8. Data Management

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest? 

The Act on the Protection of Personal Information (APPI) regulates privacy protection issues in Japan. 

All health information relating to the conduct of a clinical trial must be handled in accordance with the Act. 

8.2 What are the data locality rules within each jurisdiction?

  • Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

There are no statutory requirements for data localization or data residency. However, some sectoral guidelines (e.g., healthcare/medical sector) have rules on data localization.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

☒ approved adequate/whitelisted jurisdictions

☒ to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and security authority

☒ approved standard contractual clauses

binding corporate rules

☒ derogations, such as consent, contract performance, necessity to establish, exercise, or defend legal claims

☒ other solutions

☒ indicates the data for which transfers to third-party countries are allowed

Taking adequate precautionary measures for the protection of Personal Data, as specified by the PPC, is one of the legal bases for cross-border data transfers. This includes executing a data transfer agreement or an internal rule that provides obligations equivalent to those provided under the APPI. In addition, under the amended APPI that will become effective from April 1, 2022, information concerning the data protection regime of the country where the data recipient is located must be disclosed to the data subjects when the cross-border transfer is made based on consent. If the cross-border transfer is made based on executing a data transfer agreement, information concerning the data transfer agreement must be disclosed upon request of the data subject.

  • Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

There are no specific guidelines on this matter.

  • Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

There are no specific laws relating to cloud computing. 

  • Does data need to be collected in the country? Do the servers need to be in the country? 

See previous responses under Section 8.2 above.

  • Are there data storage and transmission requirements (for data transfer out of the country)?

See previous responses under Section 8.2 above. 

  • Are there any exceptions made for research to the local privacy regulations?

No, data from human research is considered amongst the highest level of sensitivity. 

  • Who is allowed to view data (including the PI) and have access to Personally Identifiable Information (PII)?

Data should be held securely, with permission to access the data granted only by the PI.

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

A method of using an electronic data processing system of either (a) or (b): 

(a) A method where the information is transmitted from a computer used by the person who intends to sponsor a clinical trial to a computer used by the head of the medical institution via a telecommunication line connecting the computers and the information is recorded in a file on the computer used by the recipient. 

(b) A method where the information stipulated in the preceding paragraph that is recorded in a file on a computer used by the person who intends to sponsor a clinical trial is made available for access by the head of the medical institution, and the information as stipulated in the preceding paragraph is recorded in a file on the computer used by the head of the medical institution (if the head of the medical institution notifies the person who intends to sponsor a clinical trial of the decision on whether or not to accept the transmission of documents by electromagnetic means, then including the method of recording the notification in a file on the computer used by the person who intends to sponsor a clinical trial).

https://www.pmda.go.jp/files/000152996.pdf

