Keeping your information safe: IP and data protections in China and across the globe

For global biopharma companies seeking to take advantage of China market opportunities for their large molecule therapies, collaborating with a strategic partner that has manufacturing operations in China and a long history of working in the region offers many obvious advantages. The local manufacturing presence can streamline the supply chain, reduce logistical complexities associated with importing and exporting materials, and speed time to market. A history of experience in the region ensures familiarity with the Chinese regulatory landscape and an understanding of the local market dynamics—both of which can help mitigate risks associated with market entry.

When outsourcing development and manufacturing capabilities, it is critically important to understand the measures that the manufacturing partner has in place to safeguard proprietary information, including research data, formulations, and manufacturing processes. Recently, a team from Thermo Fisher gathered to provide insight into the controls the company has across all sites in its global pharma services network, including the recently opened development and manufacturing facility in Hangzhou, China. Cross-functional teams participated in a global Q&A information session and described the rigorous contractual, project team, and data protections that are in place to keep customers’ intellectual property and confidential information secure.

Q: There is tremendous interest among biopharma companies to enter the China market and use our recently opened state of the art development and manufacturing facility in Hangzhou. How does this new facility adhere to Thermo Fisher global standards and what controls does Thermo Fisher have in place to safeguard customers’ proprietary information?

A: We apply the same rigorous controls to customers’ IP and confidential information as we do to our own, and we apply and adhere to them across all sites in our global network. We group these safeguards into three categories: contractual protections, project team requirements, and data protections. Again, these are applied across all sites based on an established framework—whether the work is being done in the U.S. or Europe or China.

Q: What are some of the contractual protections?

A: Our contractual terms are consistent with industry expectations and include binding confidentiality and IP obligations to protect our client’s information. These obligations apply throughout our performance of the services and are legally enforceable by our customers. We also have processes in place to ensure that a valid confidential disclosure agreement is in place before any disclosure of confidential information takes place. The confidential disclosure agreement contains express provisions of confidentiality and non-use which apply during initial conversations with the customer and continue even after the project finishes. Any customer IP that is disclosed to us in tech transfer always remains the property of the customer and we can only use it for their projects as per the service agreement. For new intellectual property that is generated during the services belonging to the customer, we give ownership to customers outright in the service agreement with no need to further documentation or fees.

In all scenarios, the confidentiality agreement mandates that only individuals who need to know information about a specific project can access that information, and then it can only be used for that customer’s project and nothing else.

We can also support customers with IP protection and registration. For example, if the customer wants to file a patent application regarding their IP generated in the services, and requires support, we can assist them in that effort by reviewing any documentation, such as a patent application, from a technical perspective.

Q: What project team requirements are in place to ensure protection of IP and confidential information of our clients?

A: Project teams comprise Thermo Fisher employees who are bound by their employment contracts and policies of Thermo Fisher. As such they are bound to the confidentiality and IP obligations of these contracts and policies, which are consistent with our contractual commitments to our clients, meaning that every project team member is legally obligated to keep confidential information confidential, use it in accordance with Thermo Fisher policies and only for the project with the client disclosing such confidential information. Additionally, all IP generated by our employees as part of the project belongs to Thermo Fisher which, in turn, allows Thermo Fisher to give ownership of New Client IP to our clients, which we do under the services agreement with our clients. This applies to all our sites, regardless of any local law variations – we have a consistent approach to IP globally and have mechanisms in place to ensure the same rules apply across all our sites. All new inventions are disclosed through a formal reporting and notification process. Employees also have mandatory regulatory training around confidentiality, and they are subject to requirements that prevent information from being disclosed between different groups within the company.

Q: Data privacy and protection is a top-of-mind issue in pharmaceutical manufacturing. What measures are in place to protect against the potential mishandling of sensitive information?

A: Thermo Fisher’s data protection best practices are applied across all Patheon’s sites. This includes IT policies, processes, and monitoring to limit physical and digital access to confidential information. The company’s global cybersecurity program includes employee training, monitoring, challenging, and reporting. Additionally, all facilities adhere to robust GMP compliance procedures.

Q: What is the global data integrity strategy and how is it deployed at the site level?

A: The global data integrity strategy encompasses four pillars: Governance, Culture, Systems and Equipment, and IT Security. Each of these categories has specific practices and policies that are implemented at the site level. For example, the Governance pillar includes annual site data integrity plans, an observational oversight program that includes measurement and surveillance tactics, data integrity tracking, and an escalation process for significant events. The Culture pillar includes Data Integrity skills training for new hires, annual GMP/Data Integrity refresher training for all associates, and observational oversight. The Systems and Equipment pillar covers such considerations as equipment and systems user access management, system reviews, data integrity assessments, audit trail reviews, and software validation lifecycle. The IT Security pillar encompasses policies for acceptable use, CIS data use and protection, endpoint security, identification and authentication, network security and FDA-Title 21 CFR Part11/Annex 11 compliance.

Q: With respect to FDA Title 21 CFR Part11/Annex 11 compliance noted above, what GMP workstation protections are in place?

A: We have four layers of data integrity security controls for GMP workstation. The outermost layer includes controls to limit physical area access to authorized and qualified employees. The next layer of controls are physical impediments, such as USB locks and lock-in-place USB and LAN. The third layer are the logical controls, including Windows group policy and locked Windows build. The innermost layer comprises the application controls, including role-based security, privilege restriction, and qualification following data integrity assessment.

Q: What are some of the key cybersecurity and data protection safeguards in place across sites, including the Hangzhou facility?

A: The foundation is a secure infrastructure, including a secure data center with optimal access, power supply, and environmental protections; a qualified manufacturing server with redundance and load balancing, data hosted in local servers, and role-based access restrictions; and a qualified COR and manufacturing networking to enable data transfer.

Additionally, we utilize industry standard toolsets for patching management and antivirus and threat protection, secure remote access, and continuous threat detection.

Finally, we have a robust and highly detailed data classification and handling policy for data protection that provides very clear guidance on handling different classes of data.

Q: Are data from manufacturing projects at the Hangzhou site stored locally in China or can it be hosted outside of China?

A: China has specific regulations around how and where data collected in China should be stored and transferred based on its potential impact on Chinese national security. We conducted hosted assessments to ensure compliance with applicable laws and regulations in China and determine that U.S.-based servers can host the data.

Q: The Hangzhou site was established in collaboration with a Chinese company. Does this in any way change the protections that are in place?

A: The Hangzhou site is a joint venture with China-based bio-innovation firm Innoforce Pharmaceuticals, which is a private corporation. Thermo Fisher has full control of the internal processes and systems at the site. The employees at the facility are Thermo Fisher employees and Thermo Fisher is responsible for all hiring decisions at the site. This ensures we are able to implement the established global protections locally, not only at the Hangzhou site but across other sites in China. Although the Hangzhou site is new, Thermo Fisher has been doing business in China for more than 40 years and has been able to successfully apply its global standards and policies to the regional sites through our One Thermo Fisher, One Quality Standard approach.