May 2023 marks five years since the General Data Protection Regulation, better known as "GDPR", became applicable, and its requirements still pose a number of challenges for organizations. On one hand, this is because GDPR compliance is not a "one-time exercise" but a continuous process "from within", which has to be kept in step with all other activities in the organization. On the other hand, companies must also take into consideration innovations "from the outside", including new regulations and technologies, and address the data protection risks they bring in good time.
Did you know that the word "risk" is used 76 times in the GDPR? The risk to an organization is greater the larger the data sets it processes, especially if data is "sensitive", i.e. a special category of personal data. These include, for example, health data processed in clinical trials.
In the field of clinical trials, Regulation (EU) 536/2014 on clinical trials on medicinal products for human use (the "Clinical Trials Regulation") became applicable in early 2022, and its provisions interact closely with the rules of the GDPR. How do the two regulations relate to each other? Both the European Commission ("EC") and the European Data Protection Board ("EDPB") have addressed this question. They also guide the parties involved in the trials (sponsor, clinical trial site, principal investigator, etc.) on the legal basis for processing patients' personal data in different scenarios.
Patient protection in clinical trials
Both the Clinical Trials Regulation and the GDPR aim to strengthen the protection of patients' rights, but from different perspectives. The Clinical Trials Regulation aims to obtain reliable and robust data in the clinical trial while protecting the rights, safety, dignity and well-being of the individuals taking part. The GDPR, on the other hand, ensures the protection of their personal data.
In the Clinical Trials Regulation, one of the central issues is the patient's informed consent, with which they freely and voluntarily express their willingness to participate, after being informed in detail about all aspects of the clinical trial. This consent is a condition for inclusion in a clinical trial, but it should not be confused with consent as a legal basis for processing personal data within the meaning of the GDPR, which is not always necessary because the data may be processed on another basis (e.g. a legal obligation).
On what grounds is patient data processed?
The European Commission divides the processing operations carried out in the course of a clinical trial into two groups: primary use and secondary use of the data.
Primary use refers to the processing of data in relation to a specific clinical trial protocol during its whole lifecycle, from the start of the trial to deletion at the end of the archiving period. The legal basis for this processing is most often a legal obligation (e.g. reporting, archiving, disclosure, etc.) or a task carried out in the public interest in the area of public health. Because health data are a special category of personal data, an additional condition under Article 9(2) GDPR (e.g. public interest in the area of public health) must also be met alongside the Article 6 basis.
For the secondary use of clinical trial data outside the clinical trial protocol for scientific purposes, it is possible to rely on the compatibility of purposes (further processing for scientific research purposes is presumed compatible under Article 5(1)(b) GDPR) rather than to seek a new legal basis. Other options are consent, public interest or legitimate interest.
If consent under the GDPR needs to be collected, it is advisable to have it on a form separate from the informed consent under the Clinical Trials Regulation, in order to make it clear to the patient that these are two different documents that can be withdrawn at different times and with different consequences for the clinical trial activities.
In general, the data of patients in a clinical trial are "coded" (i.e. pseudonymised) as a protective measure: direct identifiers are replaced by a subject code, and the list linking codes to patients is kept separately, usually by the investigator. Such data nevertheless remain personal data, because whoever holds the coding list (or can otherwise obtain it) can identify the patient again, and the GDPR therefore continues to apply to them.
In some cases, patient data are anonymised (i.e. the patient can no longer be identified by any reasonably likely means) and therefore no longer constitute personal data. The GDPR does not apply to the processing of such anonymous information, including for statistical or research purposes. Whether a data set is truly anonymous is a matter of fact, not of labelling: removing names is not enough if the remaining attributes (date of birth, postcode, rare diagnosis) still single out an individual.
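To make the difference between "coded" and anonymised data concrete, the following added example (illustration only, not part of the original article or of any regulator's guidance) builds a tiny constructed enrolment list and shows both treatments: pseudonymisation with a keyed subject code and a separately held link table, which allows the key holder to re-identify a record, and anonymisation by dropping direct identifiers, generalising quasi-identifiers and suppressing rows that fewer than k subjects share. The names, values, key and thresholds are all hypothetical.

```python
"""Pseudonymised vs anonymised clinical-trial records (added illustration, not from the article)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample enrolment list: hypothetical names and values, not real patients.
PATIENTS = [
    {"name": "Ana Petrova", "dob": "1971-03-02", "postcode": "1000", "sex": "F", "hba1c": 7.1},
    {"name": "Boris Ivanov", "dob": "1968-11-20", "postcode": "1004", "sex": "M", "hba1c": 6.4},
    {"name": "Cvetan Dimitrov", "dob": "1975-07-15", "postcode": "1008", "sex": "M", "hba1c": 8.2},
    {"name": "Dana Koleva", "dob": "1979-01-30", "postcode": "4000", "sex": "F", "hba1c": 5.9},
    {"name": "Elena Stoyanova", "dob": "1972-09-09", "postcode": "1002", "sex": "F", "hba1c": 6.8},
]

# Assumed setup: the coding key stays with the trial site; the sponsor gets coded records only.
SITE_KEY = b"site-secret-coding-key-demo"  # constructed demo value; use a random secret in practice

DIRECT_IDENTIFIERS = ("name", "dob")
QUASI_IDENTIFIERS = ("birth_decade", "postcode_area", "sex")


def subject_code(key: bytes, name: str, dob: str) -> str:
    """Stable subject code: a keyed hash, so the same patient gets the same code at every visit,
    while nobody without the key can recompute the code from name and date of birth."""
    mac = hmac.new(key, f"{name}|{dob}".encode(), hashlib.sha256).hexdigest()
    return "SUBJ-" + mac[:10].upper()


def pseudonymise(records, key: bytes):
    """Replace direct identifiers by a subject code. Returns (coded_records, link_table).
    The link table is exactly what keeps coded data 'personal': its holder can re-identify."""
    coded, link = [], {}
    for r in records:
        code = subject_code(key, r["name"], r["dob"])
        link[code] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        coded.append({"subject_id": code,
                      **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return coded, link


def reidentify(coded_record, link):
    """What the key holder (or an attacker who obtains the link table) can do with a coded record."""
    return link.get(coded_record["subject_id"])


def generalise(r):
    """Coarsen quasi-identifiers: exact date of birth -> birth decade, full postcode -> area."""
    return {"birth_decade": r["dob"][:3] + "0s", "postcode_area": r["postcode"][:2],
            "sex": r["sex"], "hba1c": r["hba1c"]}


def smallest_group(rows, quasi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class on the quasi-identifiers (the k of k-anonymity)."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(counts.values()) if counts else 0


def anonymise(records, k: int = 2):
    """Drop direct identifiers, generalise quasi-identifiers, and suppress every row whose
    quasi-identifier combination is shared by fewer than k subjects."""
    rows = [generalise(r) for r in records]
    counts = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)
    return [r for r in rows if counts[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]


if __name__ == "__main__":
    coded, link = pseudonymise(PATIENTS, SITE_KEY)
    print("coded record as the sponsor sees it:", coded[0])
    print("re-identified with the site's link table:", reidentify(coded[0], link))
    anon = anonymise(PATIENTS, k=2)
    print(f"anonymised rows kept: {len(anon)} of {len(PATIENTS)}; smallest group = {smallest_group(anon)}")
```

On the constructed list, the coded records carry no name or date of birth, yet a single dictionary lookup in the link table restores them, which is why such data still fall under the GDPR. The anonymised version keeps only two of the five rows at k=2, because the other three subjects are unique on decade, postcode area and sex even after generalisation. k-anonymity on a hand-picked set of quasi-identifiers is a minimal check, not a proof of anonymity: a rare diagnosis or a linkage with an external data set can still single someone out, and that residual risk is what an anonymisation assessment has to weigh.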
What are the roles and responsibilities of the parties involved?
Another issue for discussion, which in practice often gives rise to lengthy negotiations, is that of the roles of the parties involved in clinical trials within the meaning of the GDPR, namely whether they are controllers, processors or joint controllers. The allocation of these roles matters because it determines the responsibilities each party has towards patients. In Bulgaria, the Commission for Personal Data Protection has accepted that the sponsor and the medical institution are joint controllers, i.e. jointly responsible for the lawful processing of patient data.
According to the guidance of the EDPB, the sponsor and the investigator may be joint controllers, or controller and processor, depending on the circumstances of the particular trial.
Practical guidelines on the protection of personal data in clinical trials
The GDPR imposes numerous obligations on controllers and processors that apply to all data processing activities, including informing data subjects, keeping records of processing activities, implementing appropriate technical and organizational security measures, reporting personal data breaches, etc. In the context of clinical trials, the specific rules of that field must also be taken into consideration. For example, according to the Clinical Trials Regulation, the sponsor and the investigator must archive the content of the clinical trial master file for at least 25 years after the end of the clinical trial. This retention period must be complied with and should also be recorded in the records of processing activities.
Given the special nature of the data processed in clinical trials (health information), the need to carry out and document a data protection impact assessment should also be considered; large-scale processing of special categories of data is one of the cases in which the GDPR requires such an assessment (Article 35(3)(b)).
Cross-border relations in clinical trials
A sponsor in the US and an investigator in Bulgaria: in which cases is there a transfer of personal data? An investigator stores clinical trial data in a cloud maintained by a provider from Israel: is there a data transfer? In all such cases, making personal data available to recipients outside the EU/EEA (including remote access from a third country) qualifies as a transfer of data to a third country, which may take place only if the additional requirements of Chapter V of the GDPR are met (an adequacy decision or appropriate safeguards such as standard contractual clauses) in order to ensure the necessary level of data protection.
In the context of a cross-border clinical trial relationship, it is important to identify all cases of transfer and the applicable data protection safeguards. In the absence of appropriate safeguards, the transfer could be based on the explicit consent of the data subject (the patient) given after being informed of the risks of the transfer (Article 49(1)(a) GDPR); this consent would be separate from the consents discussed above.
New challenges: protecting personal data when using artificial intelligence and advanced technologies
Technology is an integral part of the activities of modern companies, a trend that we also observe in the field of clinical trials. For example, the new Clinical Trials Information System (CTIS) involves processing a huge amount of personal data of participants from all Member States which, given their sensitive nature, require enhanced security measures.
Artificial intelligence, which is becoming increasingly popular, could also be used in clinical trials, for example in the selection of participants, the analysis of medical records and the generation of a list of suitable patients, the analysis of information on social networks and the identification of regions where a disease is prevalent, etc. However, the implementation of such technologies should always take into consideration the specific risks to personal data protection and to the rights of data subjects, for example in relation to automated individual decision-making. Moreover, this assessment must precede, not follow, the use of the technology and should be based on an impact assessment.
In conclusion, compliance with the new regulations requires a comprehensive approach and expertise in various areas. In today's world, data is a valuable asset and the challenges in protecting it are many, but making efforts in this direction is at the same time a good opportunity for companies to optimize their activities.
This article is subject to copyright. It expresses the opinion of the authors and should not be considered as a recommendation to take certain actions or legal advice.
By Miglena Micheva, Managing Associate, Attorney-at-Law, and Irena Koleva, Senior Associate, Attorney-at-Law, Deloitte Legal Law Firm