Personal Data Protection in Clinical Trials
Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The new Regulation 2016/679 on the protection of personal data will be entered into force on 25 May 2018. Until then, all Member States must notify the European Commission of the adopted legislations.
The Regulation was created to protect the rights of natural persons, to clarify the requirements that they may place on the data processors. The regulation seeks to implement a coherent, effective and high level of data protection and also simplify the flow of data across the Union.
The new rules impose many new definitions and concepts on us. 'Personal data' is defined as information on an identified or identifiable natural person ('the data subject'). An identifiable natural person is one whose identity can be determined directly or indirectly, in particular on the basis of the identifier such as: name, identification number, location data, internet identifier or one or more specific factors determining the physical, psychological, economic, cultural or social identity of the individual.
As we can see, the patient code we use is personal data.
Thus, the term has been clarified and expanded by introducing new terms such as genetic data, biometrics and, importantly, health data. These data are referred to as particularly sensitive or belonging to specific categories of personal data (Article 9) and due to the risk of their departure, particular attention should be paid to their protection during processing.
The concept of 'processing' has been specified and it means any operation on personal data, whether automated or not. As an example, browsing data that is performed by the monitor on a visit at site is a processing. Data processing also includes activities such as organizing, storing, deleting, merging, adjusting, or modifying data. All these activities should be carried out with the consent of the data subject (including patients).
However, the regulation does not define that the consent has to be writte
n, but the Controller should demonstrate that this consent has been given, which does not leave us with the illusion that the patient should allow any access by the investigator, monitor or sponsor to personal data, in writing. In the consent form it is needed to define who will be the data Controller, for what purpose they are collecting data, for how long will this data be stored. This is the principle of a limited purpose or data minimization, as you cannot ask for more data than the number of purposes you have. In other words, data is a set of files, and one set has one goal, so the number of data sets must match the number of purposes for which they are collected.
Consent to data processing should be collected during screening activities, and the next upon signing the Informed Consent Form (ICF). Why twice? In the first case, the purpose of the data collection is different than the second one (although it may overlap with the data that will be collected during the study). Two agreements are the result of the principle of minimizing data and collecting this data for specific, legitimate purposes. If the purpose of the data processing is changed, this creates a problem because the patient has to agree on a new purpose despite the fact that the data has already been collected because the processing of the data upon purposes which were not described previously is illegal (Article 5).
It is worth noting here that GDPR introduces a new concept that is 'profiling' which can correspond to the screening process. Profiling is any form of automated processing of personal data to assess or analyze certain factors such as health, interests, behavior, location, or economic situation.
In clinical trials we are profiling to screen the potential participants of the studyand examine if they meet inclusion criteria.
GIODO, soon the Office of Data Protection
The Regulation introduced the role of the Supervisory Authority in each Member State, which would monitor compliance with the GCPR. In Poland, the current GIODO will adopt the name of the Office of Personal Data Protection with the president from next year. The Authority will enforce the penalties provided in the GDPR and may impose penalties for failure to comply with the Regulation. According to Dr. Maciej Kawecki, entrepreneurs are most likely to break the law on the protection of personal data, which results from the fact that the more data are processed, the higher the probability of the violation.
/ Signals of the day, March 28, 2017 /
Administrator and joint controllers
The administrator of the personal data specifies the purpose and method of data processing. If there is a joint decision with another entity that the data needs to be collected then both entities become joint controllers. Such a process should be documented and the agreement should show a clear division that the joint controller is responsible for the specific data (because it was he who set the purpose in which the data are collected). This agreement is essential for any data leakage, because the controller decides how the information is to be protected and is supposed to verify that the entities entrusted with data processing adequately protect it.
Study design should begin with an analysis of what data will be needed to be collected. This applies to patients, researchers or CRO staff data. Process mapping allows you to determine what data is needed and for what purpose it will be collected, how it will be processed, and for how long. In the case of joint controllers, mapping allows us to determine who will be responsible for which data and at which stage of the study it should be needed.
Processor Once you know who is the data controller you should sign a entrustment agreement (Data Processing Agreement) with people who have access to the information you collect. A person who has access to personal data by signing such a contract is called a processor. An example may be the CRO, which, at the request of the sponsor, performs monitoring at the facility (reviewing the documentation), or an accountant who pays salary to the Investigator's account. They have access to the personal data, but not the data they collected and they did not set the purpose for which the data was collected, so that, despite having access, they are not controllers but processors.
Data Protection Officer
If your company processes data, it probably has the Information Security Administrator. From next year anyone who processes data regularly and systematically monitors data subjects on a large scale or processes large-scale specific categories of personal data is obliged to designate a Data Protection Officer. The inspector is responsible for monitoring the company's compliance with the regulations and informing controllers and processors of their obligations according to the GDPR. The DPO is also obligated to possess appropriate professional qualifications and adequate expertise in the field of protection of personal data.
The regulation, however, does not define what means a 'large scale' of processing, but when we look at it globally we will refer to the GDPR Theme 91 and consider sensitive data being processed, implementation of new processes into the life of the company, preparation of new and current documentation and staff training – the DPO seems necessary.
A data controller / sponsor without a branch office in the Union shall designate a representative if the data of persons in the Union is processed. A representative is appointed in writing by the controller or the processing entity to represent the controller or processor in the scope of their obligations under the Regulation.
Next part of a 'Personal Data Protection in Clinical Trials'
will be available soon!