Clinical trials must comply with the Personal Data Protection Act (PDPA), which covers the processing of personal data, whether written or electronic, of trial subjects. The investigator should comply with:
- Obtaining the subjects’ consent for their personal data to be processed.
- Using personal data only for the purposes set out in the protocol and the information and consent form.
- Ensuring that personal data are relevant to the trial, accurate, not excessive, and kept for no longer than necessary.
- Keeping paper and electronic documents in lockable offices, archives, or storage cabinets, and allowing access only to authorized people.
- Ensuring that personal data stored on computers are secure so that only authorized people can change or delete them.
- Telling subjects in the information and consent form that they may see information about themselves on request.
- Entering details in a national register, when available.
- Who is allowed to view data (including the PI) and have access to Personally Identifiable Information (PII)?
The PI must authorize all access to patient data.
8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)
Malaysia generally follows the ICH guidelines for GCP. Clinical trial software is NOT considered a clinical device.