Clinical Trials and the GDPR: 10 Steps, Part 1 Posted by Clare on 02 June 2017


May and October 2018 will be important months for companies involved in Clinical Trials. The new Clinical Trials Regulation (CTR) EU No 536/2014 becomes fully operational in October 2018 when the EMA introduces the new EU portal and EU database. This system intends to simplify and harmonise procedures for the authorisation, assessment and supervision of Clinical Trials. Conveniently and identically to the Clinical Trials legislation that was adopted in 2014 as a Regulation, the new Data Protection Legislation in Europe, known as the GDPR (General Data Protection Regulation), will also take the form of a Regulation.  However, unlike the Clinical Trials Regulation, there will not be the same transitional period, the GDPR will be enforced from 25 May 2018, which means an organisation can be fined from this date for non compliance with the new provisions.

What is promising to be the most aggressive piece of legislation to hit businesses in decades, the GDPR is also promising to greatly enhance the patient experience with new provisions such as changes in Explicit Consent and easy withdrawal of same; the Subject Access Request (SAR) timeline being reduced to 30 days; and the introduction of the Right to be Forgotten. The GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant Data Controllers; therefore, the GDPR requires companies based anywhere in the world that are handling EU citizens’ data to act now.

Organisations that are already familiar with the pharmaceutical industry and Health and Safety legislation will see a number of themes in the GDPR that will be recognisable, such as Risk Management, privacy by design (similar to quality by design), a requirement to maintain evidence of compliance, increased responsibilities for 3rd parties and restrictions on transfers of personal data to destinations outside the EEA. 

Organisations that are shortly about to begin a Clinical Trial that is likely to extend beyond 25 May 2018, need to know what will have changed by then in the legislation on Data Protection. Below are some considerations directly applicable to Clinical Trials that should be considered.

1. Privacy by Design: Just like ICH Q8 Pharmaceutical Development introduced Quality by Design (QbD), the GDPR introduces Privacy By Design (PbD) whereby organisations must consider the implications for Privacy at the Design Stage of development. Organisations are encouraged to consider Privacy in the design of their Clinical Trial, such as, when building the IT system by which personal data will be shared, robust procedures and training that’s is specific to data protection that are built into your protocol; privacy considerations at Patient Recruitment stage; and defining early on how the data will be processed, not to mention the consent form which will set out what you intend to do with the data. 

2. Consent: Consent remains a lawful basis for processing personal data under the GDPR; however, the most significant changes to consent that have direct implications on Clinical Trials include:

The consent form should state specifically how the data will be processed, whether it will be transferred to a third party, provide notification that they can withdraw their consent at any time, and that if there are any changes in circumstances outlined in this form, they will be contacted prior to such change being implemented. 

We are still waiting on GDPR Consent Guidance which should arise out of recent consultations with Supervisory Authorities in Europe; in the mean time, the Commissioner has released a very helpful document ‘The GDPR and You’, refer to page 8 for details on Consent: https://www.dataprotection.ie/docimages/documents/The%20GDPR%20and%20You.pdf 

3. Pseudonymisation: Typically, anonymising data involved permanently replacing one unique attribute in a record with another. If the personal data has not been irreversibly anonymised, the natural person could potentially be identified   When such data is shared with a third party who is not authorised to process the personal data of your patients, can the Sponsor say for certain that the patient can’t be identified by the third party? 

"Anonymisation of data means processing it with the aim of irreversibly preventing the identification of the individual to whom it relates”. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available.  Identification in this instance refers to the possibility of identifying the patient by singling out, link-ability and inference.

According to the GDPR, "Pseudonymisation of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified”. This provides limited protection as the patient could potentially be indirectly identified.

The two terms should be distinguished in your protocol as the latter only provides limited protection against identifying the patient whereas the former irreversibly prevents the patient from being identified. A decision will need to be made by the Data Controller (likely to be the Sponsor of the Clinical Trial) as to when it is appropriate to anonymise and when it is appropriate to pseudonymise. Consider this in your Risk Register.

When patient data has been anonymised, this offers maximum protection to the privacy of the patient as the data is no longer considered to be personal data; therefore, the Data Controller is not subject to the rules set out in the GDPR. 

Even when data has been anonymised you must give consideration to the use of the data versus the expectations of the patients whose data is involved. 
For more information, click https://www.dataprotection.ie/docs/Anonymisation-and-pseudonymisation/1594.htm

So, when you are mapping out your process from start to finish and considering the risks at each stage, consider whether the data could be anonymised or pseudonymised. If it is only pseudonymised, is this absolutely necessary? And even if data is anonymised, other obligations still apply. If data is essentially pseudonymised when being shared with 3rd parties, you will need a Data Processor Agreement in place, which bring us onto our next consideration…

4. Engaging Data Processors: The line between Sponsor’s responsibilities and Contract Research Organisations (CRO’s) responsibilities can sometimes be a blurred one. Where you are sharing personal data with a 3rd party that absolutely cannot be anonymised, then, you will need to establish which parties are the Data Controllers and which are the Data Processors. This relationship should be clearly spelt out in a Data Processor Agreement (DPA) prior to the sharing of any data. In terms of the GDPR, the Sponsor is generally the Data Controller and the CRO or any third party who processes personal data on behalf of the Data Controller, is generally the Data Processor.

There are a number of circumstances where a DPA is required that you may not have thought about as some are less obvious. If a third party could potentially gain access to personal or even sensitive personal data (whether or not they are required to as part of their service) then they are considered to be Data Processors and a DPA should be in place. An example of this is a hosting service, does the hosting service have access to your data databases? Again, we recommend that you consider a risk based approach, where the level of detail in the DPA will commensurate with risk.  

Just like you verify the Quality Management Systems of 3rd parties to guarantee quality meets the requirements of the relevant legislation, so too, you must guarantee that the data protection practices of the 3rd party meets the requirements of relevant legislation.  Article 28 calls this out “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”. Have you considered whether your 3rd parties are GDPR ready? 

So, what else is new with Data Processors? 
Under the GDPR, Data Processors are now going to be subject to liability for failure to comply with their contractual obligations to their Data Controllers. Prior to the GDPR, they were not liable to such direct action by Supervisory Authorities. Data Subjects (patients) will also be able to take action against Data Processors if they have suffered damage as a result of an infringement of the Data Processors obligations. So, potentially, Data Processors could be liable to the Data Controller and the Data Subject. Are your 3rd parties aware of their new responsibilities, more importantly from a Sponsors point of view, do your 3rd parties have the capacity to honour such responsibility particularly if they are a small organisation or operate outside of the EEA. 

Consider if any of the parties involved in the Clinical Trial fall into the newly created category, the Joint Controller and what contract must be in place accordingly. Article 26 states “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”. This may be relevant, for example, where two organisations are jointly sponsoring a Clinical Trial.

Mirroring the legislation in pharma, notably, Volume 4, Chapter 7 of the Eudralex on Outsourced Activities where the Contract Acceptor now has responsibilities, so too does the Data Processor acquire a similar level of responsibility. Just like Chapter 7 Outsourced Activities, a written contract must be drawn up between the 2 parties prior to the sharing of assets, in this case, personal data. The GDPR stipulates a number of new requirements and responsibilities for the contract. There are a number of specific requirements including: that the personal data is processed only on documented instructions from the Controller, and requirements to assist the Controller in complying with many of its obligations. For more information click here: http://www.sytorus.com/Blog/Article/75/suggested-clauses-for-the-data-processor-contract.

The Commissioner has released a document ‘The GDPR and You’ that gives a high-level introduction to the main concepts and steps required to be taken before May 2018. To view this document, click: https://www.dataprotection.ie/docimages/documents/The%20GDPR%20and%20You.pdf

We will continue with Part 2 soon.