22
Fri, Nov
57 New Articles

Protection of Personal Data in Clinical Trials

Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

May 2023 marks five years since the application of the General Data Protection Regulation, better known as "GDPR", and its requirements still pose a number of challenges for organizations. On one hand, this is because ensuring compliance with GDPR is not a "one-time exercise" but a continuous process "from within", requiring synchronization with all other activities in the organization. On the other hand, companies must also take into consideration innovations "from the outside", including new regulations and technologies, by promptly addressing data protection risks.

Did you know that the word "risk" is used 76 times in the GDPR? The risk to an organization is greater the larger the data sets it processes, especially if data is "sensitive", i.e. a special category of personal data. These include, for example, health data processed in clinical trials.

In the field of clinical trials, in early 2022, Regulation (EU) 536/2014 on clinical trials on medicinal products for human use began to apply, the provisions of which are in close interaction with the rules of the GDPR. How do the two regulations relate to each other? This question is answered by the European Commission ("EC") and the European Data Protection Board ("EDPB"). They also guide the parties involved in the trials (sponsor, clinical trial site, principal investigator, etc.) about the basis for processing patients' personal data in different hypotheses.

Patient protection in clinical trials 

Both the Clinical Trials Regulation and the GDPR are aimed at strengthening the protection of patients' rights, but from different perspectives. The Clinical Trials Regulation aims to obtain reliable and robust data in the clinical trial, protecting the rights, safety, dignity and well-being of individuals. On the other hand, the GDPR ensures the protection of their personal data.

In the Clinical Trials Regulation, one of the highlights is the issue of the patient's informed consent with which they freely and voluntarily expresses their willingness to participate, after detailed information on all aspects of the clinical trial. This consent is a condition for inclusion in a clinical trial, but it should not be confused with consent as a basis for processing personal data within the meaning of the GDPR, which is not always necessary because the data may be processed on another basis (e.g. a legal obligation).

On what grounds is patient data processed?

The European Commission divides the volume of data processed in the course of a clinical trial into two groups - data for primary and secondary use.

Primary use refers to the processing of data in relation to a specific clinical trial protocol during its whole lifecycle, from the starting of the trial to deletion at the end of the archiving period, and  the basis for the processing of personal data is most often a legal obligation (e.g. reporting, archiving, disclosure, etc.) as well as a public interest in the area of public health.

In the secondary use of clinical trial data outside the clinical trial protocol for scientific purposes, it is possible to refer to compatibility of purposes and not to seek a new legal basis. Other options are consent, public or legitimate interest.

If consent under the GDPR needs to be collected, it is advisable to have it on a form separate from that of informed consent under the Clinical Trials Regulation in order to make it clear to the patient that it is two different documents that can be withdrawn by the patient at different times and with different consequences for the clinical trial activities.

In general, the data of patients in the clinical trial are "coded" (i.e. pseudonymised) as a measure of their protection. However, such data continues to be personal and the GDPR applies to them.

In some cases, patient data is anonymised (i.e. the patient cannot be identified at all) and therefore does not constitute personal data. The GDPR does not apply to the processing of such anonymous information, including for statistical or research purposes.

What are the roles and responsibilities of the parties involved?

Another issue for discussion, which in practice often gives rise to lengthy negotiations, is that of the roles of the parties involved in clinical trials within the meaning of the GDPR, namely whether they are controllers, processors or joint controllers. The definition of these roles is important regarding the responsibilities they have towards patients. In Bulgaria, the Commission for Personal Data Protection has accepted that the sponsor and the medical institution are joint controllers, i.e. jointly responsible for the lawful processing of patient data.

According to the guidance given by the EDPB, the sponsor and the investigator can be identified as joint controllers, or as controller and processor, as the case may be.

Practical guidelines on the protection of personal data in clinical trials

The GDPR imposes numerous obligations on controllers and processors that are valid for all data processing activities, including informing subjects, keeping records of processing activities, implementation of appropriate technical and organizational data security measures, incident reporting, etc. In the context of clinical trials, the relevant specificities must also be taken into consideration. For example, according to the Clinical Trials Regulation, the sponsor and the investigator shall archive the content of the clinical trial master file for a period of at least 25 years after the end of the clinical trial. This retention period must be complied with, including being recorded in the records of processing activities.

Given the special nature of the data processed in clinical trials (health information), the need to carry out and document a data protection impact assessment should also be considered.

Cross-border relations in clinical trials

A Sponsor in the US and a Researcher in Bulgaria – in which cases there is a personal data transfer? A researcher stores clinical trial data in a cloud maintained by a provider from Israel – is there a data transfer? In all cases, the transfer of personal data to countries outside the EU/ EEA qualifies as a transfer of data to third countries, which may take place only in compliance with certain additional requirements under the GDPR in order to ensure the necessary level of data protection.

In the context of a cross-border clinical trial relationship, it is important to identify all cases of transfer and the applicable data protection safeguards. In the absence of appropriate safeguards, the transfer could be based on the consent of the data subject (the patient), which would be separate from the consents discussed above.

New challenges: protecting personal data when using artificial intelligence and advanced technologies

Technology is an integral part of the activities of modern companies - a trend that we also observe in the field of clinical trials. For example, the new Clinical Trials Information System (CTIS) involves processing a huge amount of personal data of participants from all Member States which, given their sensitive nature, require enhanced security measures.

The use of artificial intelligence, which is becoming increasingly popular, could also be used in clinical trials – for example, in the selection of participants, the analysis of medical records and the generation of a list of suitable patients, the analysis of information on social networks and the identification of regions where a disease is prevalent, etc. However, the implementation of such technologies should always take into consideration specific risks in terms of personal data protection and rights of data subjects, for example in relation to the automated individual decision-making. Moreover, the estimation must not be subsequent but should precede the use of the technology and be based on an impact assessment.

In conclusion, compliance with the new regulations requires a comprehensive approach and expertise in various areas. In today's world, data is a valuable asset and the challenges in their protection are many, but making efforts in this direction is at the same time a good opportunity for companies to optimize their activities.

This article is subject to copyright. It expresses the opinion of the authors and should not be considered as a recommendation to take certain actions or legal advice.

By Miglena Micheva, Managing Associate, Attorney-at-Law, and Irena Koleva Senior Associate, Attorney-at-Law, Deloitte Legal Law Firm

 

Deloitte Legal at a Glance

Deloitte Legal Adriatic is a unique law firm consisting of teams of highly specialized lawyers, providing a vast range of legal services, and part of the commercially integrated Deloitte Legal Group. Deloitte Legal Adriatic has a team of 50 legal professionals, qualified in their jurisdictions, at offices across 8 countries: Albania, Bosnia, Croatia, Kosovo, Montenegro, North Macedonia, Serbia and Slovenia. Across the Adriatic region, our offices assist clients in this interlinked, highly complex, and dynamically developing region. We are among the largest law firms in our jurisdictions and have offices in each of the most important business centers. With a multi-lingual international team, all of whom are fluent in English, we can assist clients through our dedicated language desks including in Chinese, German, French, Russian, and many other languages, including all the Balkan languages.

Deloitte Legal Adriatic’s bundled, technology-enhanced, cross-border capable service array is a step ahead in providing clients with effective business solutions, and in these challenging times is even more important than ever before in our Adriatic Region. Our team has a collaborative orientation as well as the country specific and international legal and business savvy your business needs. Like our clients, we also know that sure success, in addition to everything else, usually requires winners to simply work both harder and smarter. We are here for our clients to do just that.

Across the Adriatic, we offer a full scope of legal services in the main commercial practice areas, including: 

  1. Banking & Finance – regulatory, real estate, syndicated projects, securitization, NPLs, restructuring, and insolvencies
  2. Business Integrity – investigations, compliance, privacy, GDPR, anti-trust, and competition
  3. Corporate – day-to-day operational, governance, and family protocols
  4. Digital – technology, media, and communications
  5. Employment – full spectrum services including mobility services
  6. Environmental – internal/external due diligence, and compliance advice
  7. GDPR – privacy issues, cyber-attacks, AI, legal, technical and organizational aspect of GDPR compliance
  8. Litigation – including tax, white collar, and discovery support services
  9. M&A – including due diligence, JVs/alliances, and post-transaction restructuring
  10. Real Estate & Construction – transactions of all types as well as development & planning
  11. Commercial – including full coverage supply-chain and distribution contractual coverage

Besides traditional legal fields, we are building prominence in growing fields such as Business Integrity, Legal Management Services, Tax Litigation & Controversy, E-commerce, and Fintech. We take pride in being able to pioneer in industries and practices ahead of many other law firms. We have the benefit of accessing cutting-edge data, technical aspects, and operational realities of various industries through our internal Deloitte collaboration with various service lines (Consulting, Financial Advisory, Tax, and others). This market intelligence is again unparalleled among  our competition and presents a wealth of opportunities for genuine insights to evolving trends.

Our client service resonates with an individual approach, genuine relationship building, dedication, availability, efficiency, and high-quality communication, on top of understanding our clients’ commercial, financial and tax needs and the requirements of the market.

Authentic synergies with our financial and tax teams, as well as our colleagues’ professional experience and education, make our firm one of the most experienced, effective and efficient firms in the Adriatic region, with expertise in a wide variety of legal fields. Our positioning on the legal markets has been noticed and recognized by both mainstream international attorneys-ranking agencies – Chambers & Partners, IFLR and the Legal 500, which distinguishes us across all significant legal areas and functions.

Local contacts:

1. Albania and Kosovo

Deloitte Legal Sh.p.k

Sabina Lalaj, Attorney-at-Law, Managing Partner

slalaj@deloitteCE.com

2. Croatia

Krehić & Partners in cooperation with Deloitte Legal

Tarja Krehić, LL.M. (DUKE)

Attorney-at-Law, Managing Partner

tkrehic@kip-legal.hr

3. Serbia, Montenegro and North Macedonia

Law Office Antonić

Stefan Antonić, independent attorney at law in cooperation with Deloitte Legal

santonic@deloittece.com