Clinical trials often occur cross-border, involving sites under different regulatory authorities across multiple countries and continents. In our experience, it can be challenging to understand and comply with the data protection and privacy requirements for clinical trials. There are often differences in local laws and their interpretation relating to the interplay between these regulations and those specific to clinical trials.
In the EU, although the GDPR is directly applicable in all member states, there are often differences in how the member states, and their national privacy and medicines regulators, interpret and apply the Regulation in the context of clinical trials.
Here we share a recent case study highlighting some of the GDPR cross-border data transfer challenges one of our US clients faced. We describe their engagement with the GDPR, their questions and concerns about international data protection and how we helped them solve their security, privacy, and compliance challenges.
A small pharmaceutical company based in the USA who conducts and sponsors global clinical trials in Europe, USA, Canada, Africa, Latin America and Asia.
Trial data (participant’s code and medical information; data relating to the site investigator (such as name, CV, contact information, etc.) is sent from each of these sites to the global clinical trial database in Paris, France, managed by an external service provider located in the US.
An affiliate of the client located in India provides data management services., and for this purpose, accesses the global database in France. It also contracts with a sub-processor in Taiwan that provides services in data management and, once again, allows access to the central database in France.
Initial client questions related to the GDPR
Is key-coded data related to clinical trial subjects considered personal data under GDPR?
The GDPR defines “personal data” broadly as any information relating to an identified or identifiable natural person. For this purpose, an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (Article 4(1) GDPR).
Key-coded data is an example of pseudonymisation, replacing the identity of the individual trial participant with a unique subject identification code (that is not derived from information related to the participant) and removing direct personal identifiers (such as name, date of birth and the original recording identifiers) from the dataset. Key-coded (or pseudonymised) data cannot be linked to an individual without some additional information.
In the clinical trial context, we still collect personal identifiers out of necessity, e.g., date of birth, gender, or ethnicity. Therefore, pseudonymised data could still be attributed to a trial participant using other information and is thus still considered personal data under the GDPR.
Is the data regarding site investigators (names, professional information, contact details) considered personal data under GDPR?
If your organisation collects, uses, or stores the personal data of citizens of the EEA or UK, then you must comply with the GDPR’s privacy and security requirements.
Note that this is not limited to trial participants. GDPR (or UK-GDPR) also applies to a study when investigators or CRO employees are EEA or UK citizens.
What roles do the parties in a clinical trial have under the GDPR? (Controller / Processor / Other)
Below is a very simplistic description of some of the roles under GDPR. However, every situation is different, roles can overlap, or parties can wear different hats depending on the personal data they are processing in their activities. Where there are multiple parties in other countries adds to the complexity.
It is also important to bear in mind that the legal responsibilities of the parties under GDPR are determined by their actual activities in a specific situation rather than solely by a title.
A controller is the individual, legal person, authority or organisation who controls and is responsible for the storage and use of personal information, which means that they determine why and how personal data will be processed. Controllers can operate alone or jointly with others. The controller is responsible for and must be able to demonstrate compliance with the GDPR.
In a clinical trial, the sponsor (wherever they are based) will be regarded as the controller.
Where two or more parties jointly determine the purposes and means of processing, they shall be joint controllers. Joint controllers divide responsibilities for GDPR compliance depending on their activities.
In a clinical trial, the sponsor and investigation site could be regarded as the joint controller.
A data processor may hold or process personal data but does not exercise responsibility for or control over the personal data. If a processor does not act according to the controller’s instructions when processing trial participants’ personal data, itself then becomes a controller and can be subject to fines for non-compliance with the GDPR.
In a clinical trial, hospitals or testing sites could be considered processors as they act under instructions from the controller, but they could also be regarded as controllers of the participant’s personal data to provide healthcare which is independent of the processing of data for research purposes. In some cases, a hospital or testing site can be a joint controller.
Cross-Border Data Transfers under GDPR
Although complex, our US client’s situation with global clinical trials and multiple processors of the clinical data is common within the pharmaceutical and biotechnology sectors. The key to their success lay in the challenge of understanding the impact of their GDPR cross-border data transfers and how they could ensure and demonstrate compliance through the following:
- Robust Data Processing Agreements (DPA) with all parties acting as data processors on their behalf.
- Detailed GDPR Data Protection Impact Assessments (DPIA). DPIAs are mandatory for organisations processing special category, in these circumstances health-related personal data. Cross-border data transfers are also considered high risk under the GDPR, and the controller must demonstrate that the appropriate safeguards are in place when transferring personal data.
- Comprehensive Data Transfer Policy.
- Thorough Transfer Impact Assessments (TIA) for personal data transfers outside of the EU.
Thus, are the following data transfers allowed? And if so, what data protection measures must be in place?
- Transfer from clinical trial sites to a central database in France?
- Transfer from a central database in France to processor in India?
- Transfer from a central database to sub-processor in Vietnam?
- Transfer from a central database to processor in US?
The General Data Protection Regulation (GDPR) rules protecting the personal data of EEA citizens continue to apply regardless of where the data is processed. It also applies when data is transferred to a country that is not a member of the EEA, which we will refer to here as a ‘third-party country’.
Below we have described EEA and non-EEA data transfers in general terms rather than the specifics for the countries mentioned above. As every situation is different, we would advise speaking to us about your individual international data transfer requirements so we can ensure you receive accurate and up-to-date information.
Transfers within the EEA
In cases of transfer of personal data within the EEA, the GDPR does not impose any additional requirements. Nevertheless, the relationship between the data controller and the data processor needs to be governed by a Data Processing Agreement (DPA).
The DPA (Art. 28 GDPR) specifies the parameters for processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, the processing duration, and the parties’ obligations and rights.
Non-EU Data Transfers
Some third-party countries provide adequate data protection through their national laws (at a level comparable to the GDPR). Thus, the European Commission has issued ‘adequacy decisions’ for these countries, allowing the transfer of personal data without the need for additional safeguards. However, it is still the controller’s responsibility to monitor the situation and take appropriate measures to protect personal data.
If there is no adequacy decision for a third-party country, this does not mean that data transfers are prohibited. Instead, the controller must ensure that the personal data will be adequately protected through other means. The first step in this process requires a data transfer policy and assessment of the risks involved in the proposed data transfer. To do this, the controller must carry out a Transfer Impact Assessment (TIA).
Following a TIA, the GDPR outlines mechanisms that organisations can use to ensure that appropriate safeguards are in place, including:
Talk to us about your clinical trials, and we can advise of roles and responsibilities under GDPR
- Standard Contractual Clauses (SCCs). These can be included as part of the Data Processing Agreements with processors to ensure personal data is adequately protected when transferred outside of the EEA.
- A review of existing safeguards in place.
- A review of Access to Personal Data by Public Authorities.
- Application of supplementary measures to appropriate safeguards.
- Binding Corporate Rules (BCRs) for data transfers within a Group, in which members of the Group agree to commit to comply with codes of conduct related to data processing procedures.
Pharma Data Protection (PDP) specialist GDPR compliance consultancy has provided this client with outsourced Data Protection Services since 2020, including our Data Protection Officer (DPO) service. Following an initial audit, our Data Protection Officer worked with them to help them reach their compliance goals, including the following:
- Developing compliant data processing procedures and policies, particularly around retention and data sharing.
- Assisting with the completion of complex Data Protection Impact Assessments (DPIAs), that included cloud hosting platforms. Providing individualised GDPR training for all staff, helping to cultivate an excellent compliance ethos.
In addition, we recently conducted a re-audit to evaluate the progress the client’s organisation has made towards their compliance goals and highlight any new areas that require attention.
The results of the re-audit have demonstrated the significant GDPR compliance improvements that have been made and have helped the client to build on this progress, setting new goals to continue fine tuning their already effective compliance framework.
GDPR compliance is an ongoing process. Rules and regulations related to data protection and privacy, clinical trials and cross-border transfers are constantly changing. Our Pharma Data Protection team believes that the best way to support our clients is by building a solid partnership founded on a strong industry focus, clear communication and trust. But don’t just take our word for it. Here’s what our client had to say about our data protection consulting service:
“Since engaging PDP’s services, we feel at ease knowing that we have really good support from our outsourced Data Protection Officer. Knowing that they are there to provide us with all the data protection guidance we need has enabled us to make great improvements in our compliance without sacrificing our commercial goals. Their advice and support have already greatly helped to drive our compliance forward and we are confident that this progress will continue into the future.” (Client VP Regulatory and Compliance)
Pharma Data Protection are a specialist team who offer industry-focused data protection services, tools, assistance, and expertise to safeguard data subjects’ privacy and ensure EU GDPR and UK GDPR compliance.
Talk to us about your clinical trials, and we can advise of roles and responsibilities under GDPR