Are you GDPR ready for the new clinical trial regulation?
February 14, 2022
The European Clinical Trial Regulation (CTR) (Regulation EU No 536/2014) has finally entered into force on 31st January 2022. The CTR replaces the Clinical Trials Directive 2001/20/EC and will hopefully harmonise the registration, assessment, and supervision processes for clinical trials throughout the EU via the Clinical Trial Information System (CTIS).
Even though the CTR implements a very strict legal framework, the GDPR applies on top of it. Indeed, Article 93 of the CTR provides that “Member States shall apply Directive 95/46/EC [now repealed by the GDPR] to the processing of personal data carried out in the Member States pursuant to this Regulation”.
Even if the CTR becomes applicable as of 31st January 2022, it has a threefold transition period:
- As of 31st of January 2022 up to 30th of January 2023 sponsors may choose to submit a new clinical trial as per CTR (through the EU portal) or under the old regime. This choice exists also for amendments to previously submitted trials;
- As of 31st of January 2023 all new trials shall be submitted as per CTR through the CT portal; amendments to the previously submitted trials can only be submitted as per CTR through the CT portal and, on this occasion, trials need to be compliant with the CTR requirements;
- By the 30th of January 2025 at the latest, all trials not yet completed shall be converted to CTR requirements.
The transitioned clinical trial will be governed by the Clinical Trials Regulation from the moment of its (tacit) approval under the Regulation. From this time point on, all requirements of the Regulation will apply (e.g., obligations of notification, safety reporting rules, archiving requirements as well as the procedural rules of the Regulation for requesting substantial modification, addition of a Member State).
In other words, all trials which are planned to be completed (overall, not just the end of recruitment) later than the end of January next year may have to comply with the new rules, at least towards their end.
What shall you prepare from the GDPR perspective?
1. GDPR in the clinical trial protocol
According to CTR 2014 annex 1.D, a section containing GDPR-related elements is now required. This section must describe:
- Annex 1D.17ak: “a description of the arrangements to comply with the applicable rules on the protection of personal data; in particular organizational and technical arrangements that will be implemented to avoid unauthorised access, disclosure, dissemination, alteration or loss of information and personal data processed”;
- Annex 1D.17al: “a description of measures that will be implemented to ensure confidentiality of records and personal data of subjects”;
- Annex 1D.17am: “a description of measures that will be implemented in case of data security breach in order to mitigate the possible adverse effects”.
This section implies that you are GDPR compliant and ready for inspection and audit. As the GDPR interplays with CTR 2014, the health authorities’ inspectors will certainly consider GDPR compliance during the inspection. MDT can support its clients in drafting this section or help to develop the client’s own template.
2. Transparency versus GDPR confidentiality
The clinical trial Regulation (EU) No 536/2014 aims to increase transparency and availability of information on clinical trials through the EU clinical trial portal and database. Article 81 (4) of the Regulation states that the (information in the) EU database shall be publicly available unless one or more exceptions apply (e.g., in order to protect personal data or commercially confidential information).
A specific document was developed to give more insight into the application of the disclosure rules.
Documents submitted by the sponsor in the application dossier for the transition of a clinical trial to the Clinical Trials Regulation will fall under the transparency requirements, as any other application dossier, and will be made publicly available.
The documents issued under the clinical trials Directive, which were not destined to be made public initially, will not fall retroactively under the transparency requirements (e.g., inspection reports, notifications).
Clinical trials that were initially started under the Directive and transition to the Regulation have to comply with all the obligations of the Regulation, e.g., the publication of the summary of results, notifications and, if applicable, the Clinical Study Report (CSR).
Of note, all the documents above may contain personal data, pseudonymous patients’ data and staff data.
Henceforth, sponsors need to ensure that documents subject to the transparency rule do not contain personal data. Where this is not possible, the sponsor must have a robust redacting system to ensure that no personal data are released into the public domain.
Specifically, avoid leaving patient narratives in these documents!
Not all parts of CTIS are accessible to the public. By default, the first version of a document uploaded to CTIS will be considered for publication and must not contain personal data (by design or redacted). A second version of a document (not intended for publication) may be uploaded in the CTIS secure module and may contain more information.
Aside from the need for redaction of publicly available documents, Sponsors must ensure that non-publicly available sections contain only pseudonymized data of subjects participating in clinical trials.
Personal data of trial stakeholders may be submitted to the portal (PI Name, CV). Other stakeholders’ personal data (Pharmacist, Study Coordinator) may only be stored and accessed in the CTIS secure module.
3. Any new documents needed before submission of the application dossier?
The list of documents to be provided by the Sponsor (part I and II) is available online.
Below are a couple that interplay with GDPR:
- Sponsor statement to confirm that collection and processing during the clinical trials is done in full compliance with the GDPR.
- ICFs (with GDPR compliant data protection section)
Last but not least, for each PI, a CV and a declaration of interests have to be submitted using the EU CV Template. These will obviously contain personal data, and on purpose! So, you shall ensure that CVs do not contain too much data, such as home address or family composition. Also, the legal basis for this is obviously not consent, as this is mandated by the CTR.
4. What are the GDPR Sponsor obligations when processing Data in CTIS?
The EMA, the European Commission, Member States, clinical trial sponsors and Marketing Authorization Holders are considered joint controllers regarding the personal data they submit or manage in CTIS. Even if each of them is governed by a specific law (GDPR or EUDPR), they share responsibilities regarding the personal data in CTIS. However, the EMA won’t be responsible for personal data submitted to CTIS even if they have the power to remove or amend information displayed on the public web site upon request and under justified grounds.
The Sponsor remains responsible for ensuring GDPR compliance of all documents uploaded by them or on their behalf.
5. What is the legal ground for processing activities under the CTIS?
Processing personal data in CTIS is justified on public interest grounds, as the data published in CTIS will serve public interest objectives.
Sponsors have a legal obligation to process personal data when submitting applications or reporting activities for ongoing and completed clinical trials.
6. What about safety assessment?
Safety reporting falls under either the Clinical Trials Regulation (EU) No 536/2014 or the provisions on pharmacovigilance (Directive 2001/83/EC or Regulation (EU) No 726/2004), not under both. The safety database module in clinical trials is a module of the EudraVigilance database.
When reporting SUSARs (Suspected Unexpected Serious Adverse Reaction) pay attention to the narrative section which may contain a lot of information allowing the readers in EudraVigilance to recognize a patient even if the data are coded.
Furthermore, the Annual Safety Report shall only contain aggregate data without Subject ID.
The agency will, by electronic means, forward the safety information reported to the Member States concerned.
Should authorities decide to investigate a specific SAR/SUSAR and ask for information or data which can be found in the patient’s file, the sponsor and/or investigator must be able to assist this investigation without revealing the subject ID, thus anonymizing the data in the ASRs/SUSARs for the authorities (in the sense of Recital 26 of the GDPR) in the context of safety reporting under the CTR, as long as the subject ID is not included in line listings and not provided to authorities.
As such, the anonymity of line listings is not guaranteed and depends on the type and amount of data elements in such a listing. More data elements and more unique data elements (such as dates) make the listing easier to potentially re-identify even without the patient ID. However, CTIS may become a catalyst of the discussion about data anonymity and GDPR.
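The effect described above, where each additional data element makes a line listing easier to re-identify even without the subject ID, can be measured before a listing leaves the sponsor. The following Python sketch is an added example, not part of the original article; the column names and rows are constructed, and k-anonymity is used as one common measure, not one that the CTR or the article prescribes.

```python
from collections import Counter

# Constructed line listing (not real trial data); the subject ID is already removed.
LISTING = [
    {"country": "FR", "sex": "F", "age_band": "60-69", "onset": "2022-03-04"},
    {"country": "FR", "sex": "F", "age_band": "60-69", "onset": "2022-03-19"},
    {"country": "FR", "sex": "M", "age_band": "50-59", "onset": "2022-04-02"},
    {"country": "FR", "sex": "M", "age_band": "50-59", "onset": "2022-05-11"},
    {"country": "DE", "sex": "F", "age_band": "60-69", "onset": "2022-03-27"},
    {"country": "DE", "sex": "F", "age_band": "70-79", "onset": "2022-06-08"},
]


def class_sizes(rows, columns):
    """Count how many rows share the same combination of values on `columns`."""
    return Counter(tuple(row[c] for c in columns) for row in rows)


def k_anonymity(rows, columns):
    """Size of the smallest group; k == 1 means at least one row is unique."""
    return min(class_sizes(rows, columns).values())


def unique_fraction(rows, columns):
    """Share of rows that are the only one with their combination of values."""
    sizes = class_sizes(rows, columns)
    singletons = sum(1 for row in rows
                     if sizes[tuple(row[c] for c in columns)] == 1)
    return singletons / len(rows)


def risk_by_column_set(rows, ordered_columns):
    """Re-evaluate the listing as each further data element is added to it."""
    report = []
    for i in range(1, len(ordered_columns) + 1):
        cols = ordered_columns[:i]
        report.append((cols, k_anonymity(rows, cols), unique_fraction(rows, cols)))
    return report


if __name__ == "__main__":
    for cols, k, frac in risk_by_column_set(
            LISTING, ["country", "sex", "age_band", "onset"]):
        print(f"{'+'.join(cols):32} k={k} unique rows={frac:.0%}")
```

In this constructed listing, country and sex alone leave every row in a group of two, the age band isolates two rows, and the onset date makes every row unique.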