8. Data Management

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest? 

The Data Privacy Act needs to be complied with.

Further to this, according to the National Administration of Drugs, Foods and Medical Devices Regulation 6677/10, the following data record-keeping regulations must be complied with:

CLINICAL DATA RECORD-KEEPING 

The sponsor shall set out the proper procedures for obtaining and recording participants' clinical data, including the encoding system that will enable the preservation of their identity confidentiality.

The investigator shall be responsible for the reliability, legibility, consistency, and opportuneness of clinical data records both in medical records (source documents) and clinical data forms (CDF). 

Both participants' clinical data and the description of procedures related to them, for example, the obtainment of the informed consent, pre-study evaluation, inclusion in the study, randomized assignment result, instructions for using the investigational product, treatment initiation and termination, control of product delivery and return, as well as the information provided to the participant, shall be documented in the same format as are the medical notes used for the rest of the patients receiving medical care at the center.

The investigator shall be responsible for preserving the confidentiality of every participant's identity. No data on the participant's identity shall be contained in any document transmitted, reported, or taken away from the host institution.

The changes or corrections of any of the study records shall not conceal or delete the original datum. Corrections shall be dated and signed with their author’s initials. 

In the case of using electronic direct data transmission automated devices to perform study-related exams such as an electrocardiogram and a spirometry, an identifiable printed source document of the process shall be obtained and filed in the medical record. 

In the case of using an electronic format for clinical data record-keeping and transmission, the system used shall comply with integrity, accuracy, reliability, confidentiality, and consistency requirements. 

Electronic record-keeping systems shall enable: 

  1. The recording of all the editions of individual data, including the author and the edition date, without eliminating the original data.
  2. Restricted access to enter or edit data.
  3. The obtainment of a data backup copy.
  4. The protection of the treatment blind during data entry and processing, if appropriate.

The sponsor shall use an SOP to manage electronic systems and a list of the persons authorized to discharge such function. 

The study's final results must always be related to the study's clinical data, even when the variables were transformed at processing.

8.2 What are the data locality rules within each jurisdiction?

  • Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

Data can be transmitted out of the country but only to countries that meet the defined criteria.

  • Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

The CRO has to honor the destination country’s rules. However, as stated below, there are special regulations regarding countries that do not have adequate privacy regulations.

  • Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

  1. The transfer of any type of personal information to countries or international or supranational entities that do not provide adequate levels of protection is prohibited.
  2. The prohibition shall not apply in the following circumstances:
    1. International judicial cooperation.
    2. Exchange of medical information when so required for the treatment of the party affected, or in case of an epidemiological survey, provided that it is conducted in pursuance of the terms of Paragraph e) of the foregoing Section.
    3. Stock exchange or banking transfers, to the extent thereof, and in pursuance of the applicable laws.
    4. When the transfer is arranged within the framework of international treaties to which the Argentine Republic is a signatory.
    5. When the transfer is made for international cooperation purposes between intelligence agencies in the fight against organized crime, terrorism, and drug trafficking.

The Argentine Data Protection Regulations (ADPR) also consider that: 

  • Sharing personal information with companies in the same group is the same as sharing information with independent third parties.
  • Cloud storage is considered an international transfer of data (under Provision 18/2015 of the AAPI).

  • Does data need to be collected in the country? Do the servers need to be in the country?

No, data may be stored outside of the country. However, when this includes personal data, a copy should also be retained in the local jurisdiction.

  • Are there data storage and transmission requirements (for data transfer out of the country)?

The Data Protection (DP) Law prohibits the transfer of personal data to countries that do not have an adequate level of protection. Under the Argentine Data Protection Regulations (ADPR), this prohibition does not apply when:

  1. The data subject has expressly consented to the transfer.
  2. Data is exported for outsourcing purposes, through an international transfer agreement between the transferor and the transferee under which the transferee undertakes to comply with the ADPR, among other obligations.
  3. The transfer is among companies of the same economic group, which have executed binding corporate rules with the minimum content required by the AAPI or approved by it.

In view of the above, where data is transferred abroad for outsourcing purposes, data subject consent is not necessary. However, an International Data Transfer Agreement (IDTA) is necessary to transfer data to countries that do not have an adequate level of protection.

  • Are there any exceptions made for research to the local privacy regulations?

The information provided in these sections is all relevant to research and medical trials.

  • Who is allowed to view data (including the PI) and have access to Personally Identifiable Information (PII)?

The ethics committee determines who has access to the data.

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

In Argentina, CRO software systems are not required to meet GCP/GLP.

