8. Data Management

1 Mins to read

Share
Dark
Light

Article summary

Did you find this summary helpful?

Thank you for your feedback

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest?

The legal framework for data protection is found in Articles 6 and 16 of the Mexican Constitution, as well as in the Federal Law for the Protection of Personal Data Held by Private Parties, published in July 2010, and its Regulations, published in December 2011.

https://www.constituteproject.org/constitution/Mexico_2015.pdf?lang=en

8.2 What are the data locality rules within each jurisdiction?

Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

The transfer of data to other jurisdictions is not restricted.

Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

There is no specific guidance on this matter.

Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

The transfer of data to other jurisdictions is not restricted and there is no specific regulation around the need for secure transfers.

Does data need to be collected in the country? Do the servers need to be in the country?

No. There is no restriction on the location of servers (except for government agencies where the servers must be located within the facilities of that entity).

Are there data storage and transmission requirements (for data transfer out of the country)?

The transfer of data to other jurisdictions is not restricted.

Are there any exceptions made for research to the local privacy regulations?

No, health research data is considered to meet the highest level of personal privacy.

Who is allowed to view data (including the PI) and have access to Personal Identifiable Information (PII)?

The PI is responsible for determining who can view data from the study.

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

CRO software is not considered a clinical device, but it is required to meet the basic requirements of GCP.

Was this article helpful?

What's Next

9. Subject Considerations

Table of contents

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest? 
8.2 What are the data locality rules within each jurisdiction?
8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)