Peru: Health and Pharma Overview

1. Governing Texts

The health sector is heavily regulated, including but not limited to the protection of personal data. The regulations governing the health sector that are relevant to privacy and data protection are those related to pharmacovigilance, clinical trials, and telemedicine.

Data relating to health are considered sensitive data and are treated in accordance with the following regulations:

  • Law No. 26842 on General Health (only available in Spanish here) ('the General Health Law');
  • Law No. 29733 on the Protection of Personal Data 2011 (only available in Spanish here) ('the Law');
  • Regulation of the Law under Supreme Decree No. 003-2013-JUS (only available in Spanish here) ('the Regulation');
  • Law No. 30421 on Telehealth (only available in Spanish here) ('the Telehealth Law');
  • Law No. 30024 Establishing the National Register of Electronic Health Records (only available in Spanish here) ('the National Register Law') and its regulations; and
  • Ministerial Resolution No. 688-2020-MINSA adopting Directive No. 294-MINSA/2020/OGTI on the processing of health data (only available in Spanish here) ('the Directive').

Health-related personal data is defined as information concerning the past, present, or predicted physical or mental health of a person, including the degree of an individual's disability and their genetic information. Health-related personal data should be kept confidential.

1.1. Legislation

The regulations governing the health sector, and specifically those which are relevant to privacy and data protection are those related to pharmacovigilance, clinical trials, and telemedicine.

Pharmacovigilance

  • The General Health Law;
  • Law No. 29459 on Pharmaceutical Products, Medical Devices and Sanitary Products (only available in Spanish here);
  • Supreme Decree No. 016-2011-SA on Regulations for the Registration, Control and Sanitary Surveillance of Pharmaceutical Products, Medical Devices and Sanitary Products (only available in Spanish here) and amendments;
  • Supreme Decree No. 013-2014-SA with Provisions referring to the Peruvian Pharmacovigilance and Technovigilance System (only available in Spanish here); and
  • Resolution No. 1053-2020/MINSA, Manual of Good Pharmacovigilance Practices (only available in Spanish here).

Clinical trials

  • The General Health Law;
  • Supreme Decree No. 021-2017-SA on Regulations on Clinical Trials (only available in Spanish here); and
  • Resolution No. 279-2017-J-OPE/INS, Manual of Procedures of Clinical Trials (only available in Spanish here).

Telemedicine

  • The Telehealth Law;
  • National Register Law; and
  • Supreme Decree No. 005-2021-SA on the Regulation of the Telehealth Law (only available in Spanish here).

1.2. Supervisory authorities

The Ministry of Health ('MINSA') is responsible for policy formulation, development, and review of legislation pertaining to pharmacovigilance, clinical trials, and telemedicine.

The General Directorate of Medicines, Supplies and Drugs ('DIGEMID'), a public entity that is part of MINSA, is the competent national authority in charge of pharmacovigilance and technovigilance.

Regarding clinical trials, the responsible supervisory authority is the National Institute of Health.

Likewise, the General Directorate of Telehealth, Reference and Emergencies is responsible for formulating and implementing telehealth policy in the health sector.

The General Directorate for Transparency, Access to Public Information and Protection of Personal Data is the body that exercises the role of the National Authority for the Protection of Personal Data ('ANPD'), which is part of the Ministry of Justice and Human Rights and monitors and sanctions any non-compliance in this matter.

1.3. Guidelines

In the COVID-19 context, the ANPD issued a press release (only available in Spanish here) reminding citizens that health information is sensitive and confidential, and that data security should be ensured. Therefore, sharing the identity of a COVID-19 medical patient will lead to sanctions ranging from approximately USD 6,150 to USD 62,430.

In addition, MINSA approved the privacy policy of the Single Consultation service for the COVID-19 vaccine registry (only available in Spanish here). The document contains the privacy policy of the digital service called 'Single Consultation of the Vaccine Register against COVID-19'. It establishes that the owner of this database is MINSA, which will process personal data to manage the service, to verify whether people are registered in the Universal Vaccination Register against COVID-19, to make the registration in the Universal Registry of Vaccination, and to inform people about the vaccination schedule (date and place).

1.4. Definitions

Personal data: Any information regarding a natural person ('data subject') that identifies him/her or makes him/her identifiable through reasonable means (Article 2(4) of the Law).

Sensitive data: Includes biometric data, data related to racial and ethnic origin, income, opinions or convictions regarding politics, religion, philosophy or morality, union membership, and information related to health or sexual life. The Regulation states that 'sensitive data' is also information that refers to the physical and emotional characteristics of an individual, the facts and circumstances of his/her personal and family life, personal habits, and information that corresponds to an individual's most intimate sphere (Article 2(5) of the Law).

Data processing: Any operation or technical proceeding, automated or not, that allows the collection, storage, organisation, modification, usage, suppression, among other actions, that allow the access, correlation, or interconnection of personal data (Article 2(17) of the Law).

Anonymisation procedure: Anonymisation is an irreversible procedure that prevents identification or does not make any data subject identifiable (Article 2(12) of the Law).

Database: An organised set of personal data, automated or not, regardless of the support, be it physical, magnetic, digital, optical, among others, whatever the form of its creation, storage, organisation and access (Article 2(1) of the Law).

The processing of personal data requires the prior, free, informed, express, and unequivocal consent of the data subject. Sensitive data requires that the consent of the data subject is expressed in writing. Sensitive data includes racial and ethnic backgrounds, income, political or religious opinions or creed, union membership, data relating to health or sexual orientation and, in general, physical, mental and emotional characteristics, facts or circumstances of emotional or family life, and personal habits corresponding to the most intimate sphere of private life, among others.

However, the consent of the data subject is not necessary when:

  • the data is compiled or transferred for the fulfilment of governmental agency duties;
  • the data is contained or destined to be contained in a publicly available source;
  • the data is necessary for a contractual, scientific or professional relationship with the data subject, provided that such data is necessary for the development, entering into and complying with such a relationship;
  • the data is needed to protect the health of the data subject, and data processing is necessary, in the circumstances of risk, for prevention, diagnosis, and medical or surgical treatment, provided that the processing is carried out in health facilities or by professionals in health sciences observing professional secrecy;
  • the data is needed for public interest reasons declared by law or public health reasons (both must be declared as such by MINSA) or to conduct epidemiological studies or the like, as long as dissociation procedures are applied; or
  • the data is dissociated or anonymised.

On 2 September 2020, Ministerial Resolution No. 688-2020-MINSA approved Directive No. 294-MINSA/2020/OGTI, which establishes the rules for the processing of health-related personal data or personal data in health.

Its main objective is to establish the administrative criteria for the adequate processing of health-related personal data or personal data in health.

The Directive is applicable to public and private establishments that develop activities in the National Health System, and classifies the information of individuals into two categories:

  • Health-related personal data ('HPD'): Data related to the health or disease status of a person, which identifies them and makes them individually identifiable. This information may correspond to past, present or forecasted health and disease, physical or mental, degree of disability and genetic information (e.g. diagnoses, treatments, prognoses, medications, surgeries, tests, etc.); and
  • Health information or information on health matters: A set of statistical data, dissociated or anonymised health-related data, which do not allow the individual identification of one or more persons or users, including administrative and financial data of the management of the organisation or entity of the health sector (e.g. information on budget, logistics, human resources, infrastructure, etc.).

HPD is sensitive personal data and, therefore, its processing (including the transfer itself) requires the consent of the data subject in writing. It will only be possible to process the HPD without the consent of the data subject when a law authorises it for reasons of public interest or when the MINSA determines that there are reasons of public health in the corresponding resolution act.

Finally, the Directive indicates that health establishments must appoint a responsible person for data security ('Data Security Officer') to implement measures to ensure the protection of the HPD.

2. Clinical Research and Clinical Trials

The existing governance framework for clinical trials carried out in Peru is provided by the following regulations:

  • General Health Law;
  • Supreme Decree No. 021-2017-SA on Regulations on Clinical Trials; and
  • Resolution No. 279-2017-J-OPE/INS, Manual of Procedures of Clinical Trials.

A clinical trial in Peru can only begin if it has been authorised by means of a Directorial Resolution issued by the Office of Research and Technological Transfer ('OGITT') of the National Health Institute ('INS'). The authorisation must be granted after the competent Institutional Research Ethics Committee and INS resolve that the benefit/risk ratio is appropriate for the trial subject or society. Moreover, it can only continue if this condition is permanently maintained.

As set forth in Peruvian regulations, clinical trials are understood to mean every research involving human beings, conducted to determine or confirm clinical, pharmacological and/or other pharmacodynamic effects, detect adverse reactions, analyse the absorption, distribution, metabolism, and excretion of one or more investigational products in order to determine their efficacy and/or safety. Investigational products are previously assigned to trial subjects and the assignment is determined by the research protocol.

With regards to the persons and entities participating in clinical trials, the sponsor is responsible for obtaining INS's authorisation to carry out the clinical trial before the trial begins. They must have a legal representative in Peru, duly registered on the corresponding public register, for the duration of the clinical trial, if the sponsor is a foreign national. The legal representative channels all communications with INS's OGITT for the duration of the clinical trial unless this responsibility is delegated to a contract research organisation ('CRO').

The sponsor can legally transfer any or all of its tasks and duties related to the clinical trial to a CRO, being ultimately responsible for the implementation of the research protocol and the results of the clinical trial.

To request authorisation to carry out a clinical trial, the sponsor or CRO must submit the following documents, which must be duly numbered:

  • application for the authorisation of a clinical trial, using for such purpose the Registration Card included on the Peruvian Clinical Trial Registry ('REPEC');
  • copy of the valid registration certificate issued in favour of the research centre or centres authorised to conduct clinical trials;
  • copy of the document of approval issued by the legal representative of the research institution or institutions where the clinical trial will be carried out, using the form included in the Clinical Trial Procedures Manual;
  • copy of the document of approval of the research protocol and informed consent form(s) issued by the respective Institutional Research Ethics Committee ('CIEI') accredited by INS, using the form established in the Clinical Trial Procedures Manual;
  • affidavit issued by the sponsor, stating that it has complied with the obligations contemplated in the Regulations on Clinical Trials, using the form included in the Clinical Trial Procedures Manual;
  • for foreign sponsors: copy of the certificate of delegation of duties in favour of the sponsor's representative, duly authenticated and bearing the Hague Apostille;
  • affidavit signed by the principal investigator stating that it has complied with the obligations and requirements set forth in the Regulations on Clinical Trials, using the form contained in the Clinical Trial Procedures Manual;
  • affidavit signed by the sponsor and the main investigator, establishing that no financial conflict of interests exists in the conduct of the clinical trial, using the form contained in the Clinical Trial Procedures Manual;
  • affidavit signed by the sponsor and the principal investigator stating that the research centre where the clinical trial will be conducted has been duly fitted out, using the form contained in the Clinical Trial Procedures Manual;
  • copy of a valid insurance policy (insurance contract) taken out by the sponsor;
  • affidavit signed by the sponsor stating that it has a financial fund in place to guarantee that the trial subject will receive medical care and treatment immediately and in a timely fashion if he/she suffers any adverse effect from the clinical trial, while the insurance policy is activated, using the form contained in the Clinical Trial Procedures Manual;
  • research protocol, both in Spanish and in its original language if it is different from Spanish (in printed and digital form);
  • informed consent form(s);
  • updated Investigator Brochure, both in Spanish and in its original language if it is not Spanish (in printed and digital form);
  • information related to the quality of the investigational product;
  • updated non-documented curriculum vitae of the whole research team working at each research centre, as per the form contained in the Clinical Trial Procedures Manual;
  • copy of the documents proving that the whole research team received training in Good Clinical Practices and Research Ethics in human beings, the validity of which will not exceed three years;
  • total detailed budget of the clinical trial at the national level, using the form contained in the Clinical Trial Procedures Manual;
  • list of supplies required for the clinical trial, as per the form contained in the Clinical Trial Procedures Manual; and
  • voucher evidencing payment of the processing fee. For clinical trials to be conducted in a plurality of research centres, the processing fee will be paid for

2.1. Data collection and retention

The Law establishes a general principle that personal data should not be kept for longer than is necessary for the purpose for which it is processed (Article 8 of the Law). Note that storing personal data is considered an act of processing as well. As a result, personal data should be kept only for as long as is necessary for a particular purpose, and no longer.

Also, under Annex 5 of the Research Protocol Guide (only available in Spanish here) ('the Protocol Guide') data controllers should explain the data collection method and retention.

Data collection methods include plans to assess and collect both the initial variables and the evolution variables and other study data, including any process required to improve the quality of the data (for example, duplicate measurements, training of evaluators) and description of the tools used in the study (for example, questionnaires, laboratory tests) along with their reliability and validity, if known. It should also indicate where the data collection manners can be found, if they are not included in the protocol.

In addition, the Protocol Guide should detail the plans to encourage participants to stay in the study and manage to carry out a complete follow-up, listing the data to be collected from participants abandoning the trial or deviating from the protocol.

2.2. Consent

As a general rule, the processing of personal data requires the prior, free, informed, express, and unequivocal consent of the data subject. Sensitive data requires that the consent of the data subject is expressed in writing.

Informed consent, following the definitions set out in Peruvian regulations, is the process whereby an individual voluntarily agrees to participate in a clinical trial, after having received information and a detailed explanation of all the aspects of the research. The decision to take part in a research project is to be made without coercion, undue influence, or intimidation. Informed consent is to be documented by a written consent form, to be signed and dated.

All trial subjects must freely give their informed consent in writing before being included in a clinical trial.

If the trial subject cannot read and write, then they will affix their fingerprint to signify their concurrence. If the trial subject is unable to sign or affix their fingerprint, then another method attesting to their consent can be accepted. In both cases, another person designated by the trial subject, other than a member of the investigation team, must sign as a witness.

If the trial subject is a minor, the informed consent of both parents or of the guardian of the underage child must be obtained, but said consent can be withdrawn at any time, without the decision affecting the parents or guardian. The consent of either the father or mother can only be excused in case of death, loss of rights under the legal rules in force, or duly documented irrefutable inability. The informed consent of the parents will not be required if the trial subject is 16 years old or more and their relative incapacity has ceased because they got married or otherwise got a degree authorising him/her to exercise a profession or trade, according to the provisions set forth in the Civil Code (only available in Spanish here).

A trial subject can abandon the clinical trial at any time, without a justified reason and without said decision causing them any harm, by withdrawing their informed consent personally or through their legally appointed representative. Their withdrawal of informed consent will not affect the activities they have carried out and the use of the data obtained as a result of their informed consent prior to their withdrawal.

2.3. Data obtained from third parties

The transfer of personal data should be carried out based on the consent of the data subject. However, the consent of the data subject is not necessary in certain cases, as described in the section on Definitions above. The transfer of personal data must be conducted in a manner that shows that the recipient was informed of the conditions under which the data subject consented to the processing of their data. Following a transfer of personal data, the recipient must process such data in line with the law and the terms under which consent was granted to the transferor by the data subject.

Also, confidentiality should be kept during the processing of personal data. The obligor may be relieved from the confidentiality obligation in case of prior, informed, express and unequivocal consent of the data subject, among others.

Therefore, obtaining personal data through a sample must follow the above rules.

3. Pharmacovigilance

The purpose of the Peruvian Pharmaceutical and Technical Surveillance System is to oversee and evaluate the safety of pharmaceutical products, medical devices, and sanitary products, to adopt measures that may enable the prevention and reduction of risks and increase benefits for the population.

Reporting of suspected adverse reactions from pharmaceutical establishments should be made to regional pharmacovigilance and techno-surveillance reference centres ('CRR') using DIGEMID-approved formats.

Within the established deadlines, these reports of suspected adverse drug reactions ('ADR') are sent to the National Center for Pharmacovigilance and Technovigilance, where they are registered, coded, and analysed.

In these reports, patient data is anonymised using a Patient Identification Code. This code is the initials of the patient or some other form of identification.

4. Biobanking

Not applicable.

5. Data Management

Financial

If the processing of personal data of financial entities falls within the scope of the Law, there are certain obligations that will be applicable to such processing. The main obligations are as follows:

  • Data controllers must register their databases containing personal data and report cross-border transfers of personal data to the ANPD by filing the applicable form. Databases should be kept for a legitimate purpose.
  • The processing of personal data should be carried out based on the consent of the data subject. However, the consent of the data subject is not necessary in certain cases, as described in the section on Clinical Research and Clinical Trials above.
  • The data controller must refrain from making cross-border transfers of personal data if the destination country does not provide adequate protection levels. If the destination country fails to provide adequate protection levels, the data exporter must guarantee that the processing of personal data meets adequate protection levels.
  • Confidentiality should be kept during the processing of personal data. The obligor may be relieved from the confidentiality obligation in case of prior, informed, express and unequivocal consent of the data subject, among others.
  • The Directive enacted by Directorial Resolution No. 019-2013-JUS/DGPDP (only available in Spanish here), which establishes the security standards for the processing of personal data, contains only provisions of a general nature. Data controllers must adopt technical, organisational and legal measures necessary to guarantee the security of the personal data they hold. The measures taken must ensure a level of security appropriate to the nature and purpose of the personal data involved.
  • Personal data shall be collected for a specific, explicit and lawful purpose. Processing shall not occur for any purpose other than that unequivocally set forth at the time of the collection of such personal data, except in the case of activities with an historical, statistical or scientific value in which a dissociation or anonymisation procedure is used.
  • The transfer of personal data must be conducted in a manner that shows that the recipient was informed of the conditions under which the data subject consented to the processing of his/her data. Following a transfer of personal data, the recipient must process such data in line with the law and the terms under which consent was granted to the transferor by the data subject.
  • The data subject has the right to the updating, inclusion, rectification, and suppression of their personal data, and the right to prevent their personal data from being disclosed. The data subject can oppose the processing of their personal data. Also, the data subject has the right to be informed and have access to their personal data.

6. Outsourcing

Generally, the obligations of the data processor under the Law are limited (the majority of them have to be fulfilled by the data controller). The processing of personal data should be carried out within the boundaries of the data processing agreement and the instructions of the data controller. Otherwise, the data processor will become directly liable for data protection non-compliance. Confidentiality should be kept during the processing of personal data and the security of the data must be ensured. Please note that data processors are subject to a two-year storage term from when the request of the data controller comes to an end. According to Article 36 of the Regulations, the data processor cannot transfer personal data to third parties, unless the data controller authorises it and the data subject has provided his/her consent, in the cases where said consent is required by Law.

7. Data Transfers

Please see the section on Data obtained from third parties above.

8. Breach Notification

The data controller must inform the data subjects of any incident that significantly affects their property or moral rights, as soon as the occurrence of the incident is confirmed. The minimum information requirements in a notice are:

  • a description of the incident;
  • disclosed personal data;
  • recommendations to the data subject; and
  • implemented corrective measures.

Health providers will also have to report security incidents to the National Center for Digital Security, and to the ANPD if the incident involved personal data.

9. Data Subject Rights

The data subjects have the right to the updating, inclusion, rectification, and suppression of their personal data, and the right to prevent their personal data from being disclosed. The data subject can oppose the processing of their personal data. Also, the data subject has the right to be informed and to access their personal data.

10. Penalties

There are administrative and criminal penalties. On the administrative side, the ANPD may impose fines on the employee that vary between 0.5 tax units ('UIT') (approx. USD 598) and 100 UIT (approx. USD 119,600) depending on the specific violation. On the criminal side, relevant authorities may impose imprisonment for a period of no less than one year and no more than three years depending on the particular breach. The person affected by non-compliance with the Law may also file a judicial claim arguing damages or distress.

Between 2018 and 2019, the ANPD audited 120 institutions regarding health data, in order to verify irregularities in the handling of patients' data. Of those audited, 40 were health establishments, including hospitals, clinics, and public and private clinical analysis laboratories.

For instance, in 2019 the ANPD imposed a fine of USD 49,148.93 on the laboratory Synlab Peru S.A.C for a breach of the duty of confidentiality, when transmitting sensitive data related to the HIV status of one of its patients to another company. In this case, Synlab Peru S.A.C performed medical examinations on applicants for a job role at the travel agency Domiruth Travel Service S.A.C. and forwarded this information to the company without the patient's consent.

11. Other Areas of Interest

The health sector in Peru is still not heavily technology-based in comparison to developed countries. However, when making use of technological tools that process personal health-related data, it is important to bear in mind that it is considered sensitive information and, as such, there are a series of requirements that must be fulfilled, as described above.

Maritza Reátegu Partner
Iván Blume Associate
Cecilia Alarcón Consultant
Rodrigo, Elias, & Medrano Abogados, Lima