The COVID-19 pandemic has accelerated the digital evolution of clinical trials. Introducing new technologies and ways of working with clinical data, improving clinical data access, review, and monitoring processes, and making better use of the data for further scientific research are trends that are here to stay. Side by side with these developments come legal questions about personal data protection. The aim of this article is to shed light on the core legal issue in data processing within clinical trials: its legal basis.
Clinical trials involve the processing of an extensive amount of personal data, including health data and other special categories of personal data regulated under the EU General Data Protection Regulation no. 2016/679. The particularity of this processing activity deserves special attention by controllers and their data protection officers. The appropriate legal basis for processing trial participants’ personal data and determining whether explicit consent is necessary under the GDPR has been a hot topic of debate. But Opinion no. 3/2019 of the European Data Protection Board confirms that explicit consent is merely one of the possible legal grounds for processing personal data in clinical trials, and that several others may be appropriate, in specific situations, and should be considered by the controllers. The Czech Data Protection Authority has expressed a similar view, stating that informed consent to participate in a clinical trial should not be confused with the explicit consent required by the GDPR. In addition, guidelines issued by the Czech Institute for Drug Control recommend that the written request for informed consent regarding participation in a clinical trial and the privacy notice (or written request for consent to data processing, if applicable) required by the GDPR be provided to trial participants as two separate documents.
According to the EDPB’s Opinion, the legal grounds for processing should be determined on a case-by-case basis, taking into consideration the purpose for which the data will be processed in the course of a clinical trial. Therefore, the appropriate legal basis should be determined separately for processing operations that relate to protecting the patient’s health and safety, on one hand, and processing performed purely for research, on the other. Alternative legal bases for research-processing activities may be the legitimate interests of the trial sponsor or a task carried out in the public interest, and health data may be processed based on public interest in the area of public health or scientific research purposes. Processing activities related to protection of patient health and safety may be based on the legal obligations of the trial sponsor, while processing of health data may be based on public interest in the area of public health.
Controllers should also separately assess the appropriate legal basis for a secondary use of personal data collected in the course of clinical trials for scientific research purposes, as it may differ from the primary use. In this context, it is worth mentioning that Czech law on data processing provides certain derogations from the GDPR and additional safeguards for the processing of data for scientific research purposes. In particular, Czech law imposes additional obligations on controllers performing scientific research, including the obligation to appoint a data protection officer and adopt specific technical and organizational measures.
The EDPB's position on personal data processing for scientific research purposes was further clarified in the context of the COVID-19 outbreak. The EDPB adopted Guidelines no. 03/2020, which reiterated that explicit consent may be an appropriate legal basis, but depending on the context of the processing, other alternative legal bases should be considered as well. When consent is relied upon, it must be freely given, active, specific, informed, and unambiguous. Controllers should also take into account that data subjects have the right to withdraw their consent. Upon withdrawal of consent, controllers may have to delete the personal data concerned, unless further retention is justified on other lawful bases.
To conclude, controllers should take the time to properly identify the data processing purposes of clinical trials, and carefully assess the applicable legal basis for each processing activity. Explicit consent may be the first one that comes to mind, but other alternatives may be more appropriate, depending on the specific context.
By Monika Maskova, Partner, and Ivana Rosenzweigova, Attorney, PRK Partners