Does your clinical trial pass the GDPR test? (Loyens & Loeff)
Date of publication: 12/10/2018
Since 25 May 2018, the General Data Protection Regulation (“GDPR”) has been applicable throughout Europe. By strictly regulating the processing of health data, international data transfers and the contractual arrangements between the parties involved in a clinical trial, the GDPR has had quite an impact on the life sciences sector.
In the context of clinical trials, the GDPR has particular relevance, not only for European hospitals or EU-based sponsors of such clinical trials, but also for non-European entities when they fall within the (extra-) territorial scope of application of the GDPR.
Specific guidance on GDPR implementation for clinical trials was, however, missing until recently.
Guidance published by French Data Protection Authority
In France, the Data Protection Authority (the “CNIL”) published on 13 July 2018 a reference methodology for clinical trials, adapted to the new GDPR requirements. The methodology contains a detailed overview of a number of points of attention and good practices for clinical trials.
GDPR guidelines for entities involved in the organisation of clinical trials
1. The identification of data subjects should only be possible through the use of a numeric or alphanumeric code. Only the healthcare professionals involved in the trial may keep and store the key allowing direct identification of the participants in the trial.
2. Identification of the data subjects is only necessary/allowed in limited circumstances (e.g. to communicate the results of the trial to them or to verify the correspondence between the trial results and the raw data).
3. The personal data should only originate from the participants to the trial, the professionals working on the trial and/or from compliance and lawfully accessible databases.
4. All research should respect the ‘data minimization’ principle. Only data that are adequate, relevant and limited to what is necessary for the purpose of completing the trial should be gathered.
5. Access to indirectly identifying information of patients should be limited.
6. Access to directly identifying information of patients should be even more limited, and sufficient guarantees should be put in place. For example, the controls conducted to ensure the quality of the trial results must be carried out under the direction and supervision of a healthcare professional, and the patients must have been informed beforehand and must not have objected to the control being carried out.
7. Publication of the results shall under no circumstances allow the identification of the participants to the trial, and access to the data by an independent expert should be strictly limited and subject to security controls.
8. The ‘data processing notice’ to be provided to the participants, and the information on their rights, should be transparently set out in the questionnaire, the accompanying letter or the trial information note. Where personal data are collected orally, the professional involved in the trial shall deliver the required information in a written document, and the express, free and informed written consent of the participants shall be obtained.
9. Participants should be able to exercise their right of access at any time, directly with the professional involved in the trial or through a professional designated for that purpose. Respect for the right of rectification is also essential, and a data subject who intends to object to the processing of personal data for research purposes may, at any time and without having to justify the decision, express that objection by any means to the head of research, the trial site or the professional holding the data.
10. Personal data are retained in the information systems of the controller, in the trial centre or with the professional involved in the trial until the release of the relevant product, or up to two years after the last publication of the results of the trial, or, if there is no publication, until the final report of the trial is signed off. Afterwards, paper or computer-based archiving remains possible.
11. Guidelines regarding the processing of personal data of the professionals collaborating on the trial.
12. Implementation of sufficient security measures, covering the risks identified in a Data Protection Impact Assessment.
13. Data transfers outside of the European Union should be strictly necessary for the implementation of the trial or the exploitation of its results.
14. Rules concerning agreements with data processors involved (e.g. CRO).
15. Designation of a data protection officer (“DPO”) as internal compliance advisor.
Practical relevance of these guidelines
Of course, not all of the above recommendations are strictly necessary to achieve GDPR compliance. They may, however, serve as a useful basis to guide companies through the implementation of the GDPR in their daily operations, pending further guidance from the Belgian or Dutch Data Protection Authorities.