Clinical trial sponsors often face challenges when it comes to selecting the right lawful basis for clinical trial data processing. Key questions include whether the choice varies by jurisdiction, how it might affect compliance and data protection practices, and why it is important to select the right one.
In this blog, we discuss these questions and more with Data Protection Officer (DPO) and Life Sciences Sector Lead, Lawrence Carter. With his extensive experience and knowledge of data protection compliance for clinical trials, Lawrence provides valuable insights, including simulated case studies, and explains the key regulations that apply to clinical trials operating in the UK and the EU.
For any clinical trial operating in the UK or EU, selecting the right lawful basis is essential for ensuring compliance with the General Data Protection Regulation (GDPR).
Simply put, where the GDPR applies, every data processing activity must have a corresponding lawful basis. Without a valid lawful basis, personal data cannot be lawfully processed.
It is especially important to get this right the first time. An incorrect selection can lead to costly delays from investigational sites and ethics committees. Also, the clinical trial might face scrutiny years later from data subjects, regulatory bodies, potential acquirers of the IP and their due diligence reviewers, and shareholders.
Selecting the right lawful basis involves careful consideration of the data processing and depends on a range of factors, including the nature of the research, the phase of the clinical trial, and, most importantly, jurisdictional scope.
Under the GDPR, a Data Controller is the entity that determines the purposes and means of processing personal data. In the context of a clinical trial, the sponsor is a data controller, but there may also be additional data controllers, depending on the specific circumstances.
To select the most appropriate lawful basis for clinical trial data processing, it is essential to carefully consider the various objectives and requirements of the trial.
Data controllers should identify all potential data processing activities and their corresponding lawful bases well before the intended go-live date. This ensures that the planned data processing is lawful and acceptable to the relevant stakeholders, such as ethics committees.
It is also important to correctly identify the different processing activities with the appropriate degree of granularity. Whilst it can be tempting to group activities together when drafting a Record of Processing Activities (RoPA), doing so can lead to ambiguous or incorrect identification of the lawful basis.
Clinical trials use participants’ data to achieve the main research goals defined in the trial plan, which is often referred to as the ‘primary purpose’. Selecting the appropriate lawful basis for the clinical trial can be complex and although there is some debate as to which lawful basis is appropriate, there is specific regulatory guidance.
The European Data Protection Board (EDPB) guidance from 2019 states that processing clinical trial participant data should be based on one of the following lawful bases: Consent, Public Interest, or Legitimate Interests.
Guidance from the European Commission (EC) clearly distinguishes between the two concepts: ‘informed consent’ and the lawful basis ‘Consent’. Whilst all clinical trial participants must give their ‘informed consent’ to join the trial, this does not mean that ‘Consent’ is the required lawful basis for processing their data.
The EDPB further advises that using Consent as the lawful basis for processing clinical trial data is often unsuitable due to the potential power imbalances between sponsors and participants. This power gap might hinder the ability to provide ‘freely given’ consent, as required by the GDPR.
For example, participants in poor health might experience pressure to consent in order to receive treatment, making it difficult to ensure genuine consent.
Public bodies, such as NHS hospitals, can rely on Public Interest, where there is a basis in law to provide a given function. Private entities, including most trial sponsors, can use Legitimate Interests, providing they conduct a Legitimate Interests Assessment (LIA) and meet the necessary conditions.
European jurisdictions have interpreted the EDPB’s guidance on lawful bases for clinical trials differently. Some jurisdictions have enshrined the preferred choice into national law, whilst others only provide guidance. This variation can complicate the decision-making process for sponsors, especially when planning trials across multiple jurisdictions.
To obtain authorisation for a clinical trial, sponsors must secure approvals from ethics committees in each jurisdiction. These committees review the Informed Consent Forms (ICFs) and patient information sheets (PISs) – documents which must include a lawful basis for data processing as required by Article 13 of the GDPR. Discrepancies between the proposed lawful basis and local regulations can often lead to delays or rejections.
If a clinical trial is being conducted across multiple jurisdictions, sponsors might need to select a different lawful basis for each jurisdiction. For example, a sponsor running a trial across the UK, Finland, Germany, and Spain may need to document up to four different lawful bases in their Record of Processing Activities (RoPA).
The UK’s Information Commissioner’s Office (ICO) guidance emphasises the use of Legitimate Interests for private or third sector organisations conducting research.
An NHS Health Research Authority (HRA) leaflet for patients also echoes this view, noting unambiguously that ‘[w]hen companies do research to develop new treatments […] they have a ‘legitimate interest’ in using patient data.’
In Finland, the Office of the Data Protection Ombudsman guidance states clinical trial sponsors should choose between Consent, Legitimate Interests or Public Interest. However, unlike most jurisdictions, where private entities can’t typically use Public Interest due to legal constraints, Finnish law provides this option.
Section 21a of the Medical Research Act 2021 permits processing personal data based on Public Interest if it is necessary for evaluating or ensuring the quality and safety of medical research, and the law explicitly allows for this option to be applicable to both public and private sectors.
In Germany, the Federal Commissioner for Data Protection and Freedom of Information emphasises Consent as the preferred lawful basis for a wide range of processing activities, going as far as stating Consent is ‘the main legal basis’.
In the context of clinical trials, the requirement for explicit consent to process personal data is also laid down in German law. Section 40b(6) of the German Medicinal Products Act mandates that participants must provide clear, written consent for the collection and use of their personal and health data.
The EDPB highlights three possible lawful bases for clinical trial processing: Consent, Public Interest, and Legitimate Interests. And in most jurisdictions, this holds true. However, in Spain, a fourth option is on the table: Legal Obligation.
The Spanish Data Protection Agency (AEPD) has issued a Code of Conduct Regulating the Processing of Personal Data in Clinical Trials and Other Clinical Research and Pharmacovigilance Activities.
This document has been approved as a Code of Conduct pursuant to GDPR, Article 40, and appears on the EDPB’s Register.
The Code states that the primary purpose for processing clinical trial data is a legal obligation because sponsors must follow clinical trial legislation, such as the CTR, in accordance with the GDPR.
As the four example case studies above demonstrate, selecting the appropriate lawful basis for clinical trials, especially across multiple jurisdictions, is far from straightforward. With varying interpretations and preferences, there isn’t a one-size-fits-all approach.
It is hoped that the European Data Protection Board or the European Commission can provide greater clarity on this issue for the future.
In the meantime, sponsors must handle the complexities of the varying jurisdictional requirements to prevent their clinical trials from being unnecessarily delayed by national ethics committee reviews.
The DPO Centre has extensive experience in guiding clinical trial sponsors through the pre-trial phase, including advising on lawful basis selection and the drafting of informed consent forms.
Get in touch with our team if you’re interested in how we can help expedite your clinical trial and data protection compliance.