Challenges for the compliance officer in the protection of trade secrets in the pharmaceutical sector

José Ignacio Olleros analyses the functions of the compliance officer in relation to the need to protect business secrets in the pharmaceutical sector

This article provides a brief overview of the important functions of the compliance officer in relation to the need to protect trade secrets in the pharmaceutical sector, explaining their compatibility with the transparency obligations of pharmaceutical entities, and the protection of these invaluable intangible assets.

The first thing that draws attention is the breadth of the concept of trade secret referred to in the preamble and in Law 1/2019, which includes "business data relating to customers and suppliers", "business plans" and "any information or knowledge, including technological, scientific, industrial, commercial, organizational or financial", therefore "subject to reasonable measures on the part of its owner to keep it secret".

What measures is it considered reasonable to take to keep secret what the company needs to protect? The word "reasonable" is somewhat ambiguous. The Act makes it clear that three things are excluded from the scope of protection: information of little importance; experience and skills acquired by employees during the normal course of their professional career; and information that is generally known or easily accessible in circles where the type of information in question is normally used. For its part, the jurisprudence of the Supreme Court, prior to the entry into force of the aforementioned Law, established that business secrets are those that, if known against the will of the company, may affect its competitive capacity.

The preamble to Law 1/2019 lists a series of factors that contribute to the fact that innovative entities are increasingly exposed to risks derived from unfair practices that pursue the improper appropriation of trade secrets. There are also circumstances that aggravate these risks such as globalization, the growing outsourcing of services, etc.

It is clear that in the pharmaceutical sector we must take into account, among the information to be protected, that relating to the cost of medicines, business plans, merger processes and reports on pharmacomonitoring (without prejudice to the duty to share the information contained therein with the competent authorities, where appropriate). In addition, special attention needs to be paid to the protection of confidential information, including sensitive personal data, and of business secrets that we entrust to third parties or suppliers to whom the company outsources certain services.

It is true that, in the field of clinical trials, EU Regulation 536/2014 imposes the obligation to place on a single public portal of the European Union data of great relevance that could border on the limits of the business secrets that companies legitimately want to preserve. In this respect, it is important to bear in mind that Article 81(4) of the aforementioned Regulation justifies the confidentiality of fragments of these trials, among other reasons, not only for the necessary protection of personal data but also to protect the confidential commercial information contained therein.

It is important to mention Transparency Law 19/2013, since a reading of it, in particular Article 14 j), makes clear the need to protect trade secrets and intellectual and industrial property. In this regard, and as an illustrative example, resolution 478/2019 of the Council for Transparency and Good Governance of 26 September 2019 states the need for pharmaceutical entities to apply restrictions on information when economic and commercial interests could be harmed in public tenders. In conclusion, despite the need for transparency, there is compatibility with the protection of trade secrets.

What measures and controls must the company and the compliance officer take to protect themselves against these risks? Let us not forget that it can incur responsibility if it is not proactive in carrying out these controls or if, knowing that an illegal act is being carried out by the Company, it does nothing to prevent it.

Any diligent and responsible company director will consider company secrets important to the business he or she manages and directs. The first thing you should do is to make an inventory of the secrets that are being protected, which can take a lot of effort. It is essential to distinguish between confidential information and business secrets, which may seem the same but should be treated differently if we want to be practical and not stifle our companies. Identifying secrets requires internal reasoning, asking ourselves questions such as: "Would we be willing to initiate legal proceedings if an employee or ex-employee took this information to a competitor?" If the answer is no, we are dealing with information that should be classified as confidential but not secret. On the other hand, if the answer is yes, we must get down to work. The next step is to inventory all the information analyzed and establish reasonable security measures in order to protect this information. Fortunately, we have all done a sprint with the GDPR and we are clear about the security controls that our company has, so we can take advantage of the synergy.

Controls are frequently classified from four points of view: technical, legal, organizational and training.

The scope of technical controls should include cybersecurity measures, email monitoring, and regular preventive internal audits.

Legal controls should include clauses in employment contracts that impose a duty of confidentiality on workers, and disciplinary measures to be imposed in case of breach of this obligation.

Within organizational controls, it is possible to evaluate the category under which we inventory information, establishing groups of users who have access to certain information and deciding who is given permission to access it. It may be advisable for a single employee to have full knowledge of all the Company's industrial and business processes. Let us not forget that the leakage of protected information is carried out by employees, former employees and collaborators of companies with direct access to sensitive information.

If there are differences of opinion when it comes to the implementation of controls, we can rely on the Compliance Committee or create a Subcommittee that is specific to Business Secrets.

Should we have a contingency plan in case of information leakage? We can have a specific one or include it in the company's crisis manual, but what is clear is that there must be coordination with the Human Resources Area.

Finally, let's not forget that all the previous controls would fall on deaf ears unless active information and training initiatives are taken and the complaints channel is activated in the event of any breach of the obligation to maintain secrecy.

You can see the article in diariofarma.
