Clinical trials have been at the forefront of many people’s minds recently due to the COVID-19 pandemic, and the vaccination trials that were completed in record time. However, the data protection rules and regulations still remain an enigma to many. This is for good reason, as whilst clinical trials must comply with standard data protection laws, there are many exemptions that apply in this area. This is coupled with the fact that there are a number of different trial-specific regulations that also include rules on the handling of personal data. Trials often occur across multiple countries, meaning multiple regulations can apply, making for a complex regulatory landscape that trial sponsors and their study partners need to navigate.
In this blog we will be discussing some of the key data protection factors that must be considered before a sponsor embarks on a clinical trial in the EU and UK. Clinical trials are a highly regulated area, largely because they often involve large volumes of special category data, often processed in novel ways, so it is imperative that organisations involved in trials understand their obligations and how to action them.
Whilst the setup of clinical trials often varies greatly, trial sponsors will generally always be considered the ‘Data Controller’ of the personal data processed for a trial (whether that be independently or jointly). The reason for this is that the sponsor initiates (perhaps alongside others) the trial in the first place and then defines its aims and how it is going to try to achieve them. This means that the sponsor “alone or jointly with others, determines the purposes and means of the processing of personal data” and is therefore defined as the Data Controller under Article 4(7) of the GDPR.
Being the Data Controller means it is the sponsor’s responsibility to ensure that the required documentation is in place and that they are able to be accountable for the personal data being processed either by them or any of their appointed Data Processors (such as a Contract Research Organisation or CRO). This includes a requirement to conduct Data Protection Impact Assessments (DPIAs) and define a Record of Processing Activities (ROPA), alongside drafting other data protection policies and procedures required to demonstrate compliance. This also includes ensuring that appropriate due diligence has been conducted on the third parties engaged with to administrate the trial and collect the data, and that suitable agreements have been put in place with each of them.
Trial sponsors are also responsible for making data protection compliance declarations as required in some countries where their residents’ personal data is being processed in a trial. There are also country specific requirements related to this, but more on this in a future blog.
The recently introduced EU Clinical Trials Regulation (CTR) will soon require trial sponsors to make trial applications via the European Clinical Trials Information System (CTIS) and confirm that they have the relevant data protection measures in place. Applications via CTIS are optional up until 31st of January 2023. After that date, new trials will be required to apply via CTIS and from 31st of January 2025, any trials approved under the previous Clinical Trials Directive that continue running will need to comply with the Clinical Trials Regulation and their sponsors must record information on them via the CTIS.
Before embarking on a clinical trial, organisations must establish one or more lawful bases for the processing.
Primary processing
When we consider a clinical trial, there are two defined parts of the processing required. First is the processing related to ensuring the reliability and safety of a trial. For this type of processing, it is well established that the lawful basis ‘Legal Obligation’ can be relied upon, as these types of activities are prescribed by the CTR.
Secondly, there is the processing that is required merely for the purposes of research. In this case, the most suitable lawful basis is less clear and will likely vary from country to country. This is because there is an ongoing difference of opinion throughout the EU and UK over whether Consent or Legitimate Interests is the most suitable. The UK’s Medical Research Council and Information Commissioner’s Office both argue that Legitimate Interests makes most sense due to the difficulty in demonstrating that consent in this context is freely given (a requirement of valid consent under the GDPR), plus the complications that enabling participants to withdraw their consent at any time would cause the trial. Under the GDPR, consent must be as easy to remove as it was to give.
The same stance has also been taken by the European Data Protection Board in a 2019 Opinion, but despite this, a few Member States (including Italy, Germany, and Spain) still mandate that Consent is the lawful basis that must be relied upon in almost all circumstances relating to clinical trials. The result of these contrasting approaches is that it is often difficult for trial sponsors to standardise their approach across jurisdictions, even without considering all of the other requirements related to clinical trials that vary across countries.
This is also made more complicated by the fact that regardless of which lawful basis is relied upon, trial organisations must always gain informed consent from the participant, confirming that they are happy to participate in the trial. This obligation is, however, completely unrelated to data protection law, and so should remain completely separate even if Consent is the lawful basis relied upon.
Secondary purpose
In many instances, personal data used in one clinical trial may also be used subsequently to benefit future research. Where this is the case, you will not need to identify an additional lawful basis for this additional research provided that the purpose of the additional processing is compatible with the purpose for which the data was originally collected. Furthermore, Recital 50 of the UK and EU GDPRs indicates that “Further processing for… scientific or historical research purposes… should be considered to be compatible.”
The above point demonstrates how the location of a trial’s participants impacts how a trial processes personal data, but the location of the sponsor also has repercussions for its data protection obligations. If the sponsor is not established within the EU but its trial involves EU resident trial participants, it will be required to appoint an EU Representative in one of the member states within which trial participants reside, to act as a point of contact for data subjects and for the lead Supervisory Authority. In the UK context, a UK Representative would be required, so if a trial involves both EU and UK participants, both an EU and UK Representative will be required.
Furthermore, a sponsor located outside of the EU/UK that is receiving the personal data (even if that data has been pseudonymised) of EU/UK trial participants would need to ensure that an appropriate transfer mechanism is in place to safeguard the transfer. Adequacy may be an option for some sponsors located in countries that have been deemed adequate by the exporting nation (for example, a UK sponsor receiving data from participants in the EU, or vice versa). Alternatively, and most commonly, Standard Contractual Clauses (for EU) or an International Data Transfer Agreement or amended EU SCCs (for UK) will be required. Where the latter are being relied upon, it is worth noting that following Schrems II “additional safeguards” are required when using these methods.
There are a lot of considerations trial sponsors need to be aware of to ensure that they are complying with all their data protection obligations as well as sector-specific rules. Considering that these can vary significantly between countries, it is quite the minefield.
The DPO Centre has extensive experience in the life science sector and its many complexities. We advise clients throughout the entire lifecycle of a clinical trial, from setup through to decommissioning. If you are a life science organisation in need of data protection support, especially if you are planning an EU and/or UK-based trial, please contact us using the form below.