Russia: Health and Pharma Overview
1. Governing Texts
Please note that some of the Russian Government's websites are not working; therefore some of the hyperlinks to Government departments and official documents may not be available at the moment.
Currently, data protection and pharmaceuticals regulations in Russia are closely connected. Russian privacy and data protection law is constantly evolving, and these amendments tremendously affect the health and pharmaceuticals industry. Issues may arise in different spheres, e.g. medicine, evoking such concepts as medical data and medical secrecy, communications services, employment relations, etc.
Data protection regulation
The three principal legal acts relating to personal data protection and information security in Russia are:
- Federal Law of 27 July 2006 No. 152-FZ on Personal Data (as amended) (only available in Russian here) (an unofficial English version is available here) ('the Law on Personal Data');
- Federal Law of 27 July 2006 No. 149-FZ on Information, Information Technologies and Protection of Information (only available in Russian here) ('the Law on Information'); and
- Federal Law of 26 July 2017 No. 187-FZ on Security of Critical Information Infrastructure of the Russian Federation (only available in Russian here) ('the CII Law').
The Law on Personal Data encompasses the purposes, conditions, and principles of personal data processing, which are to be observed by data controllers, irrespective of the particular area in which they carry out activities. Moreover, in 2014, the Law on Personal Data was amended by the data localisation requirements prescribing that the personal data of Russian citizens (including medical data) must be kept in Russia once it is collected.
The CII Law provides for additional cybersecurity obligations for Russian legal entities and/or individual entrepreneurs that own information systems, information-telecommunication networks, and computer-assisted management systems functioning in the sphere of healthcare.
Specific regulations aimed at data protection in medicine are implemented in respective statutory acts, such as the Federal Law of 21 November 2011 No. 323-FZ on the Basics of Health Protection of Citizens of the Russian Federation (only available in Russian here).
A separate and increasing issue in the Russian medical industry concerns biobanking and, in particular, biomedical cell products. On 1 January 2017, the Federal Law of 23 June 2016 No. 180-FZ on Biomedical Cell Products (only available in Russian here) ('the Biomedical Act') entered into force. The Biomedical Act establishes key principles of circulation of biomedical cell products and in particular, covers such products under medical secrecy.
One more important statutory act in the sphere of healthcare and personal data is the Federal Law of 12 April 2010 No. 61-FZ on Medicine Circulation (only available in Russian here) ('the Medicine Circulation Act'). It introduces the concept of processing personal data within the context of clinical research and clinical trials.
A further rapidly growing issue in the Russian healthcare sector relates to telemedicine. On 1 January 2018 the Federal Law of 29 July 2017 No. 242-FZ on Amendments to Certain Legislative Acts of the Russian Federation on the Application of Information in Health Technology (only available in Russian here) ('the Law on Telemedicine') entered into force. The Law on Telemedicine aims to define telemedicine technology and its regulation.
Another big part of the legislation is formalised in the regulatory acts issued by the Russian Government, such as government decrees, as well as regulations and guidance issued by state regulators, including:
- the Ministry of Health ('Rosminzdrav');
- the Federal Service for Surveillance in Healthcare ('Roszdravnadzor');
- the Federal Service for Supervision of Communications, Information Technology, and Mass Media ('Roskomnadzor');
- the Federal Security Service ('FSB'); and
- the Federal Service for Technical and Export Control ('FSTEC').
Regulatory acts, regulations, and guidance issued by these authorities are considered as obligatory regulations aimed at the implementation of the provisions of the federal laws.
Moreover, in the performance of their controlling functions, Russian authorities are guided by another significant document in the sphere of healthcare, the Guideline for Good Clinical Practice (only available in Russian here) ('the EEC GCP') issued by the Eurasian Economic Commission ('EEC') of the Eurasian Economic Union ('EAEU'). The EEC GCP is an international ethical and scientific quality standard for designing, conducting, recording, and reporting trials that involve the participation of human subjects. Compliance with this standard provides public assurance that the rights, safety, and wellbeing of trial subjects are protected, consistent with the principles originating in the International Ethical Guidelines for Medical and Health Research Involving Human Subjects (2016), prepared by the Council for International Organizations of Medical Sciences in collaboration with the World Health Organization, on ethical principles for medical research involving humans, and that the clinical trial data is credible.
The Constitution of the Russian Federation of 12 December 1993 recognises international treaties as an integral part of the Russian legal system. Russia is a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 108/81 ('Convention 108') elaborated and adopted within the Council of Europe (ratified by Russia in 2005). General principles of Convention 108 were integrated into the framework of the Law on Personal Data. On 10 October 2018, the Russian Federation signed an additional Protocol modernising Convention 108, namely the Protocol Amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('the Protocol'). Furthermore, the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding Supervisory Authorities and Transborder Data Flows ('Convention 181') (yet to be ratified), signed by the Russian Federation on 13 March 2006, will, once in force, significantly increase the level of data protection and will specify principles and requirements already implemented in the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Further to the signing of the Protocol and to formalise its ratification, the Draft Federal Law of 17 September 2019 No. 04/13/09-19/00095055 on Ratification of the Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (only available in Russian here) was elaborated in September 2019. At the moment there is no information about the progress of this bill. Russian regulators have also announced that amendments aimed at the harmonisation of the Russian data protection laws with the updated Convention 108 are being elaborated, which is believed to be a step towards the harmonisation of Russian data protection laws with those of the EU.
1.2. Supervisory authorities
The Roszdravnadzor has had powers to carry out compliance audits of companies since 3 October 2016. The Roszdravnadzor controls the activities of the following institutions:
- healthcare institutions;
- medicines wholesalers; and
- other organisations and individual entrepreneurs working in the field of healthcare.
The Roszdravnadzor has powers to check the availability of patients' written consents for clinical trials and their compliance with regulatory requirements.
The Roskomnadzor is another Russian authority overseeing the protection of data subject rights. The Roskomnadzor, in turn, reports to the Ministry of Digital Development, Communications and Mass Media of the Russian Federation ('the Ministry of Digital Development'). The Roskomnadzor undertakes checks of data processing activities conducted by data controllers and has the power to impose mandatory orders to address violations of data protection rules. Its inspections can be either scheduled or extraordinary (e.g. upon receipt of a complaint from an individual). During inspections (both documentary inspections and field checks), the Roskomnadzor may review and request a data controller's documents describing data processing activities and inspect information systems used for data processing. Administrative cases relating to violations of data privacy are initiated by the Roskomnadzor and further considered by a competent court, which then makes an administrative ruling, for example, to impose administrative penalties.
Another important Russian authority is the FSTEC. The FSTEC is responsible for the development of technical regulations on data processing, including requirements for IT systems used in processing and measures required for the legitimate transfer of data. FSTEC is in some cases involved in the inspections carried out by the Roskomnadzor.
The FSB is responsible for the technical protection of personal data with the use of encryption. If personal data is processed with the use of encryption, the data controller shall implement the necessary organisational and technical measures for providing security of personal data in the course of processing such data in information systems.
- Rosminzdrav Order of 14 June 2018 No. 341n on the Approval of the Procedure for the Depersonalisation of Information on Persons who Receive Medical Care, as well as on Persons subject to Medical Expert Reviews, Medical Examinations, and Medical Certifications (only available in Russian here) ('the Order on Depersonalisation of Information'). The Rosminzdrav has defined methods for depersonalisation of information about persons in respect of whom medical expert reviews, medical examinations, and medical certifications are carried out, and medical assistance is provided in the Order on Depersonalisation of Information. The approved procedure in the Order on Depersonalisation of Information applies to the depersonalisation of information processed under the Federal Integrated Electronic Medical Card scheme. It determines the scope of information that must be depersonalised, the sequence of actions necessary for data depersonalisation, methods, and requirements for the result of depersonalisation.
- Rosminzdrav Order of 1 April 2016 No. 200 on Good Clinical Practice (only available in Russian here) ('the GCP Order'). The Russian national standard on the GCP Order is identical to the Consolidated Guidelines for Good Clinical Practice of the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use. On 6 May 2017, Decision No. 79 of 3 November 2016 of the Council of the EEC on Approval of Rules of Good Clinical Practice of the EAEU (only available in Russian here) came into force. The document is aimed at providing a unified approach to carrying out clinical trials.
- Roszdravnadzor Order of 20 December 2017 No. 10450 (only available in Russian here) sets out the checklists used by the Roszdravnadzor in the course of its scheduled inspections in order to check whether medical and pharmaceutical organisations comply with quality and safety requirements.
- Roszdravnadzor Order of 9 November 2017 No. 9438 (only available in Russian here) establishes the requirements imposed by Russian law that the Roszdravnadzor checks during audits of companies (e.g. availability of patients' written consent for clinical trials, performance of obligations under outsourcing contracts by qualified personnel, and the obligation of researchers to register the data obtained in a timely and accurate manner and to ensure its reliability and objectivity).
- Roszdravnadzor Order of 15 February 2017 No. 1071 on Approval of the Procedure of Pharmacovigilance (only available in Russian here) ('the Order on Pharmacovigilance') provides for the Roszdravnadzor's supervision over pharmacovigilance.
- Decree of the Government of the Russian Federation of 1 November 2012 No. 1119 on Approval of the Requirements to Personal Data Protection in the course of its Processing in Personal Data Information Systems (only available in Russian here) establishes security levels, instructions on determining the appropriate security level for data controllers, and the security requirements applicable to each security level.
- FSTEC Order of 18 February 2013 No. 21 (only available in Russian here) establishes the scope of organisational and technical measures for providing security of personal data in the course of processing in information systems.
- FSB Order of 10 July 2014 No. 378 (only available in Russian here) establishes the scope of organisational and technical measures for providing security of personal data with the use of encryption in the course of processing such data in information systems.
Biobank: A store of genetic material and information, which can then be used in research projects. A biobank forms a key part of the infrastructure supporting genetics and genomics research.
Biomedical cell product: A complex consisting of cell line(s) and additives of cell line(s), and additives in combination with the registered medicines for medical use (i.e. medicines), and/or medical products.
Biometric data: Data characterising the physiological and biological particular features of a natural person which enable, and are used for, an individual's identification. This includes samples, models, fingerprints, and similarity scores.
Data controller (operator): A person (i.e. a public authority, municipal authority, legal entity or individual) that alone or jointly with others organises and/or processes personal data, and determines the purposes of personal data processing, scope of personal data to be processed, and operations performed on personal data.
Genetic data: Personal data relating to the inherited or acquired genetic characteristics of an individual which give unique information about their physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the respective individual.
Medical secrecy: Information about the facts of a citizen's appeal for medical care, their state of health and diagnosis, and other information obtained during their medical examination and treatment.
Personal data: Any information relating to a directly or indirectly identified or identifiable individual (i.e. data subject).
Processing of personal data: Any action or operation, or set of actions or operations performed on personal data with or without the use of automated means, including collection, recording, systematisation, accumulation, storage, specification (update, modification), retrieval, use, transfer (dissemination, provision, access), depersonalisation, blocking, deletion, and destruction.
Special categories of personal data (sensitive personal data): Any information that relates to nationality, racial or ethnic origin, political opinions, religious or philosophical beliefs, and the state of health or private life.
The Law on Personal Data contains a rather broad definition of personal data, defining it as 'any information, relating to directly or indirectly identified or identifiable individual (data subject)'.
Processing of patient personal information can be carried out only on the grounds provided by the Law on Personal Data, which include processing of personal data, including sensitive personal data, if:
- the data subject provided their written consent;
- the data subject made their sensitive data publicly available;
- processing is performed pursuant to employment, pension, social security, or other legislation;
- processing is required for the protection of life, health, and the legitimate interests of the data subject, provided that it is impossible to obtain the subject's consent and in some other specific cases;
- processing for medical and preventative purposes, in order to establish a medical diagnosis, for the provision of health and medical and social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities who is obliged to maintain medical secrecy; and
- other cases.
Personal data shall be stored in a form that allows data subject identification for no longer than is required to achieve the purpose of processing, unless a longer period for processing is established by federal law or by agreement with the data subject. Personal data shall be destroyed or depersonalised when the purpose of its processing is achieved, or if the need for achieving such purpose is lost, except as otherwise established by law. Once the purpose of data processing is achieved, the controller shall cease the processing, or ensure that a third party ceases it (if applicable), within 30 days unless otherwise provided by federal laws or agreement with the data subject.
According to the Law on Personal Data, the data controller must ensure that certain processing operations on personal data belonging to Russian nationals are performed using databases located in Russia, once the data is collected (including collection via the Internet). Such operations include:
- specification (update, modification); and
While the Law on Personal Data does not prohibit the cross-border transfer of Russian nationals' personal data, it requires that such data be initially processed in primary databases in Russia. Russian law does not require the data controller to set up its own database. It may be either the data controller or a third party's database (e.g. rented server facilities, cloud hosting etc.). Moreover, it is a feasible option to ensure compliance with the localisation requirement through the efforts of a third party, e.g. oblige a data processor contractually to ensure that data is processed in line with the localisation requirement.
The localisation requirements cannot be contracted out of, even with the consent of the data subject.
As per the applicable legislation on clinical trials, a prospective participant must be provided with a variety of information related to a clinical trial, its potential effect, applicable insurance, etc. The scope of such information is set out in the relevant legislation on clinical trials. This information shall be provided in the Patient Information Sheet ('PIS'). Upon receipt of the above information and prior to the start of the clinical trial, the prospective participant must provide voluntary informed consent to participate in the clinical trial by signing the PIS. The PIS is a sufficient informed consent form ('ICF') compliant with the applicable legislation on clinical trials.
Before the beginning of the trial and communication with the clinical trial subjects, the investigator must obtain the written approval of the draft ICF by the Institutional Review Board, also known as the Independent Ethics Committee ('IEC'), which is an independent body, ensuring the protection of clinical trial subject/participant rights in the course of the trial. It is required that only approved forms are used for the provision of information to the participants and for seeking their respective consent.
Specifically, as regards the processing of personal data in the course of clinical trials, the law is silent. For this reason, the general regulations of the Law on Personal Data, taken together with the applicable legislation on clinical trials, apply. By its nature, such data shall be defined as sensitive data. Therefore, its processing is strictly restricted and, in most cases, requires obtaining written consent.
Written consent shall be executed in hardcopy with the data subject's wet signature or in electronic form with the data subject's digital signature. For written consent to be valid, it must contain the following information:
- the name, passport details, and address of the data subject;
- the name, passport details, and address of the data subject's representative, as well as details of the document confirming his/her authorisation (in case the consent is provided by a representative);
- the full name and address of a data controller;
- the categories of personal data to be processed;
- the types and purposes of personal data processing;
- the data processor, including its name and registered address;
- the actions (operations) on personal data;
- the term for which the consent is valid; and
- the procedure for its withdrawal.
Thus, with respect to the above, to make sure that participation in clinical trials is lawful, it is necessary to obtain the participant's ICF and consent to the processing of their sensitive data. As per the relevant legislation, the participant is allowed to terminate their participation in the clinical trial and withdraw consent at any time. In such a scenario, the processing of their data collected in the context of the clinical trial shall be terminated and the data shall be destroyed, unless there are other legal grounds allowing further processing of this data.
2.3. Data obtained from third parties
As per the relevant legislation, personal data shall be obtained directly from the data subject. In the meantime, from a practical perspective, there might be certain cases where the data is obtained from third parties.
The Law on Personal Data requires that the data subject be notified when their data is obtained from a third party, unless the data subject has already been notified about the processing by this data controller, the data is processed for scientific research or statistical purposes (provided that the rights and legal interests of data subjects are not violated), or other exceptions set out by the Law on Personal Data apply. Such notification shall contain a number of mandatory elements set out by the Law on Personal Data. At the same time, such notification is not equivalent to the data subject giving consent or to any other lawful basis. Therefore, along with notifying the data subject, there shall also be a lawful basis for the processing of this data obtained from a third party.
With regard to medical secrets, such data may be obtained only in case the disclosing entity has legal grounds for such disclosure under the applicable legislation (see the section on Data Management below). Given that medical secrets contain personal data and industry-specific laws and regulations do not set out any exemptions in this regard, the notification prescribed by the Law on Personal Data will also be needed in case of receipt of medical secrets from a third party.
According to the Order on Pharmacovigilance, the supervision activities of the Roszdravnadzor include analysis of information on drug safety, scientific and methodical activities related to drug safety expertise, preparation of expert opinions, and information reference materials on adverse reactions and drug safety. There are two categories of information that are submitted by parties involved in the circulation of drugs:
- periodic drug safety update reports; and
- occasional notifications (reports).
The periodical drug safety update reports are prepared in accordance with the good practices approved by the EAEU, and the occasional reports are submitted in accordance with the standard forms, approved by the Roszdravnadzor.
Sponsors of clinical trials shall submit reports on the safety of the medicine under trial to the Roszdravnadzor. These reports are registered in its data system and then submitted to the Rosminzdrav. The Roszdravnadzor analyses the information provided concerning adverse drug reactions and determines a company's compliance with the drug quality, clinical trial, import, and sales requirements of the relevant legislation. The main requirement for reports is that trial participant/subject data be kept confidential. For this reason, at the beginning of each clinical trial, each subject must be provided with a unique subject identification code.
These reports are necessarily taken into account in the process of decision-making on registration, i.e. authorisation, of pharmaceutical products, as well as on termination of their circulation in Russia. Generally, such reports include information about:
- adverse drug reactions;
- drug safety and efficacy; and
- the facts of transferring disease through the drug itself.
The laws on clinical trials distinguish terms of data retention for different participants of the clinical trial procedure. The IEC shall store documentation relating to the trial, in particular, written procedures, committee member lists, documents provided for examination, and minutes of hearings and correspondence, for a period of not less than three years following the date when the trial was completed and shall provide such documentation to the authorised governmental bodies upon request.
Sponsors shall retain the essential documents, i.e. documents which, separately or jointly, allow the course of the trial and the quality of its results to be assessed, for at least two years following the date when the final application on registration of the pharmaceutical product was approved, or following the date when clinical development of the product subject to trial was officially ceased. In any event, essential documents shall be retained until all applications have been considered and no other applications are planned to be filed. Longer terms are allowed if the sponsor requires this. The same terms apply to the retention of essential documents by scientists, i.e. medical organisations. Meanwhile, the sponsor is under a duty to inform the scientist, i.e. the medical organisation, of the termination of the retention period.
EAEU laws set out the following retention rules with regard to the documents relating to clinical trials:
- the owner of the registration certificate must ensure retention of the main documentation relating to the clinical trials (including personal registration cards) for:
  - 15 years following termination of the clinical trial;
  - two years following the last date of registration in EAEU Member States (provided that there are no pending applications in the EAEU); and
  - two years following the date when clinical development of the product subject to the clinical trial is formally terminated; and
- certain documents must be stored by the sponsor as long as the product is registered; such documents include:
  - the protocol containing the reason and purpose(s) of the clinical trial;
  - the statistical plan and methodology of the clinical trial (with the clinical trial conditions);
  - the organisation (management) of the clinical trial;
  - detailed information on the product under trial and applied standards;
  - standard operational procedures;
  - all written feedback to the protocol and procedures;
  - the investigator's brochure;
  - personal registration cards of each participant (subject);
  - the final report; and
  - the audit certificate (if any).
Sponsors of the clinical trial, or their successors, shall retain the final report for five years following the termination of the registration certificate of the medicine in question.
For non-compliance with the procedure for submitting pharmacovigilance information, an entity can be fined up to RUB 70,000 (approx. €824).
Although biobanking in Russia is one of the least regulated health-related activities, it is a promising area for future developments. The following policies provide the basis for future regulation over biobanking:
- Strategy of Medical Science Development for the Period to 2025 (only available in Russian here); and
- Roadmap on Development of Biotechnologies and Genetic Engineering (only available in Russian here).
On 1 January 2017, the Biomedical Act entered into force. Although the Biomedical Act does not directly introduce the notion of biobanking, it states the core principles of activities in the area of circulation of biomedical cell products. These are:
- donation of biological materials shall be voluntary and shall be free of charge;
- the secrecy regime, including for medical secrecy, shall apply;
- the sale and purchase of biomedical material is prohibited;
- the creation of human embryos for the production of biomedical cell products is prohibited;
- the development, production, and use of biomedical cell products with the use of biomedical materials obtained as a result of the interruption of human embryo development or its disorder is prohibited;
- safety requirements in relation to donors, medical workers, patients, and individuals involved in the process of biomedical cell products production must be satisfied; and
- safety requirements regarding the environment shall also apply.
Furthermore, the samples relate to special categories of personal data, namely sensitive personal data, and in cases where this information can be used for identification, to biometric data. Therefore, the owners of the samples are entitled to all rights granted to data subjects under the Biomedical Act. Processing of samples and related information is generally allowed with the written consent of data subjects.
In addition, under the Biomedical Act, the following biomedical cell products shall be subject to state registration and, conditional to such registration, may be produced, sold, used, stored, transported, and imported to or exported from Russia:
- all biomedical cell products being put into circulation in the Russian Federation for the first time; and
- earlier registered biomedical cell products, in case of changing the type of the biomedical cell product, its qualitative and/or quantitative composition (except for the composition of additives), and biological or other parameters of cell line(s).
The Biomedical Act contains provisions on 'data exclusivity' that are similar to those contained in the Medicine Circulation Act. Information on the results of pre-clinical and clinical trials of biomedical cell products provided by the applicant for state registration of the product cannot be used for commercial purposes without the applicant's consent within six years from the date of registration.
Furthermore, the draft Bill No. 744029-7 on Amending Article 11 of the Federal Law on Personal Data regarding the Processing of the Biometric Personal Data (the progress of this draft law through the legislative process may be tracked, only available in Russian, here) ('draft Bill Amending Article 11') was approved by the Russian Parliament in the first hearing and then was postponed for an indefinite period. Under the draft Bill Amending Article 11, genetic data is considered biometric data, therefore, the written consent of subjects is required for its processing. This corresponds to the requirements of the Protocol.
General obligations in the area of personal data protection
The Law on Personal Data sets out the following obligations of data controllers:
- Ensure there is a lawful basis for processing of personal data: Personal data may be processed only where there is a lawful basis for data processing. The Law on Personal Data sets out an exhaustive list of such legal grounds. These grounds are, for example, the data subject's consent to the processing of personal data, the necessity of performing a contract with the data subject, etc.
- Implement data security measures: A basic obligation of the data controller is to ensure the security and confidentiality of the processed personal data, in particular by taking legal, organisational, and technical measures of personal data protection. The exact scope of measures that shall be applied by the data controller shall be determined based on an audit of the data controller's data processing activities.
- Appoint a data protection officer ('DPO'): The Law on Personal Data requires that the data controller appoint an officer responsible for arranging the processing of personal data. This may be an individual (the data controller's employee) or a legal entity (outsourced DPO). The DPO is responsible for exercising control over the data controller's processing activities and compliance with Russian laws in the area of data protection, familiarising employees with the legal requirements concerning data protection, and handling data subject requests.
- Register with the Roskomnadzor: There is a basic requirement of the Law on Personal Data to file a notification with the Roskomnadzor when processing personal data and thereby to register as a data controller. There are, however, some exceptions to this rule, which are construed very narrowly and practically applied very rarely. Notification must be filed by the data controller once and with respect to all data processing activities. If there are any changes in data processing activities, the data controller must notify the Roskomnadzor of those changes within ten business days.
- Ensure localisation of Russian citizens' personal data upon its collection: The data controller must ensure that certain processing operations on Russian citizens' personal data are performed with use of a database located in Russia, once data is collected. Afterwards, the data can be transferred outside Russia for further processing.
- Notion of anonymised data under the Law on Personal Data: The Law on Personal Data does not expressly mention or otherwise use the term 'anonymised data', however, it provides for the notion of 'depersonalised data'. Data is considered depersonalised where identification of a particular individual without any additional information is not possible. The Roskomnadzor considers that depersonalised data is still personal data, so general requirements to its processing apply.
- Anonymisation of data relating to participants of clinical trials: The legislation on clinical trials sets out that an investigator (medical organisation) shall assign an identification number or 'ID' to each patient participating in the clinical trial. Such ID shall be used instead of the name, surname, and patronymic (if any) of the participating patient in order to ensure the confidentiality of the patient's personal data during the clinical trial.
- Data anonymisation in the unified system in healthcare: Russian legislation on healthcare provides for a Unified State Information System for Healthcare ('USIS'). Along with other information, this system must contain information relating to individuals to whom healthcare assistance is provided, as well as those subject to medical expertise and medical examinations. Given that the personal data of these individuals contained in the USIS should be depersonalised, the Rosminzdrav has adopted comprehensive guidelines on data depersonalisation. These guidelines include requirements for the result of data depersonalisation, the sequence of actions in the course of data depersonalisation, and data depersonalisation methods.
- Important legislative initiatives concerning data anonymisation and depersonalisation: In September 2019, Draft Federal Law No. 04/13/09-19/00095069 on Amending the Federal Law on Personal Data (only available in Russian here) was published for public discussion. The draft law contemplates the introduction of the notions of depersonalised personal data and depersonalised data into the Law on Personal Data. These notions are based on the concepts in EU law of pseudonymised and anonymised data. Depersonalisation rules will be elaborated by the Russian Government and the Roskomnadzor.
Sharing data with third parties
- General rules: As per Russian laws, transfer or disclosure of personal data is considered processing. The laws set out different rules in terms of lawful bases for disclosure of purely personal data and data considered as medical secrets. Where personal data is in question, the data controller shall ensure that there is a lawful basis to transfer personal data to a third party as per the Law on Personal Data (e.g. data subject consent, etc.). With regard to medical secrets, there is an exhaustive list of lawful bases where such information may be provided to a third party. Such bases include:
- the data subject (patient) has given their written consent to the provision of such information to a third party;
- it is needed for the purpose of medical examination and treatment of a citizen who is unable to express their will;
- to prevent a risk of spread of infectious diseases, mass poisoning and injuries; and
- provision at the request or inquiry of Russian investigative bodies or a court in connection with investigative or judicial proceedings, at the request of the bodies of the procurator's office in connection with the exercise of supervision by them, etc.
- Sharing of data with the Ministry of Internal Affairs ('MVD'): The Federal Law of 22 December 2020 No. 438-FZ on Amendments to Federal Law on the Essentials of Public Health Protection in the Russian Federation (only available in Russian here) has been recently adopted. Accordingly, starting from 1 January 2021, medical organisations must transfer the following data to the territorial bodies of the MVD:
- the admission of patients who, for health reasons, age, or other reasons, cannot provide their personal data;
- the death of patients whose identity has not been established; and
- patients with signs of harm to their health due to illegal actions.
- Sharing of data with relatives: As per Russian healthcare laws, information on a patient's unfavourable prognosis must be communicated with sensitivity to the patient or to their spouse or close relatives (children, parents, adopted children, adoptive parents, siblings, grandchildren, or grandparents), unless the patient has forbidden this and/or has not identified another person to whom such information should be transferred.
- Record keeping: As per Russian healthcare laws, medical organisations are required to ensure accounting and storage of medical records. This implies keeping of personal medical records of patients to whom medical assistance is provided.
The laws prescribe the categories of data to be kept. These categories include data such as name, gender, date and place of birth, place of residence and registration, diagnosis, anamnesis, type of medical assistance provided, conditions of medical assistance, information on the medical organisation that provided such medical assistance, etc. The key requirement with regard to such data is that it shall be kept confidential and its processing shall be in line with Russian laws on personal data.
As a rule, the period for which personal data is handled shall be limited by the purpose of its processing. In other words, personal data can be processed as long as it is necessary to achieve the specific purpose of its processing. Once the purpose is achieved, processing shall be terminated and the data shall be destroyed, unless there is another specific purpose for its processing and a respective legal ground.
In addition to the above general rules, Russian healthcare laws require certain specific retention terms, including archive retention terms. Such terms, for example, include 25 years for the medical files of in-patients, ten years for the medical cards of minors, three years for the log of issued medical certificates, etc. For the moment, there is no complete systematised list of medical documents and their respective retention terms. For this reason, the Rosminzdrav has issued the list of the main accounting documents and terms of their retention in its Letter of 7 December 2015 No. 13-2/1538 (only available in Russian here).
Electronic health records
Russian healthcare laws provide for the USIS for healthcare, as mentioned earlier. This system is designed to ensure access to medical services in digital form, as well as the interconnection of healthcare information systems. This system systematises:
- information contained in state information systems maintained by state executive bodies;
- information on medical organisations;
- information on individuals engaged in providing medical assistance;
- depersonalised patient data;
- information on medical documents (provided that such documents do not allow establishing the diagnosis) and on the medical organisations that issue these documents;
- information on statistical monitoring in the area of healthcare;
- aggregated information on carrying out medical activities and provision of medical assistance;
- information on provision of high-tech medical assistance; and
- information required for carrying out monitoring and control over procurement of medicines for state and municipal needs, etc.
Further to the general rules implying the establishment of the USIS, the Russian Government has issued specific regulations setting out the order of provision of information to USIS, rules of access to such information, requirements to hardware and software tools used, and information security. As of November 2018, the rules on the provision of information to USIS also apply to state medical organisations.
Since 1 January 2019, the aforementioned rules have also been in force for private medical organisations. This implies that such medical organisations will have to provide this information to the USIS, unless they have already chosen to do so. Furthermore, on 19 August 2020, Recommendations for the Organisation of Informational Interaction of Medical Information Systems of Medical Organisations of the Private Health Care System with the USIS (only available in Russian here) were elaborated. These recommendations provide for the basic principles of interaction between the information system of a private health care organisation and the USIS, as well as requirements for the protection of information.
The engagement of third parties to assist with data processing matters and transfer of personal data to third parties must be done in a formalised manner in accordance with the law. In particular, when personal data is transferred to third parties, and the data controller assigns data processing to a third party (i.e. data processor), the following conditions must be met:
- The data subject's consent is required for the assignment of personal data processing to a third party. Where personal data falls under medical secrecy, the specific requirements of Russian healthcare laws shall also be taken into account. Given that the exceptions to the consent requirements are quite narrow, the applicable lawful basis will be the written consent of the patient/data subject.
- There must be a data transfer/processing agreement concluded between the data controller and the receiving third party (data processor or other data controller). Such agreement and/or the data controller assignment shall contain specific information provided for under the Law on Personal Data, in particular, the confidentiality and security obligations of the data processor, the obligation of the data processor to ensure a level of protection as required by the Law on Personal Data, the purposes of processing, and information as to the operations with personal data.
- The data controller is liable for the actions of data processors vis-à-vis data subjects, while data processors may be held liable vis-à-vis data controllers on a contractual basis.
Requirements for data transfers depend on the destination country to which data is transferred. The key criterion in this regard is the adequacy of the protection applied to the data. In the absence of adequate protection, cross-border transfers may be allowed, if necessary, to perform an agreement with a data subject or upon the data subject's written consent.
According to the law, countries providing adequate protection of personal data are those that are parties to Convention 108, as well as other countries approved by the Roskomnadzor (including Australia, Canada, Chile, Israel, Japan, Kazakhstan, New Zealand, Singapore, South Korea, etc.). If personal data is transferred to countries considered as providing adequate protection, the general legitimate grounds for data processing are applicable.
Additionally, in order to transfer data for processing by third parties, the controller must conclude contracts with such third parties, e.g. through data processing or data transfer agreements. The EU standard contractual clauses may be used after some adaptation to the Russian law. Security measures must be implemented in order to protect data in the course of those transfers.
Transfers of medical data require mandatory written consent of data subjects, irrespective of the country to which data is being transferred. It is also recommended to be more prudent with regard to ensuring security and confidentiality of such data in the course of its transfer.
Currently, Russian laws do not provide for mandatory data breach notification of data subjects (or involved data controllers). However, these notifications may be required under agreements with respective data subjects or data controllers or internal policies of the data controller.
Notwithstanding the above, the Law on Personal Data requires the data controller to notify a data subject of the elimination of a data breach, where such breach was revealed upon the data subject's respective complaint addressed to that controller. Likewise, where such a request was made by the Roskomnadzor, the data controller would be required to notify the Roskomnadzor along with the respective data subject.
As mentioned, Russia has signed the Protocol. Under the Protocol, the data controller shall without delay notify at least the regulator of data breaches, which may seriously interfere with the rights and fundamental freedoms of persons. The Protocol does not expand further on data breach notification.
Russian legal entities and (or) individual entrepreneurs that own information systems, information-telecommunication networks, and computer-assisted management systems functioning in the sphere of healthcare shall additionally comply with the CII Law.
Under the CII Law, such companies must immediately report computer incidents to the Russian authority responsible for the functioning of the Russian state system for the detection, prevention, and elimination of the consequences of computer attacks on Russian information resources.
9. Data Subject Rights
Data subject rights in the area of data protection
The Law on Personal Data sets out the following data subject rights:
- The right to access information: The data subject is entitled to request from the data controller confirmation that their personal data is being processed by that controller and information on such processing. Likewise, upon the data subject's request, the data controller shall provide them with a copy of that data free of charge. There are statutory exceptions where the data subject's right of access to their personal data may be restricted in accordance with the federal laws. The data controller may refuse a repeated request for access made within 30 days of the initial data subject's request.
- The right to require rectification of incomplete or inaccurate personal data, as well as to require its blocking (i.e. restriction of processing) and destruction, in case of unlawful processing: This implies that the data controller must ensure that these actions on personal data are carried out by the controller itself and by the engaged data processors.
- The right to withdraw consent to data processing: In situations where personal data is processed based on the data subject consent, the data subject is entitled to withdraw such consent at any moment. In such a scenario, the data controller must terminate data processing, and ensure its termination by engaged data controllers, unless it has another lawful basis for processing it, or is required to do so by operation of the law. The general grace period for destruction is 30 calendar days. However, in certain cases there may be a different term, e.g. if it is agreed in the contract to which the data subject is a party, guarantor, or beneficiary.
- The right not to be subject to a decision based solely on automated processing of personal data: As per the Law on Personal Data, such processing is allowed only upon the data subject's written consent or where such processing is prescribed by laws. In any circumstances, the data subject is allowed to object to a decision taken based on automated processing of personal data. In this case, the data controller shall handle such objection and communicate the result to the data subject within 30 calendar days.
- The right to object to direct marketing: Under the Law on Personal Data, processing of personal data for purposes of the direct marketing of goods, work or services is only allowed with the prior opt-in consent of a data subject. In addition, the data subject is entitled to withdraw their consent at any moment. In that case, the controller shall terminate processing of personal data for direct marketing immediately; the law does not provide any grace period in that case.
- The right of the data subject to redress: This involves the data subject's right to voice concern and file a complaint on the data controller's actions or omissions to the Roskomnadzor or the competent court.
The scope of the data subject rights is more limited in comparison to EU legislation. For instance, the right of data portability is not provided for in Russian legislation. As for the right to be forgotten, according to the Law on Information, an individual is entitled to file a request to a search engine to disable access to links containing information related to such individual, if:
- the information has been disseminated in breach of Russian law;
- the information is false/inaccurate; or
- the information is true/accurate but has become unimportant/irrelevant for the individual due to subsequent events/actions of this individual.
These grounds cannot be applied with respect to information related to criminal conduct/omission and crimes where the limitation period has not expired or the conviction has not been expunged.
Also from 1 March 2021, a personal data subject has the right to request to stop the transfer (distribution, provision, access) of their publicly available personal data to any person processing their personal data in violation of the law or to apply to the court with such a request.
Rights of minors
As per national legislation, minors are granted a number of rights in the area of healthcare. Such rights include the right to a medical examination and medical care, the right to obtain medical consultation, etc.
In addition to the above, each minor is entitled to obtain information with regard to their health status, including the results of a medical examination, the existence of a disease, the diagnosis and prognosis of the course of a disease, methods of treatment and medical intervention, as well as their implications and associated risks.
The law sets out certain age limitations. Minors can realise their right to access to information about their health status, as well as provide their informed consent to medical intervention, only where they have reached the age of 15, or 16 in cases of drug/substance dependence. Minors below these ages realise their rights through their parents or other legal representatives.
Processing of the personal data of minors
Currently, there is no provision under Russian laws on the processing of personal data relating to minors. Therefore, it is quite questionable to what extent they are allowed to realise their personal data protection rights, including in cases where processing is allowed only upon their written specific consent. Given the ambiguity at play, there is no unified approach in this regard, and market players tend to follow different approaches considering possible legal implications as their business risks. Many of the controllers are guided by domestic civil law provisions on questions of legal capacity.
In 2017, draft Bill No. 305068-7 on Amendments to the Federal Law on Personal Data (only available in Russian here) ('the Draft Bill') was developed to implement specific rules with regard to the personal data of minors. As per the Draft Bill, the personal data of minors is considered sensitive data (special categories of personal data). As for the lawful basis, such data may be processed upon the written consent of the minor's representative, unless otherwise prescribed by Russian laws. The Draft Bill is being considered in the second hearing (the progress of the Draft Bill may be tracked, only available in Russian, here).
Violation of Russian data protection and healthcare duties by medical organisations and healthcare professionals may result in civil, administrative, and, in certain cases, criminal liability.
The purpose of civil liability is to compensate a data subject's material losses and moral damage. Being purely a matter of private law, it does not aim at punishing the infringer.
To protect their rights, an individual may claim recovery of damages caused by the infringer, including direct losses, lost profit, and moral damages. Practically speaking, it is quite clear how to prove the sum of direct losses suffered. However, where lost profit and moral damages are in question, there is always room for the court's discretion. Therefore, Russian courts do not tend to award high amounts for moral damage (usually several tens of thousands of Russian roubles).
Russian laws differentiate administrative liability depending on the type of breach. This sort of liability usually implies an administrative warning, or an administrative fine imposed on the legal entity and/or its officers. For example, processing of sensitive data without the data subject's written consent (where there is no other lawful basis for such processing) may entail a fine of up to RUB 150,000 (approx. €1,770) for a legal entity and up to RUB 40,000 (approx. €470) for its officers (may be imposed per data subject in case separate proceedings are initiated). In case of repeated violation, a fine of up to RUB 500,000 (approx. €5,890) for a legal entity and up to RUB 100,000 (approx. €1,180) for its officers may be imposed (may be imposed per data subject in case separate proceedings are initiated). Remedial intervention in the absence of the voluntary informed consent of the data subject may entail a fine of up to RUB 200,000 (approx. €2,350) for legal entities and up to RUB 10,000 (approx. €120) for its officers.
Certain grave violations by medical organisations may entail suspension and further withdrawal of the licence for carrying out medical activities. In such cases, the medical organisation will be unable to carry out its activities.
In addition, the Russian data protection authority may order the ceasing of data processing until rectification. Individuals are also entitled to claim damages caused by illegal processing of their personal data (including moral damages) through the civil courts.
At the moment, there are the following fines for violating the requirements for the processing of personal data:
Violation: Processing of personal data in cases not provided for by the legislation of the Russian Federation, or processing of personal data incompatible with the purposes of personal data collection.
- Fine: Up to RUB 100,000 (approx. €1,180) for a legal entity. Up to RUB 20,000 (approx. €240) for its officers.
- Repeated fine: Up to RUB 300,000 (approx. €3,530) for a legal entity. Up to RUB 50,000 (approx. €590) for its officers.
Violation: Processing of personal data without the written consent of the personal data subject to the processing of his personal data in cases where such consent must be obtained.
- Fine: Up to RUB 150,000 (approx. €1,770) for a legal entity. Up to RUB 40,000 (approx. €470) for its officers.
- Repeated fine: Up to RUB 500,000 (approx. €5,880) for a legal entity. Up to RUB 100,000 (approx. €1,180) for its officers.
Violation: Non-fulfillment by the data controller of the obligation to provide the personal data subject with information related to the processing of his personal data.
- Fine: Up to RUB 80,000 (approx. €940) for a legal entity. Up to RUB 12,000 (approx. €140) for its officers.
Violation: Failure by the data controller to comply with the requirement to clarify personal data, block or destroy them.
- Fine: Up to RUB 90,000 (approx. €1,060) for a legal entity. Up to RUB 20,000 (approx. €240) for its officers.
- Repeated fine: Up to RUB 500,000 (approx. €5,880) for a legal entity. Up to RUB 50,000 (approx. €590) for its officers.
Violation: Failure by the data controller to fulfill the obligation to comply with the conditions that ensure the safety of personal data when storing material media and exclude unauthorized access to them when processing personal data without the use of automation tools.
- Fine: Up to RUB 100,000 (approx. €1,180) for a legal entity. Up to RUB 20,000 (approx. €240) for its officers.
Violation: Failure by the data controller to comply with the requirements for localization of personal data.
- Fine: Up to RUB 6,000,000 (approx. €70,580) for a legal entity. Up to RUB 200,000 (approx. €2,350) for its officers.
- Repeated fine: Up to RUB 18,000,000 (approx. €211,750) for a legal entity. Up to RUB 800,000 (approx. €9,410) for its officers.
The best-known examples of administrative responsibility are the cases of Twitter, Inc. (only available in Russian here) and Facebook, Inc (only available in Russian here). The companies did not comply with the localisation requirement when processing data of Russian users. For repeated violations, Facebook was fined RUB 15,000,000 (approx. €176,560), Twitter was fined RUB 17,000,000 (approx. €200,090).
Certain violations in the area of data protection and privacy may entail criminal liability for individuals. Russian law does not allow the imposition of criminal liability on legal entities, however their officers may be found liable.
Criminal liability arises from grave violations which are very intrusive to an individual's privacy. For this reason, the sanctions imposed are always much stricter. For example, unlawful intrusion into an individual's privacy may entail a criminal fine of up to RUB 200,000 (approx. €2,400), disqualification for up to three years, or imprisonment for up to two years with disqualification for up to three years.
Blocking of websites or mobile phone applications
Where processing of personal data through a website or a mobile phone application targeting a Russian audience is not in line with Russian law on personal data, such website or application may be blocked. This implies that such information resource will not be available for access in Russia, unless its owner rectifies the violation. The most notorious example of blocking is Case No. 33-38783/16 of 10 November 2016 on the restriction of access to LinkedIn Corporation from Russia (only available in Russian here). In 2016, this popular social network was blocked for users from Russia due to its failure to comply with localisation requirements, and access to LinkedIn remains restricted to this day.
Responsibility for violation of requirements in the field of security of critical information infrastructure
Healthcare organisations are subjects of critical information infrastructure. In this regard, Russian legislation also imposes obligations on such organisations related to information security and notification of government agencies.
Violation of the requirements for the creation of security systems for significant objects of critical information infrastructure of the Russian Federation and ensuring their functioning or requirements for ensuring the security of significant objects of critical information infrastructure may result in a fine of up to RUB 100,000 (approx. €1,200) for legal entities and up to RUB 50,000 (approx. €600) for officials.
Violation of the procedure for informing about computer incidents, responding to them, taking measures to eliminate the consequences of computer attacks may result in a fine of up to RUB 500,000 (approx. €6,000) for legal entities and up to RUB 50,000 (approx. €600) for officials.
Violation of the procedure for exchanging information about computer incidents may result in a fine of up to RUB 500,000 (approx. €6,000) for legal entities and up to RUB 50,000 (approx. €600) for officials.
11. Other Areas of Interest
On 1 January 2018, certain amendments to Russian healthcare laws known as the Law on Telemedicine came into force.
According to those amendments, telemedicine technologies are information technologies that facilitate:
- remote communication between medical officers, or between medical officers and their patients;
- identification and authentication of these individuals;
- logging of actions on the part of medical professionals when providing medical advice or consultations; and
- remote medical supervision over patient health.
The amendments provide for a general legal framework for carrying out activities with the use of telemedicine technologies. Further to these amendments, the Rosminzdrav has adopted the rules of organisation and provision of medical assistance with the use of telemedicine technologies. The rules define the types, conditions, and forms of provision of medical assistance in this way, set out the requirements for arranging a real-time consultation and the procedure for such consultations, and the requirements with regard to the availability of remote medical assistance and remote supervision over the patient's health. In addition, the rules provide for a number of requirements for the logging and further retention of information obtained in the course of medical assistance with the use of telemedicine technologies.
Processing of health data during the pandemic
During the outbreak of COVID-19, certain preventive measures were taken in Russia. For instance, in Moscow, an important role in combating the spread of coronavirus was given to employers.
In light of this, on 10 March 2020, the Roskomnadzor published clarifications regarding the peculiarities of the use of thermal imagers by employers (only available in Russian here). The Roskomnadzor stated that body temperature measurements relate to special categories of personal data, and their processing is allowed within the framework of labour legislation (e.g. for ensuring employees' safety) or upon employee's written consent. Temperature measurements concerning office visitors do not require a separate written consent, since such consent may be implied by conduct.
In the context of the pandemic, many new obligations were imposed on Russian companies and individuals. In particular, Moscow employers are required to measure their employees' temperature when they are admitted to workplaces. Apart from that, they must transfer employees and performers under civil law contracts to remote work:
- at least 30 percent of employees (including citizens listed below); and
- all employees from among citizens over 60 years of age, as well as citizens with diseases, the list of which is determined by the Department of Health of the City of Moscow, with the exception of persons whose presence in the workplace is critically important for the functioning of organisations, individual entrepreneurs.
Furthermore, the pandemic has caused the expansion of health data processing by the state. For instance, the Government of Moscow has launched a mobile app for social monitoring. The app is developed for COVID-infected individuals and the persons who live with them. A few times a day, app users have to take photos of themselves to prove that they are staying at home and complying with the self-isolation regime, and their location is sent automatically with the photos.
Moreover, the Russian Ministry of Digital Development has also launched a mobile app for COVID-19 tracking. Download and use of the app is voluntary, and it allows users to find out about possible contacts with COVID-infected individuals.
Finally, taking into account the sensitivity of health data, state bodies, medical organisations, and employers tend to pay more attention to the compliance with Russian data protection laws and implement additional data security measures during its processing.