Points of View Toward Further Utilization of Medical Information From the Perspective of Personal Information Protection

Printable PDF

Masami Morita, Senior Researcher, Pharmaceuticals and Industrial Policy Research Institute
Takayuki Sasaki, Senior Researcher, Pharmaceuticals and Industrial Policy Research Institute
Yasuhiko Nakatsuka, Senior Researcher, Pharmaceuticals and Industrial Policy Research Institute

The Japanese government included the sentence "Transform the pharmaceutical industry into an industrial structure with high drug discovery capabilities by promoting innovation and other measures" in its "Basic Policies for Economic and Fiscal Management and Reform 2019" (KOTA Policy) ^{1), which} was decided on June 21, 2019. The policy clearly states the need to support drug discovery through the use of data and technology, including cancer genomics. The subtitle of the policy is "A New Era of '2021': The Challenge of 'Society 5.0.'" The key to the movement toward the realization of Society 5.0 is data distribution.

It is still fresh in our minds that Prime Minister Shinzo Abe proposed the phrase "Data Free Flow with Trust" in his speech at the World Economic Forum Annual Meeting (Davos Meeting) ²⁾ held in Geneva, Switzerland, last January 2019. At the G20 Summit held in Osaka last June, the Prime Minister also stated, "I want this to be long remembered as the occasion where global data governance began," and expressed his intention to lead the creation of international rules to ensure the security of personal information and the advancement of data management.

In fact, the international community has been developing rules for data governance along with advances in data technology, and these rules are unique to each pole. For example, in the case of the U.S., with its giant IT companies such as GAFA, companies that accumulate and manage data are allowed to promote the use of personal data while taking privacy into consideration, based on the premise of self-management of personal data. On the other hand, in Europe, where privacy and the handling of personal information are strictly regulated, the perspective of "personal information protection" is considered important, and stricter rules have been established through the "GDPR. In China, the importance of national data management has been strongly emphasized, and the Chinese government has adopted a policy of national data management and data enclosure through the Cyber Security Law enacted in 2017, which restricts the export of data collected domestically out of the country for the purpose of national security.

In December 2019, the Outline of System Revision of the Act on the Protection of Personal Information will be issued, In December 2019, the Outline of System Revision of the Act on the Protection of Personal Information was issued, and the certification of anonymous processing business operators under the Next Generation Medical Infrastructure Act, which had been long overdue, is being implemented. In this report, we will discuss what issues are necessary for the pharmaceutical industry to further utilize health and medical data, focusing on the revision of the Act on the Protection of Personal Information and the Next Generation Medical Infrastructure Act.

Amendments to the Act on the Protection of Personal Information

The Act on the Protection of Personal Information (hereinafter referred to as "Personal Information Protection Act") was promulgated in May 2003 and fully enforced in April 2005, directly following the revision of the Basic Resident Ledger following the introduction of the Basic Resident Ledger Network System. Since then, rapid changes in the environment, such as the development of information and communication technology and the globalization of business activities, have brought about significant changes in the expansion of the handling of personal information, including the ability to utilize big data in ways that were not envisioned when the Personal Information Protection Law was first enacted.

Against this backdrop, the Revised Personal Information Protection Law (2017 version) was promulgated in September 2015 to promote industry and protect the rights of individuals with respect to data-driven utilization, and came into full force in May 2017. During the discussions at that time, it was decided that the Personal Information Protection Law would be reviewed every three years, taking into account international trends. The "Personal Information Protection Law Revision Outline for the So-Called Triennial Review" ³⁾ was issued on December 13, 2019, and public comments were solicited until January 14, 2020. Table 1 below lists some of the points of interest to the pharmaceutical industry in this revision of the Personal Information Protection Law.

The first and most noteworthy point is the inclusion of "pseudonymized information (tentative name)" in Section 4, Paragraph 2. Under the Personal Information Protection Law, personal information including medical history was positioned as "personal information requiring special consideration," and the consent of the individual was necessary for companies and others to utilize medical data. The Next Generation Medical Infrastructure Act (see below) was enacted to promote research utilization, and secondary utilization is being promoted through careful opt-out collection at medical institutions and anonymous processing by certified service providers. However, it is expected that the requirements for secondary use will be improved in the future.

In the past few years, a business model has emerged in which user data that is not personal information linked to identifiers such as cookies is provided to other businesses, knowing in advance that the data will become personal data when collated with other information at the recipient. In order to regulate such a method of collecting personal information without the involvement of the individual, Section 4.4(3) is based on the source standard and incorporates disciplines that restrict the provision of personal data to third parties. Such discipline will ensure that personal data is appropriately provided under the control as personal information.

In addition, Section 4, Paragraph 3, "Clarification of the Operation of Exceptions to Handling of Personal Data for Public Interest Purposes," addresses as a specific case "the use by medical institutions or pharmaceutical companies for the purpose of contributing to the development of medical research in order to realize high-quality medical services, drugs, medical devices, etc., in terms of safety and effectiveness. If the concept of so-called public interest is expanded and some of the activities of private companies are also considered as public interest activities, accessibility to private companies' data in secondary use can be expected to be improved. As mentioned in the examples, we would like to see clarification of activities with high public interest, such as the use of data by private companies for the purpose of creating pharmaceuticals and other products that contribute to the development of medical research, through guidelines or other means.

In addition, Section 6.3, "Strengthening Restrictions on Provision of Personal Data to Third Parties Located in Foreign Countries," would require clarification of the destination in the event of extraterritorial transfer when consent is obtained. Generally, in the research and development of pharmaceutical products, there are cases where data obtained in Japan through clinical trials are provided (transferred) to overseas entities or review authorities. However, at the time of obtaining the consent of subjects to participate in clinical trials, the country of application for approval has not yet been determined, and it is difficult to provide a detailed explanation of the destination for the provision (transfer) of personal data. It is hoped that the burden and practice of the entity handling the data will be fully considered when transferring the data overseas, and that consideration will be given so as not to impose an excessive burden on the entity.

Section 7, Paragraphs 2 and 3, states that the regulations for the protection of personal information should be consolidated and integrated. As has been pointed out in the past, Japan's personal information protection legislation is said to consist of as many as 2,000 laws and ordinances due to the different regulations and jurisdictions of administrative agencies and local public entities (the 2,000 Personal Information Protection Laws Problem). For example, very few ordinances adopt the term and concept of "personal identification code," which was newly introduced in the 2015 amendment, so that genome information and feature information generated by biometric identification systems, etc., which fall under personal identification codes, do not fall under "personal information" in some municipalities, and there is a lack of uniformity in Japan. In addition, the situation has not been standardized in Japan. In addition, there are many personal information protection ordinances that do not have the "exemption for academic research purposes" stipulated in Section 4.3 above, and the application of the ordinances of each municipality is imposed on academic research use by public research institutes, public universities, and public hospitals, which requires the approval of the personal information protection review board of each municipality. This is a hindrance to the development of academic research. In the pharmaceutical industry, it is expected that big data analysis will be conducted effectively across fields ranging from medicine to daily life. Therefore, it will be necessary to unify the rules that form the basis for data utilization so that data utilization will not be hindered by the uneven handling of personal information by each municipality.

Efforts under the Next Generation Medical Infrastructure Act

One of the expected initiatives for the utilization of medical data in Japan is the development of infrastructure based on the "Act on Anonymously Processed Medical Information for the Purpose of Contributing to Research and Development in the Medical Field (hereinafter referred to as "Next Generation Medical Infrastructure Act " ⁵⁾. The revised Act on the Protection of Personal Information, which came into effect in May 2017, defines personal information, including medical history, as "personal information requiring special consideration" and prohibits the provision of such information to third parties on an opt-out basis, raising concerns that this may hinder the use of medical information in medical research and other activities. The importance of building a nationwide database centered on electronic medical records that includes outcomes of medical treatment has long been recognized, and there have been discussions about efforts to build such a ^database6).

Against this backdrop, the Next Generation Medical Infrastructure Act was enacted in May 2018 to promote research and development in the medical field. This law establishes a system for certifying businesses that meet certain standards, such as high security and anonymized processing technology (certified anonymized processed medical information providers (hereafter, "certified providers " ⁷ )), and also allows medical institutions to provide medical information, including personal information requiring special consideration, to certified providers on an opt-out basis. The system also stipulates that medical institutions, etc. can provide medical information that includes personal information requiring special consideration to the certified entity on an opt-out basis, and that such information can be provided for research and development in the medical field after being anonymized (Figure 1).

In December 2019, certified business operators under the Next Generation Medical Infrastructure Act were approved, and activities of certified business operators under this infrastructure act began in January 2020. The first of these certified business operators is Life Data Initiative, a general incorporated association, and this business operator is based on the Millennium Medical Record ^Project8) led by Kyoto University. Life Data Initiative, Inc. aims to "conduct business that can contribute to the development of healthcare in Japan by developing services for users and participating facilities that utilize information on all aspects of health and medical care, as well as to improve the quality and efficiency of healthcare and the convenience of patients and the public, to enhance R&D such as clinical research, industrial competitiveness, and to realize a sustainable utilization system. The purpose of ^the business is to "contribute to the development of medical care in Japan.)

The company is expanding its network of medical facilities, accumulating electronic medical record information, and cleansing accumulated data, and initially plans to provide "market research services" and "academic support services" to assist in the preparation of papers based on database research at the start of the project. Once the system is in place, the company plans to start providing "post-marketing surveillance support," "provision of anonymized processed information, " ^{10 and other} services on a full scale. At this point, it is unclear what kind of items and granularity of data will actually be available for use. It will be necessary to deepen cooperation with private companies that will utilize the data, for example, by sharing data contents and needs during the initial preparation period.

While it is hoped that the services of the above-mentioned certified providers will facilitate the utilization of medical information, there are several issues to be addressed in the Next Generation Medical Infrastructure Act.

The first is the handling of highly specific and personally identifiable information (including information on rare diseases and the very elderly) and image data (brain scans, X-rays, organ photos, etc.), which are anonymized. In order to prevent identification of individuals, such information may be anonymized by deleting or rounding off descriptions and images, and there is a risk that the original information may not be obtained as provided data. In particular, in anticipation of future research and development for rare diseases, progress in medical stratification, and utilization of advanced technologies such as image analysis AI, the value of "narrow but deep data" is expected to increase, and it will be necessary to further discuss the use (possibility) of secondary use of highly specific medical information.

The second point is the provision of information on genomic (omics) data. In general, genomic information falls under the category of personal identification code and cannot be processed anonymously itself. In other words, it is personal information itself, and without the consent of the individual, it cannot be used in the scheme of the Next Generation Medical Infrastructure Act. In future medical research and drug discovery research, it is an important theme to link genomic (omics) data with medical data and daily life data to predict the mechanism of disease onset and deterioration, prognosis, and discover new biomarkers. Further study of a mechanism that enables the provision of genomic (omics) data will be necessary.

Third, since the data handled by certified providers is general medical information (electronic medical record information, etc.) collected from several hundred facilities, there may be inconsistencies in data accuracy, missing measurement items, units of test values, and codes. This is not so much an issue of the Next Generation Medical Infrastructure Act as an issue of data quality in the first place, such as standardization and structuring of electronic medical records and EHRs, but there is concern that the scope of utilization of anonymized processed medical information may be limited to specific areas such as post-marketing and market research. In the operational scheme of the Next Generation Medical Infrastructure Act, it may be necessary to devise ways to improve the quality of data, such as collecting data by using a template-like format of collected data in advance for some diseases, as in the case of registries.

Finally, in the area of post-marketing and market research, there are private companies such as Medical Data Vision and JMDC that are already using commercial databases and conducting database utilization projects, and it is expected that they will differentiate themselves from existing companies in terms of data quality and quantity, as well as data usage fees for certified companies. The new law is expected to make it easier for the companies to differentiate themselves from the existing companies in the market.

Establishment of a system for utilizing "pseudonymized information

Another important theme for the pharmaceutical industry to consider is the development of a system to enable the collection and analysis of "pseudonymized information" in the medical field, which will be set up as a result of the recent revision of the Personal Information Protection Law.

Unlike non-personal information such as anonymized processed information, "pseudonymized information (tentative name)" as indicated in the Outline of Amendment to the Personal Information Protection Law is "personal information" and still requires the consent of the individual to be provided to a third party. However, pseudonymized information is information in which the name, address, medical record number, etc. are deleted so that the individual cannot be identified at first glance, and it is information that is expected to be used in secondary use as is with accurate historical data of each individual under certain obligations. Therefore, just as the Next Generation Medical Infrastructure Act was enacted as a special law in the medical field in response to the Personal Information Protection Act (a general law), the enactment of a new law that can handle pseudonymized information would be one measure.

Of course, it goes without saying that pseudonymized information is personal information and should be used within the scope of appropriate purposes of use. It is expected that this "appropriate purpose of use" will be clarified in consideration of the guidelines and detailed notices such as Q&A that will be presented in conjunction with the revision of the Personal Information Protection Law, but the key points will be to consider "what the target is" and "what kind of use" should be limited to. In other words, it is necessary to take a cautious stance to consider the establishment of rules for the provision of personal information in the form of "pseudonymized information" under various statutory restrictions, such as limiting the "target," which is the entity that handles pseudonymized data, to those with pre-designated qualifications (such as doctors and designated researchers) and limiting "purposes of use" that have a high social and public nature. For example, the purpose of use should be to provide information on the axis of public interest.

For example, with public interest as the axis of the purpose of use, (1) academic research purposes and public health purposes (development of exemption clauses) and (2) return of analysis data to data providers (provision of data leading to treatment and prevention) should be allowed. Next, while seeking to build a social consensus, the following types of utilization should be considered: (3) drug discovery purposes for private companies, followed by (4) health solution development purposes, etc., and then the utilization should be considered in accordance with a certain public interest evaluation axis.

Proposal of a new concept of data governance

As a more in-depth concept of data utilization in the healthcare area, the World Economic Forum (WEF) reported a new concept of data governance called Authorized Public Purpose Access (APPA) ¹¹⁾. In this report, APPA is presented as an example of what data utilization should be like, as well as a concrete component of an appropriate data governance model and avoiding inappropriate data use.

APPA is a new governance model that does not necessarily rely solely on "individual" opt-in consent as a way to respect individual human rights. It is a model that realizes the intended value by granting access to data without necessarily requiring explicit individual consent.

In this report, the three elements of the governance model for utilization are organized as individual, data holder, and public interest, and APPA is positioned as one way to address problem cases where each is overly biased (individual bias, data holder interest bias, and public interest bias).

The APPA model is positioned as one of the ways to deal with the problematic cases of excessive bias in each of the three elements (individual bias, data holder's interest bias, and public interest bias). It is believed that the APPA model will be more reliable in the future. On the other hand, the report also cites various issues, such as the construction of an economically sustainable model, efficient acquisition of consent, and the use of technology to minimize privacy risks, and further discussion is desirable.

Summary

In this issue, from the perspective of promoting the utilization of health and medical information, we touched on the revision of the Personal Information Protection Law, the issues of the Next Generation Medical Infrastructure Law, and the concept of APPA. Health and medical information is usually considered sensitive information, and it is necessary to promote data utilization on the premise that privacy is protected. In other words, it is not enough to have data portability, but "trust" in how the data is used, viewed, and fed back, and by whom, is also an important element of the data ecosystem.

However, these elements cannot be defined only by law, but it is most important to implement them as a social mechanism. The U.S., Europe, China, and the rest of the world are putting in place systems for data use. In Japan, too, it is necessary to "design a society" that combines various elements such as more efficient acquisition of consent, construction of an economically sustainable model, and use of technology to minimize privacy risks, and it will be necessary to start discussions with various stakeholders as soon as possible.

Return to News List

TOP