Decision in case 1252/2014/JAS on the European Medicines Agency’s refusal to grant access to EudraVigilance
Case 1252/2014/JAS - Opened on Thursday, 04 September 2014 - Decision on Monday, 05 December 2016 - Institution concerned: European Medicines Agency (No maladministration found)
The decision of the Ombudsman concerned the difficult issue of how to balance the need for transparency with the need to protect personal data. The complaint concerned a refusal by the European Medicines Agency (EMA) to grant the complainant, a journalist with The New York Times, public access to an EMA database containing information on the side effects of medicines (the database is known as ‘EudraVigilance’).
The Ombudsman first recognised that EMA has already made public significant information from EudraVigilance (it publishes aggregated data derived from EudraVigilance). Regarding whether broader access can be granted, the Ombudsman noted that EudraVigilance contains vast amounts of highly sensitive medical data listed on a patient-by-patient basis. It is not a simple task to anonymise that detailed medical data. EudraVigilance is also a huge database, containing more than 10 million separate data entries. The Ombudsman considered that examining whether it can effectively anonymise the entire contents of the EudraVigilance database would require the use of vast resources by EMA. In this context, the Ombudsman found that there was no maladministration by EMA when it refused to grant access to the entire database.
However, the Ombudsman noted, should the complainant or another person make a new request for public access to adverse reaction reports contained in EudraVigilance on a specific medicine or substance, EMA should take into account the specific context of the request when evaluating if it can effectively anonymise the data falling under that request.
The background to the complaint
1. The complaint concerns the refusal by the European Medicines Agency (EMA) to grant the complainant, a journalist working with The New York Times, public access to the so-called ‘EudraVigilance’ database, which is a database containing information on adverse reactions to medicines (the information in that database is used to analyse and verify that medicines that are on the market in the EU are safe). Originally the complaint also concerned the refusal by EMA to grant the complainant access to all declarations of interests submitted to EMA by its staff.
2. EMA informed the complainant that it had already made public much of the requested information. It refused to give him access to any information that had not already been made public. The complainant then wrote back to EMA asking it to provide reasons for its refusal to grant him full access to the EudraVigilance database and the declarations of interest of all EMA staff.
3. In its reply, EMA confirmed that granting such public access would be contrary to the rules on the protection of personal data and privacy.
4. The complainant then turned to the Ombudsman. Concerning EMA’s argument that giving full public access would undermine the protection of privacy, he insisted that privacy could be easily safeguarded by not giving access to any data fields containing sensitive information. He argued that there was no legal basis for withholding access to an entire database. Concerning the public interest in obtaining access, the complainant stated that if public access was granted, interested parties could use automated means to analyse the data and could identify possible patterns in the data (the journalist had carried out ground-breaking work using these methods in other areas). In this way, he argued, interested parties could discover patterns in the data which the EMA itself had not even looked for.
5. The Ombudsman opened an inquiry into the complaint and identified the following allegation:
EMA wrongfully refused public access to the entire EudraVigilance database.
6. In the course of the inquiry, the Ombudsman received the reply of EMA on the complaint and, subsequently, the comments of the complainant in response to EMA’s reply. In conducting the inquiry, the Ombudsman has taken into account the arguments and opinions put forward by the parties.
Allegation of wrongful refusal to give public access to the EudraVigilance database
Arguments presented to the Ombudsman
7. In its opinion, EMA stated that Regulation 726/2004 (the ‘EMA Regulation’) provided that only EMA, the EU Member States and the Commission enjoy full access to the EudraVigilance database. EMA noted that the Regulation stated that healthcare professionals and the public would have “appropriate levels of access” to the database, subject to data protection rules. EMA added that it was working together with all relevant stakeholders to define the “appropriate level of access”.
8. In EMA’s view, the wording of the EMA Regulation suggested that the EU legislature had not intended to grant public access to all data contained in the EudraVigilance database. EMA added that it had fully complied with its legal obligations by adopting, in 2011, the EudraVigilance Access Policy (a revised version, taking into account recommendations by the Ombudsman, was published in 2015). EMA added that the public already had access to a wealth of data contained in EudraVigilance through a dedicated website.
9. By applying rigorous criteria for the aggregation of sensitive information, EMA considered that it complied with the EU’s rules on data protection. EMA considered that it could legitimately invoke the need to protect personal data when denying access to those parts of EudraVigilance the disclosure of which would put at risk the privacy and confidentiality of health data of individuals.
10. Finally, EMA stated that the information in the database that it had already made publicly available provided interested individuals with comprehensive and understandable information concerning the safety of each medicinal product or active substance.
11. In his observations, the complainant repeated his position that the information contained in EudraVigilance should not be kept from the public. He argued that EMA should provide him with access to a redacted version of the database free from any personal data.
The Ombudsman's assessment
12. The key issue at stake in the present case is important and difficult. It is: how should a public authority such as EMA deal with requests for public access to data on the safety of medicines in those cases where that very data may constitute “personal data” of patients?
13. By way of general background, the Ombudsman notes that EMA’s work can be divided into two main areas.
14. First, EMA assesses the safety and efficacy of medicines before they can be placed on the market in the EU. If EMA considers that the medicine is safe and effective for the purpose of treating a specified illness, EMA issues a report which allows the European Commission to authorise the product for use regarding that illness. Clinical Study Reports submitted by the pharmaceutical company seeking marketing authorisations normally contain aggregated patient data. Exceptionally, Clinical Study Reports may sometimes contain limited information relating to individual patients, for example, in case narratives or tables of patient characteristics. EMA has published detailed guidance to the pharmaceutical industry regarding how best to aggregate and anonymise that patient data. The pharmaceutical industry is thus required also to submit clinical reports that have been rendered anonymous so as to allow for publication. The anonymised clinical reports are essentially stripped of sufficient elements such that the patients can no longer be identified by using “all the means likely to be reasonably used”.
15. Second, EMA monitors the safety of medicines that are already on the market in the EU. This process of “pharmacovigilance” aims to prevent, detect and assess adverse effects to medicinal products. Since many more patients will take a medicine once it is on the market, compared to the period when it is being tested for authorisation purposes, pharmacovigilance is extremely important. Indeed, the Regulation creating EudraVigilance—the EU’s pharmacovigilance database—emphasises that the safety of a medicinal product can only be fully assessed after it is placed on the market. Unlike the data presented in Clinical Study Reports, which is often aggregated data, the data in EudraVigilance is reported on a patient-by-patient basis (EudraVigilance contains ‘Individual Case Safety Reports’ (ICSRs), which describe individual suspected adverse reactions to a medicinal product that occur in a single patient at a specific point in time). It is also necessary to note that the data in EudraVigilance comes from various sources, namely the marketing authorisation holders, the sponsors of clinical trials and Member State authorities.
16. EMA should of course analyse carefully all the data it receives in the context of market authorisation procedures and in the context of pharmacovigilance. However, obviously, the more analysis, by different parties, of the data collected by EMA, the greater will be the likelihood that relevant information relating to the safety and efficacy of medicines will be revealed. If this were to occur, society and above all patients will benefit.
17. EMA is already aware that access to data from electronic health records has the potential to change the way medicines are monitored. In its own Consultation Draft for the EU Medicines Agencies Network Strategy to 2020, EMA notes that databases such as EudraVigilance have the potential to analyse safety issues and provide information about adverse effects much more quickly, allowing regulators and doctors to take appropriate action at an earlier stage.
18. Thus, there is consensus that broad public access to more information in EudraVigilance could contribute to the main goal of EU pharmacovigilance, which is safeguarding public health.
19. EMA currently makes publicly available aggregated data from EudraVigilance. It issues reports that use aggregated data broken down by adverse reaction, age group, sex, reporter group and geographic origin. For example, a web report would show how many male patients between the ages of 65 and 85 suffered from anxiety as an adverse reaction to a given medicine. The Ombudsman strongly commends EMA for making this aggregated data proactively available to the public.
20. The complainant wishes, however, to have access to the non-aggregated data.
21. The Ombudsman is very aware of the extreme sensitivity of non-aggregated data in EudraVigilance. If any personal data in ICSRs were disclosed, either directly or indirectly, this would give rise to a very serious breach of the privacy of the patients concerned.
22. The first key question is, thus: can the data in EudraVigilance be anonymised so that it is not possible for the person seeking access, or anyone else, to identify to whom that data relates, if that data is made public? At the same time, it is important not to go further than is in fact necessary. In that context, the additional question arises: how does EMA find the best balance between the need to anonymise data in EudraVigilance and the need to maximise access to scientifically useful information on medicinal products for the benefit of the public?
23. As a first point, the EU data protection rules do not, when seeking to determine if granting public access would lead to “personal data” being released, focus only on the intentions of and the means and methods available to the specific persons seeking access to the data. The rules require that if there are any “means likely to be reasonably used” by “any other person” to link the requested data to identifiable persons (in this case, the patients), then the requested data becomes protected “personal data”. Moreover, that personal data falls under Article 10 of Regulation 45/2001, which states that the “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life, are prohibited”. Once data falling within these specific highly protected categories are deemed to constitute personal data, its processing, which includes its transfer to a third party, becomes subject to extremely strict exceptions, such as where the data subject has given his or her express consent to the processing of his or her personal data; or where the data subject is not physically or legally capable of giving his or her consent but the processing is necessary to protect the vital interests of the data subject or of another person; or where the processing relates to data which are manifestly made public by the data subject; or where the personal data are processed by a health professional subject to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy and the processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services; or where, subject to the provision of appropriate safeguards, and for reasons of substantial public interest, additional exemptions are laid down through EU law by decisions of the European Data Protection Supervisor. None of these strict exceptions apply to the present case. The key question that then arises for this inquiry is: are there means likely to be reasonably used, by any person (or entity), to identify the patients to whom the data in EudraVigilance relates? If that were the case, the “personal data” cannot be released.
24. Each adverse reaction report in EudraVigilance is assigned a code number (the patient’s name is never included in EudraVigilance). It would of course be possible to redact the codes, so as to ensure that the data cannot be linked directly back to the data subject by someone who has access to the original code. However, even if this were done, it may not suffice to ensure that the data in EudraVigilance is effectively anonymised. Advances in computing power and the availability of huge amounts of data on the internet regarding individuals (such as data on social media platforms) may now make it technically possible, at least for some persons or companies with access to these technical means, to link what appears to be anonymised data from EudraVigilance to at least some identifiable persons. This process is often referred to as “data crunching”. While it is certainly the case that the complainant has expressed no wish to use these technical means to identify patients (he wishes to use the data for a laudable purpose), it cannot be overlooked that if this data is made publicly accessible, similar crunching of data could be undertaken by any other person or entity. It is clear that such technical means of “crunching” data, and potentially linking it to persons, will only become more effective in time. In this context, and especially taking into account that the personal data at issue is sensitive medical information, the Ombudsman considers that a very prudent approach to the anonymisation of this type of data is appropriate. Such a prudent approach may not only be required by law, it may also be justified by common sense and the duty of care.
25. The Ombudsman does not take the view that effective anonymisation will never be possible. However, she is of the opinion that evaluating the adequacy of any specific anonymisation measures depends on the specific context.
26. Some medicines and active substances are widely used by tens of millions of people. It may be the case, in a very large patient group, that patient data from EudraVigilance cannot be linked back to a given patient in the same way that aggregated data cannot be linked back to a given patient. This will be the case where the patient group is so large that there are no unique patient data sets within that group, that is, where the group is so large that there are always several identical data sets. In other cases, very limited aggregation may be sufficient to ensure that the patient data cannot be linked back to an identified patient.
27. It is inherently different, however, as regards medicines used for treating rare conditions or as regards rare or low-frequency adverse reactions to a widely used medicine. A standard method of anonymisation may not serve, in such circumstances, to ensure that the person remains non-identifiable. It may, for example, be necessary always to aggregate data on adverse reactions to medicines used to treat rare diseases to ensure that no data can be linked to a given person. In certain circumstances, for example when the medicine is used to treat a very limited number of people only, it may be justified to refuse all public access to such data.
28. A simple example would be where EMA needs to assess whether it is necessary to redact information on the Member State where the adverse reaction has occurred. In some circumstances, where the medicine, or the adverse event related to it, is reasonably uncommon, identifying the Member State may, in combination with other information, lead to the identification of a patient. However, in other cases, where the medicine is very commonly used and the adverse event in question is widespread, the redaction of the name of the Member State where the adverse event occurred may be unnecessary.
29. In conclusion, the Ombudsman is of the view that if a request for access to data in EudraVigilance is made concerning adverse reactions to a specific medicine, EMA should take into account the specific context when evaluating the extent of anonymisation that is appropriate.
30. The complainant recognises that certain data fields would need to be anonymised before public access could be granted. However, he implied that this anonymisation was not complex. He considered that EMA could simply identify the types of data fields in EudraVigilance that are problematic, redact those fields, and grant access to all other data fields. The Ombudsman disagrees. As is evident from the above analysis, the task of effectively anonymising the data is not in any way simple, given that it must take into account the specific context of each data set.
31. The request of the complainant is also extremely large. The Ombudsman notes that the complainant requested EMA to provide public access to the entire data contained in the EudraVigilance database. EudraVigilance contains a vast amount of data on a large number of medicines (namely, all medicines placed on the market in the European Economic Area). According to the 2015 Annual Report of EMA, over 1.2 million new adverse reaction reports were processed in EudraVigilance during 2015. By the end of 2015, the EudraVigilance database held a total of 9.5 million adverse reaction reports, referring to 6.2 million individual cases.
32. It is permissible for an institution to exceptionally refuse to grant a request for public access that imposes a disproportionate administrative burden on the public body. The Ombudsman is of the view that EMA was entitled to refuse to deal with such a manifestly broad and complex request.
33. There was thus no maladministration by EMA.
34. The Ombudsman recalls that the complainant or any other person is free to submit new requests to EMA limited to a specific medicine or substance. Such requests should be dealt with on their own specific merits in accordance with the analysis set out above.
On the basis of the inquiry into this complaint, the Ombudsman closes it with the following conclusion:
There was no maladministration by the European Medicines Agency concerning the allegation that it wrongfully refused public access to the entire EudraVigilance database.
The complainant and EMA will be informed of this decision.
 Originally, the complaint also included an allegation concerning disclosure of staff declarations of interest. In the course of the inquiry the complainant informed the Ombudsman that he was no longer interested in obtaining access to the declarations.
 Article 24(2) of Regulation (EC) No 726/2004 of the European Parliament and of the Council of 31 March 2004 laying down Community procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishing a European Medicines Agency, OJ 2004 L 136, p. 1. Consolidated version available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004R0726:20120702:EN:PDF
 Article 24(2), sixth subparagraph, of Regulation 726/2004.
 See Draft recommendation of the European Ombudsman in his inquiry into complaint 2493/2008/(BB)(TS)FOR against the European Medicines Agency, available at: http://www.ombudsman.europa.eu/cases/recommendation.faces/en/4810/html.bookmark
 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ 2001 L 8, p. 1.
 See Chapter 3 (External guidance on the anonymisation of clinical reports for the purpose of publication) of the External guidance on the implementation of the European Medicines Agency policy on the publication of clinical data for medicinal products for human use, available at: http://www.ema.europa.eu/docs/en_GB/document_library/Regulatory_and_procedural_guideline/2016/03/WC500202621.pdf
 See Recital 8 of Regulation 45/2001.
 Recital 2 of Regulation 1235/2010 (Regulation (EU) No 1235/2010 of the European Parliament and of the Council of 15 December 2010 amending, as regards pharmacovigilance of medicinal products for human use, Regulation (EC) No 726/2004 laying down Community procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishing a European Medicines Agency, and Regulation (EC) No 1394/2007 on advanced therapy medicinal products, OJ 2010 L 348, p. 1).
 As regards, generally, the issue of how data protection concerns arise in relation to EudraVigilance, see the Opinion of the European Data Protection Supervisor (EDPS) on a Notification for Prior Checking Received from the Data Protection Officer of the Agency regarding the EudraVigilance database available at: https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Supervision/Priorchecks/Opinions/2009/09-09-07_EMEA_EudraVigilance_EN.pdf
 EU Individual Case Safety Report (ICSR) Implementation Guide, available at: http://www.ema.europa.eu/docs/en_GB/document_library/Regulatory_and_procedural_guideline/2014/04/WC500165979.pdf
 The Ombudsman notes that Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as well as Regulation 45/2001, state in recitals that “To determine whether a person is identifiable, account should be taken of all means likely to be reasonably used either by the controller or by any other person to identify said person.”
 See Recital 8 of Regulation 45/2001.
 Examples include insurance companies or potential employers that may wish to assess if particular persons pose a greater health risk.
 As noted above, Article 10 of Regulation 45/2001 allows the processing of, among others, data concerning health under exceptional circumstances only.
 In contrast, the Ombudsman notes that EMA is willing to agree to requests for anonymised data sets relating to adverse reactions to a specific medicine (see the Decision of the European Ombudsman closing his inquiry into complaint 2493/2008/(BB)(TS)FOR against the European Medicines Agency available at http://www.ombudsman.europa.eu/en/cases/decision.faces/en/11360/html.bookmark). In that case, the requested documents were released with certain redactions, such as the identity of the Member State where the adverse events occurred.
 Information on the review procedure can be found on the Ombudsman’s website: http://www.ombudsman.europa.eu/en/resources/otherdocument.faces/en/70669/html.bookmark