What You Need to Know About Using an Electronic Trial Master File (eTMF) and Electronic Investigator Site File (eISF) in China for Clinical Trials

In recent years, there has been an increase in clinical trial activity in China. At Florence, our mission is to advance cures for diseases and therefore we have been researching applicable regulations in China to understand how we can support compliance usage of electronic Investigator Site Files (eISF) and electronic Trial Master Files (eTMF) in China. 

The privacy landscape in China is evolving, with an increasing number of regulations and guidelines available:

Under PIPL, a Personal Information Processor refers to an organization that autonomously determines the purposes and means of personal information processing. For those familiar with the General Data Protection Regulation (GDPR) terms ‘Controller’ and ‘Processor’, a Personal Information Processor under PIPL is in line with the GDPR term ‘Controller’, rather than ‘Processor’ as may be presumed. The term “Processor” in GDPR terms is synonymous with an Entrusted Party under PIPL. 

Sensitive Personal Information is a specific type of personal information that  includes information such as biometrics and medical health status, as well as the personal information of a minor under 14 years of age. Protected Health Information (PHI) collected during a clinical trial would be considered Sensitive Personal Information. Similar to GDPR, there are specific requirements for Personal Information Processors to process Sensitive Personal Information. 

The term Important Data refers to data that may endanger national security, economic operation, social stability, public health and safety, etc. if it is tampered with, destroyed, leaked, or illegally obtained or used. With the inclusion of health data, certain types of PHI collected during a clinical trial may be considered Important Data. 

Human Genetic Resources (HGR) broadly includes HGR information, or the data and other information generated from the utilization of materials of human genetic resources. The HGR Implementing Rules narrow the scope of HGR information, excluding clinical data, imaging data, protein data and metabolic data. This means that under the Implementing Rules, a smaller proportion of PHI collected and stored for clinical trials falls within the scope of HGR information, and therefore it is not subject to the strict data localization requirements of HGR. 

A Critical Information Infrastructure is any information infrastructure that may endanger national security, people’s livelihoods, or the public interest if such infrastructure is destroyed, loses its function, or experiences data leaks. As health data is not included in Critical Information Infrastructure, Florence is not a Critical Information Infrastructure Operator (CIIO). 

To understand the Data Localization Requirements in China, it’s important to understand that Florence acts as a Personal Information Processor related to Personal Information provided upon login, however Florence customers assume that role for the eISF/eTMF records they upload into Florence. 

When Florence acts as a Personal Information Processor, Florence​ is not collecting Important Data.  This means that the Data Localization requirements aren’t as strict, although there are still controls in place to ensure the cross-border transfer of personal information is in compliance with applicable regulations, especially since this data could be Sensitive Personal Information. Before using Florence for the first time, customers are informed of the purposes and means of processing, and consent to this processing. 

When a Florence customer uploads documents into their eISF or eTMF, they are acting as a Personal Information Processor and have full control over the documents uploaded. Because the Florence customer can upload any document necessary for the conduct of their trial, this means that a customer could upload Sensitive Personal Information or Important Data, and the latter carries additional Data Localization considerations. 

Florence’s first priority is to enable the use of Florence for essential documents that do not meet the definition of Important Data. Florence intends to comply with these requirements as of June 1, 2023. 

When a Florence user is acting as a Personal Information Processor, Florence is considered an Entrusted Party and takes the necessary measures to ensure the security of the personal information being processed.

As Personal Information Processors of documents uploaded into the system, Florence customers need to understand their requirements to ensure full compliance with regulations in China, which includes the following:

• Obtaining specific consent before processing Sensitive Personal Information and/or Important Data, which can be done through inclusion in current consenting workflows. 
• Completing a Personal Information Protection Impact Assessment as necessary. 
• Only uploading Important Data after sufficient assessments are completed with controls in place for that data to leave mainland China. 
• Florence customers should not upload data that is HGR information under the Implementation Rules.

Through implementation of ICH GCP E6(R2) on July 1, 2020 and the Guiding Principles for Centralized Monitoring and Statistics of Drug Clinical Trials, China supports centralized monitoring; however, it is important to define a risk-based monitoring strategy. This means that when Data Localization requirements for the processing of data are followed, clinical trial data in China can be monitored from anywhere in the world through systems like Florence. 

Through the Drug Records and Data Management Requirements, the National Medicines Product Administration (NMPA) in China has confirmed that to ensure the uniqueness and traceability of logged-in users, when electronic signatures are used, they must comply with the Electronic Signature Law. Electronic signatures requirements outlined in this law are consistent with 21 CFR Part 11 signature requirements in the US and Advanced Electronic Signatures within the EU with which Florence complies:

• Uniquely linked to the signatory;
• Capable of identifying the signatory;
• Can confirm use under sole control; and
• Subsequent change in the data is detectable

At Florence, we know compliance is crucial and we are committed to transforming the way sponsors, CROs and sites work together in traditional site-based and decentralized trials. If you’re looking for more information on using Florence for your eISF and eTMF workflows in China (or globally), take the first step towards enhancing your clinical trial management today. Click here to schedule a demo and discover how Florence’s Site Enablement Platform can work for you.