8. Data Management

8.1 What data privacy and/or technology regulations need to be complied with in order to run a trial in the countries of interest? 

The PRC Personal Information Protection Law (PIPL) (A full translation)

https://www.china-briefing.com/news/the-prc-personal-information-protection-law-final-a-full-translation/

8.2 What are the data locality rules within each jurisdiction?  

• Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

Per the regulations, in order to send personal information outside of China, the sponsor must meet one (1) of the following conditions:

• Pass the security assessment organized by the national cybersecurity and informatization department.
• Conduct personal information protection certification by professional institutions in accordance with the requirements of the Cyberspace Administration of China.
• Enter into a contract with the overseas recipient in accordance with the standard contract formulated by the Cyberspace Administration stipulating the rights and obligations of both parties.
• Other conditions stipulated by laws, administrative regulations, or national cyberspace administration departments.
• Where China’s international treaties and agreements permit providing personal information to foreign recipients.

The sponsor must inform the participant of the name of the foreign recipient, contact information, processing purpose, processing method, and types of personal information. In addition, the foreign sponsor must appoint a representative located in China to be responsible for matters related to personal information protection and report the representative’s contact information to the data protection regulators—the Cyberspace Administration.

• Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

There are no specific guidelines around this.

• Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

Data should typically remain within China.

• Does data need to be collected in the country? Do the servers need to be in the country?

Yes, typically data needs to be hosted within China.

• Are there data storage and transmission requirements (for data transfer out of the country)?

Yes, as above.

• Are there any exceptions made for research to the local privacy regulations?

No.

• Who is allowed to view data (including the PI) and have access to Personal Identifiable Information (PII)?

The sponsor should select qualified personnel to supervise data processing, data verification, statistical analysis, and the writing of trial summary reports. Access to the data can only be granted by the PI.

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

There is no specific standard that defines the verification/validation requirements. Sponsors must use an electronic data management system that passes reliable system verification and meets the pre-set technical performance to ensure the integrity, accuracy, and reliability of the test data, and to ensure that the system is always valid for verification during the entire test process.