Guideline on good pharmacovigilance practices (GVP) Module VI Addendum II on masking of personal data in individual case safety reports (ICSR) submitted to EudraVigilance (EV) was published on 22nd of July 2025 and it became effective on 25th of July 2025. 

As part of finalization of the document the EudraVigilance Expert Working Group (EV-EWG) was consulted with. It is part of the EudraVigilance Expert Working Group’s Work Program for 2025 – 2026 to provide expert advice on best practices related to personal data protection in relation to pharmacovigilance and to contribute to the deliverables of the EMA/Member States Pharmacovigilance Business Team in relation to development and updates of GVP modules, particularly in relation to Module VI Management and reporting of ADRs and Module IX Signal Management.

Addendum to GVP Module VI provides instructions to complement Section VI.C.6.2.2.10. on data protection laws. These instructions form an integral part of the guidance in GVP Module VI.

Addendum Background

Why was the GVP Module VI amended?

Why do these fields have to be masked now?

EudraVigilance was audited by the European Data Protection Supervisor (EDPS), European Union’s (EU) independent data protection authority.

One of the outcomes of the audit was that the EDPS recommended to EMA and the joint controllers (European Commission and competent authorities in Member States) a common masking policy that would be complied with by all entities reporting to EudraVigilance.

The executive summary of the audit report states:

GVP Module VI on data protection laws – VI.C.6.2.2.10.

What does the guideline say about data protection?

Where in accordance with the applicable national legislation, the patient’s direct identifiers cannot be transferred to the EudraVigilance database, pseudonymisation may be applied by the competent authority in the Member State and by the marketing authorisation holder, thereby replacing identifiable personal data such as name and address with pseudonyms or key codes, for example in accordance with the ISO Technical Specification DD ISO/TS 25237:2008, Health informatics – Pseudonymization [IR Recital 17].

The application of pseudonymisation will facilitate the ability of the EudraVigilance system to adequately support case processing and detect duplicates. Alternatively where pseudonymisation is not feasible, the following may be applied in line with ICH-E2B:

Pseudonymisation or the use of the nullFlavor ‘MSK’ should be applied without impairing the information flow in the EudraVigilance database and the interpretation and evaluation of safety data relevant for the protection of public health; given the high-level nature of the information, data elements such as patient’s age, age group and gender should in principle be kept un-redacted/visible.

Addendum II – What should be masked now?

What is in the addendum?

According to the addendum, all ICH E2B R3 data elements were assessed to determine if the information in the data elements is required in support of the pharmacovigilance and safety monitoring obligations set out in the EU pharmaceutical legislation.

Specifically the assessment took into account the relevant obligations placed on the EMA, national competent authorities and the Pharmacovigilance Risk Assessment Committee (PRAC). Requirements to process ICSRs and to ensure adequate quality of the ICSRs were also reviewed.

The addendum specifies that all senders of ICSRs to EV are expected to comply with the instructions, and the data fields to be masked or not to be provided should not go beyond the data fields described in the document.

The 13 Masked Data Elements

The 13 data elements in Table VI.Add.II.1 of the addendum are fields that should always be masked by the sender when submitting ICSRs to EudraVigilance. These fields are not required for signal management, duplicate detection, or ICSR processing. The data fields to be masked or not to be provided should not go beyond the data fields described here.

These data elements should therefore be set with the nullFlavour MSK, provided that data are available to the sender. Other nullFlavours may be applicable when the data is not available to the sender (e.g. ASKU, NASK, UNK) and should be used accordingly. Alternatively, the field(s) can be left blank.

The 11 Data Elements to be Left Blank

The 11 data elements provided in Table VI.Add.II.2. are also not necessary for signal management, duplicate detection or ICSR processing. Since the use of nullFlavors is not supported by the ICH E2B R3, the 11 data elements should be left blank when submitting ICSRs to EudraVigilance.

Data Elements That May Contain Personal Data and Are Required for Pharmacovigilance Processes

The data elements provided in Table VI.Add.II.3. may contain personal identifiers or quasi-identifiers and are required for signal management, duplicate detection and ICSR processing. When available, data related to these data elements should not be masked or not to be left blank.

This third list of elements contains in total 185 fields from all sections of the E2B R3 report format, except the N section that contains technical system values.

Data Elements That do not Contain Personal Data and Are Required for Pharmacovigilance Processes

The data elements provided in Table VI.Add.II.4. do not contain personal identifiers or quasi-identifiers and are required for signal management, duplicate detection and ICSR processing. When available, data related to these data elements should not be masked and not be left blank.

This fourth list contains 73 fields from all sections of the E2B R3 report format.

No Changes to EV Business Rules or to the ICSR Implementation Guide

It is stated in the addendum that the instructions in the new document do not change the current EudraVigilance Business Rules, therefore there is no impact on the electronic submission process of ICSRs and related safety messages. The EU Individual Case Safety Report Implementation Guide does also not require to be changed and remains applicable.

Already submitted ICSR XMLs will remain as they are

The addendum states that “XML files of ICSRs submitted by senders will be preserved in their original form by the EMA for regulatory and audit purposes” but it also states “for legacy data held in EudraVigilance related to these 13 / 11 data elements, the Agency will mask / delete the data”. 

Access to these submissions is restricted to a limited number of authorized EMA staff members who can make the XML files available to national competent authorities for the purpose of inspections of sponsors of clinical trials, marketing authorization applicants and marketing authorization holders.

Purposes of personal data processing

The processing of personal data is necessary for pharmacovigilance activities as mandated by several EU regulations. These activities include monitoring of data in EudraVigilance, safety assessment of clinical trials, and signal management.

ICSRs contain personal data of patients and the primary source of the report. This data is pseudonymised and can be in both structured and unstructured formats. The personal data is stored within the EudraVigilance system.

Access to ICSRs with pseudonymised personal data is restricted to registered users of the EudraVigilance system and is protected by multi-factor authentication (MFA). Users who can access the data, depending on their roles and permissions, include safety officers in the regulatory authorities, marketing authorization holders, and clinical trial sponsors.

What if unmasked data is sent accidentally?

If unmasked data is submitted to EV, the EMA will not make the unmasked data available to the EV users.