How to manage Data Privacy in Clinical Trials

The clinical trials sector is one with complex and robust procedures, which organisations must account for from the onset. Moreso, such procedures remain applicable throughout the project’s lifecycle and extend to post-market authorization of the drug. Since the adoption of the European General Data Protection Regulation (the “GDPR”), the procedures have doublefolded and data protection obligations are now under the scrutiny of the supervisory authorities.

Furthermore, such obligations will not be limited solely to organisations established in the EU. For example, conducting clinical trials within the EU/EEA is considered as ‘monitoring of data subjects’ behaviour’. This means even if a Sponsor is located outside the EU/EEA, they may still fall the GDPR’s scope by virtue of Article 3(2). Therefore, said Sponsor would still be subject to the rigorous obligations set forth within the GDPR. The same can be said for Sponsors with sites in the U.K; where the level of data protection within national legislation is essentially equivalent to that within the GDPR. Let’s now delve into the myriad of data protection considerations when conducting clinical trials in the EU/EEA or the U.K.

The initial alignment Sponsors must implement is the role qualification between all Parites involved within the study. This includes inter alia, the Sponsors themselves, the hospitals/sites, Clinical Research Organisations and other vendors. This is a key initial step as, depending on the outcome, different contracts need to be entered into with the respective vendor; each of which with their own differing rights and obligations.

Sponsors will always be considered as the Data Controller, as they are the entity which define the purpose (‘how’) and means (‘why’) of the Processing through drafting the study protocol, funding the clinical trial and supporting activities. In tandem, the sites are typically considered as Data Processors, unless national specificities dictate otherwise. Therefore, there should be Controller-Processor agreement between these Parties, either as part of the Clinical Trial Agreement or separately executed. Following the GDPR’s principle of ‘accountability’, it is the Sponsor’s responsibility to enter into and maintain thie aforementioned agreement.

Another core principle imposed on Data Controllers is that of ‘lawfulness of processing’. The GDPR provides six (6) legal bases, upon which Processing of Personal Data will be considered ‘lawful’. Contrarily, Data Controllers who fail to utilise one of these shall be in breach of the GDPR.

As previously mentioned, there is also lack of national harmonization regarding the appropriate legal basis to utilise. For example, Italian Supervisory Authorities require ‘consent’ as a legal basis to Process clinical data concerning study participants. Conversely, other juridictions require ‘legitimate interest’ as a legal basis for the same Processing or even ‘legal obligation’ in Spain’s case.

Given the globalized nature of clinical trials, it is commonplace for Sponsors, CROs, sites, etc. to be established across multiple jurisdictions. While this may be optimal from an operational standpoint, this entails certain data protection risks (both material and residual). Data protection risks stems from different jurisdictions implementing the GDPR with slight nuances. In turn, this rattles the equilibrium sought after by the GDPR as a ‘Regulation’. For example, when transferring Personal Data outside of the EU/EEA, the transfer must be framed in alignment with the ‘appropriate safeguards’ provided within the GDPR.

For example, certain countries are deemed as offering an adequate level of data protection by the European Commission and Sponsors avail themselves from the adequacy decision. Where this is not the case, the Standard Contractual Clauses (“SCCs”) should be implemented, as these include certain obligations on the receiving party (within a third-country jurisdiction) which raises the proverbial ‘data protection bar’.

Considering the above, Sponsors should analyse the various options from a business continuity and risk perspective, while accounting for the various obligations imposed by the GDPR.

The GDPR mandates conducting a Data Protection Impact Assessment (“DPIA”) when Processing health, genetic or biometric data on a ‘large scale’. That said, the GDPR does not define the constitution of ‘large scale’, however, guidelines issued by relevant supervisory authorities provide a certain degree of clarity. Some parametrs include the amount of data-sets collected, geographical reach, temporal elements such as the permenance of Personal Data and also the amount of patients enrolled in a given study.

As with other obligations, the Sponsor is obliged to conclude the DPIA prior to the first patient-in. Moreso, the GDPR outlines the minimum requirements that DPIA should includem but does not concretely guide its implementation.

Similarly to the DPIA, the GDPR obliges the Controller to also assign a Data Protection Officer (DPO) when Processing special categories of Personal Data on a ‘large scale’. Article 39 GDPR imposes certain obligations on the DPO. Such functions include inter alia, monitoring GDPR compliance, raising privacy awareness, advising on data breach evaluations, assisting with DPIAs, cooperating and communicating with Data Protection Authorities (DPAs) and acting as a point of contact for data subjects. In this regard, the Sponsor must ensure the appropriate delegation notification to the competent supervisory authorities, including where the site is based.

A vital, yet often overlooked, requirement is the establishment of Records of Processing Activities (ROPAs). Data Controllers are obliged to compile, maintain and ensure the accuracy of their ROPAs. The ROPA is a register of the activities involing the processing of personal data and will typically be top priority for supervisory authorities should they conduct an inspecting.

Populating ROPAs sufficiently to include all mandatory information can prove tedious. The complexity is only exacerbated when one considereds the multi-jurisdicitonal nature of Parties and the continuous flow of Personal Data – particularly where transfers outside the EU/EEA are involved.

‘Personal Data Breaches’ (as defined within the GDPR) typically constitute one of the highest risks to organisations, as they have no control over an asaliant’s determination to attack their systems. That said, one of the more commonplace forms of data-breaches is when individual employees mistakenly send confidential e-mail correspondence to incorrect respondents (typically containing multiple fields of Personal Data). In this regard, organisations do have a certain degree of control such as internal trainings of validation processes.

Where organisations notice they have suffered from a  Pesonal Data Breach, the initial action should be to conduct a risk-assessment to objectively quantify the level of right which may be imparted onto Data Subjects’ rights and freedoms. Should this result in a ‘high’ risk scenario, organisations are obliged to notify the relevant supervisory authority within seventy-two (72) hours from when they became aware of the Personal Data Breach. This should include important relevant information to the breach and be accompanied by any mitigation measures implemented. Hence, companies should establish appropriate procedures and roles, before initiating their Processing activities. The aim of these measures are to mitigate the adverse affects and risks which organisations face when encoutring Personal Data Breaches, which extend to complaints, fines and reputational damage.

A clinical trial cannot be performed without vendors assisting with the multitude of tasks, regulatory requirements, procedures and submissions. As Data Controller, the Sponsor is obliged to only engage Data Processors who offer a sufficient level of data protection and adequate guarantess (be they technical, organizational or contractual). One such way a Sponsor can achieve this goal is through conducting a ‘vendor assessment’ prior to their engagement. The aim here is to very said vendor’s data protection compliance and highlight any security measures/guarantess in place.