Online Class Notes (Ally)

Writing:

l As we discussed in our previous meeting, Veeva Medical system will be used only to GEMMEI Wave 1 Phase 4 project. GEMMEI W1P4 is the project to create affiliate specific contents repository and material review workflow. Therefore, generally, we will not take care any personal information in this system. So I assume that the laws and regulations about outbound transfer of personal information will not be the issue for Veeva Medical system. Ø With situation above, we still need to collect internal colleagues information such as name, e-mail address, affiliation etc. to create internal users’ account. Is this info collection still be regarded as the concerns from the personal information protection law perspective?

LA：Yes, your understanding is correct. Internal colleagues information such as name , e-mail address, affiliations which can be used to identify specific individuals, is also subject to the Personal Information Protection law. The personal information of all individuals, including HCPs, subjects, and internal colleagues are the subject to the jurisdiction of this law.

Regarding the life science data/information protection policy, are there any possible ways to avoid or resolve the risk caused by use of Veeva Medical other than launching physical servers in China?

LA：中国政府近些年来，人类遗传资源、数据安全、个人信息保护方面已加强管控，故相关法律法规在逐渐出台。事实上，关于life science data方面，目前尚无明确的法律法规禁止使用境外服务器（仅存在相关审批或备案），但结合中国对以上相关方面的管控力度，不排除后续逐渐出台相关细则。如目前项目继续推进，后续如出台相关法律法规，则项目须予以终止。 In recent years, Chinese government has been strengthening the management and control of human genetic resources, data security, and personal information protection,etc., so relevant laws and regulations are continuously issued. In fact, in terms of life science data, right now there are no specific laws and regulations prohibiting the use of overseas servers (only relevant approval or filing exists), but taking into account China’s control of the above related aspects, we cannot rule out the issuing of new laws or regulations in the future. If the current project continues to advance, the project must be terminated if relevant laws and regulations are issued.

l Regarding GEMMEI Wave 2, this project purpose is to create global centralized medical inquiry management system. For this project, we are sure that we will collect some personal information such as HCP name or affiliation who made some inquiries through the system. Therefore, we need to consider the personal information protection law very carefully. Our selected vender for GEMMEI W2 called SciMax, confirmed that they actually can launch physical servers in China as needed. ü With the situation above, since we can launch the physical server in China, there is no other concerns regarding personal information protection law. Is my understanding correct?

A: Yes, with a physical local server, we could avoid the risks regarding personal information protection law at this time. However, as I stated in the above response, there is no guarantee that new laws may be introduced.