8. Data Management

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest? 

Data collection from clinical trials is governed mostly by Thailand's Personal Data Protection Act (PDPA) 2019. The relevant sections are reproduced below.

Section 26 - Any collection of Personal Data pertaining to racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the Committee, is prohibited, without the explicit consent from the data subject, except where:

  1. it is to prevent or suppress a danger to life, body or health of the Person, where the data subject is incapable of giving consent by whatever reason;
  2. it is carried out in the course of legitimate activities with appropriate safeguards by the foundations, associations or any other not-for-profit bodies with a political, religious, philosophical, or trade union purposes for their members, former members of the bodies, or persons having regular contact with such foundations, associations or not-for-profit bodies in connection with their purposes, without disclosing the Personal Data outside of such foundations, associations or not-for-profit bodies;
  3. it is information that is disclosed to the public with the explicit consent of the data subject;
  4. it is necessary for the establishment, compliance, exercise, or defense of legal claims;
  5. it is necessary for compliance with a law to achieve the purposes with respect to:
    1. preventive medicine or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care, medical treatment, and the management of health or social care systems and services. In the event that it is not for compliance with the law, and such Personal Data is under the responsibility of the occupational or professional practitioner or person having the duty to keep such Personal Data as confidential under the law, it must be for compliance with the contract between the data subject and the medical practitioner.
    2. public interest in public health, such as protecting against cross-border dangerous contagious diseases or epidemics which may be contagious or pestilent, or ensuring standards or quality of medicines, medicinal products, or medical devices, on the basis that there is a provision of suitable and specific measures to safeguard the rights and freedom of the data subject, in particular maintaining the confidentiality of Personal Data in accordance with the duties or professional ethics.

(No. 136 Chapter 69 Gor, Government Gazette, 27 May 2019)

8.2 What are the data locality rules within each jurisdiction? 

  • Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

Yes, data must remain within Thailand.

  • Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

There are no specific guidelines on this topic.

  • Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

There are no specific regulations regarding the use of cloud servers.

  • Does data need to be collected in the country? Do the servers need to be in the country?

Yes, the data needs to be recorded and retained in the country.

  • Are there data storage and transmission requirements (for data transfer out of the country)?

Yes, the data needs to be recorded and retained in the country.

  • Are there any exceptions made for research to the local privacy regulations?

No.

  • Who is allowed to view data (including the PI) and have access to Personally Identifiable Information (PII)?

Access to data should be managed by the sponsor and only granted to those with due reason to view it.

https://insightplus.bakermckenzie.com/bm/data-technology/thailand-new-cross-border-data-transfer-rules-officially-published-as-law

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

Clinical trial software is not considered a clinical device. It is therefore subject to the standard requirements for computer validation, but nothing more.

