Today, we have woken up to a very different world. The new General Data Protection Regulation (GDPR) will change the way in which data privacy is managed and secured. Over the past few months, various industries made their arrangements for this big moment, creating or modifying current processes and systems. Data controllers (sponsors) are now obligated to implement and follow many very strict requirements aimed at better management of personal data.
A majority of sponsor companies have spent a lot of time and money identifying breaches in their processes through which the personal data of patients, site personnel, their employees, business partners, and vendors can be put at risk.
One of the most crucial changes relates to informed consent forms, which have to be signed by each clinical trial participant before entering a trial. The consent section (or a separate document) related to data protection must comply with GDPR requirements. The content of a consent form is clearly set out by the Regulation:
“(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement” – General Data Protection Regulation
The Principle of Transparency
Information relating to personal data processing should be easily accessible and written in a language that is easy to understand. During the consenting process, the data controller(s) should clearly explain all the risks, rules and rights in relation to the processing of personal data.
The threat posed by this requirement is associated with a significant expansion of consent wording which, unfortunately, has actually been growing for many years.
The Purpose Limitation Principle
Under the purpose limitation principle, personal data must be limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current.
In scientific research, it's often impossible or very difficult to fully identify the purpose of personal data processing at the time of data collection. Re-use of data is also an important part of research. Luckily, GDPR allows giving consent to certain areas of scientific research or parts of research projects. Additionally, according to Article 5b of GDPR, the rule does not refer to scientific research or public interest purposes.
The Right to be Forgotten
A trial participant can request the deletion of all personal data collected. While in principle this is possible (i.e. due to the GDPR requirement on keeping record registries), in practice it becomes challenging at the stage of a trial when collected data is pseudonymized and cannot be clearly associated with a single subject, or impossible when it's fully anonymized and/or aggregated.
Again, the main exception to this rule applies where processing is necessary for reasons of public interest in the area of public health or for scientific reasons.
Data Processing Period
Data controllers must also specify the processing period, which should be limited to what is necessary for the purposes for which the data are going to be processed. It's difficult to specify strict timelines, as many trials are delayed or have adaptive designs that have a strong impact on the data processing period. Another challenge we can face in research is the need for re-use of data, which in such a case can be put at risk.
Here it seems that GDPR meets the needs of the industry once more, allowing for longer storage for public interest or scientific purposes.
According to the Regulation, consent should be obtained from a child of 16 years old and above. Where a child is below 16, the consent should be given or authorized by the holder of parental responsibility over the child. Member States may also provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
Article 89 of GDPR refers to the appropriate technical and organizational measures required in order to safeguard the rights and freedoms of the data subjects. Those measures may include pseudonymization, already mentioned in this article, which is widely used in clinical research and in most cases allows for fulfilling a purpose without the identification of data subjects.
Considering clinical trials as scientific research, which is mentioned in Preamble point 161, brings a lot of possibilities and removes numerous restrictions resulting from GDPR. Interestingly, for the purpose of patients' participation in clinical trials, GDPR clearly refers to the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council, which in turn describes the requirements in a very general way (Article 56).
What about the Current Consent?
According to GDPR, consent given before today will remain valid as long as it has been given in line with the conditions of the Regulation. Additionally, for other consents that are currently in effect, there is a need to adjust the way of processing data under the new Act by May 25, 2020.
*Karol Szczukiewicz, Regional Study Manager, Roche, is a Board Member at Polish Association for Good Clinical Practice (GCPpl)