As with all aspects of GDPR compliance, any system, process or infrastructure that uses personal data must be created and designed from the beginning by identifying possible risks to the rights and freedoms of the data subjects and minimising them before they can cause actual damage – privacy by design. GDPR data requirements on closing a clinical trial are no exception.
The GDPR applies to the entire lifecycle of a clinical trial, from the moment you start collecting and processing personal data from anyone in the EEA (or UK in the case of the UK-GDPR), including staff information from Contract Research Organisations or Investigator Sites.
The European Data Protection Board (EDPB) ‘considers all processing operations related to a specific clinical trial protocol during its whole lifecycle, from the starting of the trial to deletion at the end of the archiving period, shall be understood as primary use of clinical trial data’ (EDPB Opinion 3/2019). Thus, when you close a clinical trial, the GDPR still comes into play, and the storage, archiving and potential future processing of clinical trial data outside of the original clinical trial protocol must comply with the regulatory requirements.
This article describes key elements of GDPR compliance that a sponsor must consider before closing a clinical trial:
- Ensure everyone whose personal data you hold has been informed (e.g., via a Privacy Notice or the Patient Information Sheet) about what happens when a trial closes.
- Understand the GDPR retention rules and how you will apply them to different types of personal data
- Know when to delete personal data and how to do this safely
- Have a plan for secure archiving and accessibility
- Prepare for potential secondary uses of clinical trial data
- Check which aspects of your privacy system you must retain, e.g., policies, Data Protection Officer, etc.
Informing Data Subjects
It’s good practice to tell everyone – employees, customers, clients, suppliers, patients and others whose personal data your business might hold – what data you are collecting, what you will do with their data, how it’s stored and protected, and how they can either access it in the future or be sure of its deletion. Under the GDPR, an explicit privacy notice is generally required for any lawful processing of personal data where the legal basis for that processing is not the data subject’s consent. However, the information given to someone for them to provide informed consent must be the same as if you were writing a privacy notice. For patients in a clinical trial, a well-constructed Patient Information Sheet can serve this purpose.
GDPR data retention rules
GDPR data retention rules require any personal data collected or processed to be kept only for as long as data is needed to achieve the purpose for which the information was originally collected. However, there are exceptions – scientific or historical research, for example. Different types of personal data will have different retention requirements.
In this context, the processing of personal data in a clinical trial for safety reporting or for an inspection by a national competent authority, and the retention of clinical trial data under the archiving obligations set by the Clinical Trials Regulation (CTR) or, as the case may be, relevant national laws, must be considered necessary to comply with legal obligations to which the sponsor and/or the investigator are subject. The Trial Master File (which contains a significant amount of personal data) is kept for 25 years after completion of the clinical trial.
In addition to personal data, different businesses must retain different processing records. Arrangements must be made to keep those records safe and secure. For all businesses, it’s prudent to keep a copy of your data protection and information security records (including the level of access that people had) because, in the event of discovering a previous breach, you’ll need to have evidence to show what measures you had in place at the time.
Deleting personal data
At clinical trial close out, as well as data that you need to retain, there will also be personal information that you will need to destroy – either straight away or over the following years, depending on what you stipulated in your privacy notice and retention schedule.
The same personal data is occasionally processed for different purposes under different lawful bases, which may have different data retention periods. Therefore, deleting the correct data at the right time will depend heavily on the accuracy and completeness of your data management records.
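The point above, that a single category of personal data may serve several purposes with different retention periods and may only be deleted once the longest one has expired, is easiest to see in code. The following is an added example, not code from the article or from Pharma Data Protection; the purposes, lawful bases, the two-year period and the trial completion date are constructed, and only the 25-year TMF retention period comes from the article.

```python
"""
Added example: resolve the retention end date for personal data that is
processed for several purposes under different lawful bases. The data may
be deleted only when every recorded purpose has expired, so the latest
retention end governs.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Purpose:
    """One processing purpose recorded against a category of personal data."""
    name: str
    lawful_basis: str      # e.g. "legal obligation", "consent"
    retention_years: int   # how long this purpose requires the data
    clock_start: date      # event from which the retention period runs


def add_years(d: date, years: int) -> date:
    """Add whole years to a date, moving 29 February to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(purposes: list[Purpose]) -> tuple[date, str]:
    """Return the governing retention end date and the purpose that sets it.

    A category of data with no recorded purpose cannot justify being kept,
    which is why incomplete data-management records are a problem."""
    if not purposes:
        raise ValueError("no recorded purpose: retention cannot be justified")
    latest = max(
        purposes, key=lambda p: add_years(p.clock_start, p.retention_years)
    )
    return add_years(latest.clock_start, latest.retention_years), latest.name


def deletion_due(purposes: list[Purpose], today: date) -> bool:
    """True when every recorded purpose has expired as of `today`."""
    end, _ = retention_end(purposes)
    return today >= end


# Constructed data-management record for one category of personal data:
# site staff contact details after a trial that completed on 2020-06-30.
TRIAL_COMPLETED = date(2020, 6, 30)
SITE_STAFF_CONTACT_PURPOSES = [
    # 25 years is the TMF period stated in the article.
    Purpose("TMF archiving (CTR)", "legal obligation", 25, TRIAL_COMPLETED),
    # Constructed shorter purpose under a different lawful basis.
    Purpose("post-trial newsletter", "consent", 2, TRIAL_COMPLETED),
]

if __name__ == "__main__":
    end, reason = retention_end(SITE_STAFF_CONTACT_PURPOSES)
    print(f"keep until {end} because of: {reason}")
    print("deletion due today:",
          deletion_due(SITE_STAFF_CONTACT_PURPOSES, date.today()))
```

Note that withdrawal of consent for the newsletter does not trigger deletion of the contact details as a whole: the same data is still needed for the TMF archiving obligation, and only the consent-based purpose is dropped from the record.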
Shredding paper documents is easy, although a commercial service will give you the peace of mind that it has been done correctly, and you will receive a certificate of destruction.
Computer files, on the other hand, pose an entirely different problem. In a technological world where everyone has a business laptop and a mobile phone from which they access a raft of personal data daily, it’s more involved than just pressing ‘delete’.
There have also been many cases where old, discarded computers have been accessed and personal information recovered. Under the GDPR, your business must have a safe and secure process for disposing of data-storing IT and electrical equipment.
Secure and accessible storage/archiving
Article 89 of the GDPR states that processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject.
The physical measures for safeguarding archived records must ensure accessibility for designated personnel and protection from damage (fire, flood, or rodents). Technological safeguards for archiving personal data records may include encryption, anti-virus software, and password or security keys to limit access. Technology developments over time may render old file formats unreadable, alter context, or change access rights. The information must then be adjusted to meet the requirements of current technology. Care must be taken to preserve the information’s content (data) and context (metadata).
It is important to note that archiving must minimise any adverse impact on a living individual and pay particular attention to the principle of data minimisation. Thus, measures must be taken to limit the personal data archived to what is relevant, accurate and necessary, including steps to pseudonymise or anonymise the data so that data subjects cannot be identified.
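As an illustration of data minimisation and pseudonymisation before archiving, here is an added example that is not code from the article or from Pharma Data Protection. The record, field names and key are all constructed; it assumes the pseudonymisation key is held separately from the archive (for instance by the investigator/institution), so that the archive on its own cannot be linked back to a named person by recomputing the token.

```python
"""
Added example: prepare a constructed clinical-trial record for archiving by
removing direct identifiers, generalising date of birth to birth year, and
replacing the subject ID with a keyed pseudonym.
"""
import hashlib
import hmac

# Fields that identify a person directly and have no place in the archive.
DIRECT_IDENTIFIERS = frozenset({"name", "email", "phone", "date_of_birth"})

# Constructed pseudonymisation key. It is kept outside the archive; whoever
# holds it can re-identify a subject (e.g. to answer a data subject request),
# and the archive alone cannot recompute the token without it.
PSEUDONYM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Constructed sample record as it might leave a site's data capture system.
SAMPLE_RECORD = {
    "subject_id": "S-0042",
    "name": "Example Patient",
    "email": "patient@example.invalid",
    "date_of_birth": "1971-03-14",
    "site": "Site 07",
    "visit": 3,
    "adverse_event": "headache",
    "dose_mg": 50,
}


def pseudonym(subject_id: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 64 bits).

    The same subject always maps to the same token, so records stay linkable
    within the archive, but the token cannot be reversed or recomputed from
    a guessed subject ID without the key."""
    digest = hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def minimise(record: dict) -> dict:
    """Drop direct identifiers; keep date of birth only as a birth year."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "date_of_birth" in record:
        out["birth_year"] = int(record["date_of_birth"][:4])
    return out


def prepare_for_archive(record: dict, key: bytes) -> dict:
    """Minimised copy of the record with the subject ID replaced by a pseudonym."""
    out = minimise(record)
    out["subject_id"] = pseudonym(record["subject_id"], key)
    return out


def contains_direct_identifiers(record: dict) -> bool:
    """Gate to run on every record before it is written to the archive."""
    return any(k in DIRECT_IDENTIFIERS for k in record)


if __name__ == "__main__":
    archived = prepare_for_archive(SAMPLE_RECORD, PSEUDONYM_KEY)
    if contains_direct_identifiers(archived):
        raise SystemExit("refusing to archive: direct identifiers present")
    print(archived)
```

Pseudonymised data is still personal data under the GDPR as long as the key exists, so the retention schedule and access controls for the key matter as much as those for the archive itself; remaining quasi-identifiers such as site and birth year should be reviewed for re-identification risk before the data is treated as anonymous.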
The GDPR provides specific derogations where personal data is processed for research purposes. For example, the principles of purpose and storage limitation can be exempted. Thus, personal data may be retained for longer than necessary and used for a purpose not specified at data collection if it is to be used for research (refer to secondary uses of clinical trial data below).
Where personal data is processed for archiving purposes in the public interest or for research purposes, Union or Member State law may also provide for derogations from the rights referred to in Articles 15 (right of access), 16 (right to rectification), 18 (right to restrict processing), 19 (notification), 20 (portability) and 21 (right to object) subject to the conditions and safeguards mentioned previously. It is essential to seek guidance on the applicability of any potential derogation mentioned in the GDPR to ensure continued compliance.
External archiving of the clinical trial master file
Following the completion of a clinical trial, the essential documents that make up the TMF (Trial Master File) are retained and archived by the sponsor, the investigator and, in some cases, sub-contractors to the sponsor and/or investigator. Essential Documents are those documents that individually and collectively permit evaluation of the conduct of a trial and the quality of the data produced. The essential documents consist of trial-specific documents and non-trial-specific documents.
The archiving of essential documents is the responsibility of both the sponsor and the investigator. As the overall accountable party for the clinical trial, the sponsor must ensure that investigators and third parties agree to maintain and archive the essential documents, with this duty set out in their contract with the trial sponsor.
If the sponsor arranges the external archiving of the TMF on behalf of the investigator/institution (who should retain control of their part of the TMF), consideration should be given to personal data protection and confidentiality from an unauthorised-access perspective. Thus:
- archiving arrangements, including the location of the (electronic) archive, should be formally agreed upon and documented between the sponsor and investigator/institution
- a formal procedure should be in place such that the documents are only released from the external archive or (remotely) accessed with the approval of the investigator/institution
- the documents should be physically or electronically transferred directly between the investigator site/institution and the archive facility independent of the sponsor, thereby ensuring that the sponsor/CRO does not have access to the investigator TMF.
Secondary uses of clinical trial data
Clinical data, including data generated in clinical trials, are valuable resources for scientific health research. Such data have the potential to yield therapeutic insights and discoveries, independently of whether they are used for the initial purpose of the trial or reused later for different health-related scientific research purposes.
The GDPR facilitates the use of personal data for scientific research by providing several exemptions to the usual rules applying to the processing of personal data. These exemptions recognise the potential benefits of using personal data for scientific research. Each exemption is subject to implementing safeguards to protect the data subjects.
Regarding the obligations to provide detailed information to data subjects about the processing of their personal data, Article 14 states that it ‘shall not apply where and insofar as the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’.
GDPR recital 33 acknowledges that ‘it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection’. In other words, this recognises that the subject of future research may be unknown at the time a patient gives their consent to the use of clinical data for scientific purposes.
The Clinical Trials Regulation explains this further when it says that ‘it is appropriate that universities and other research institutions, under certain circumstances that are in accordance with the applicable law on data protection, be able to collect data from clinical trials to be used for future scientific research, for example for medical, natural or social sciences research purposes. In order to collect data for such purposes, it is necessary that the subject gives consent to use his or her data outside the protocol of the clinical trial and has the right to withdraw that consent at any time’.
Patient Information Sheets should consider the potential for further processing of clinical trial data.
What other aspects of your compliant data privacy system must be maintained after closing your clinical trial?
In addition to considerations regarding the personal data itself, what about policy documents and roles such as the Data Protection Officer or EU or UK data protection representative?
In short, every situation is different, and the answer depends on factors such as:
- is the medical product or device still going to be developed?
- is the product being transferred to another party?
- will the sponsor still be collecting and processing personal information?
If a clinical development program is shut down or the sponsor goes out of business, you must carefully secure the personal data from the clinical trial. Usually, this involves dead archiving in a secure facility with a nominated person responsible for maintenance during the normal retention period. This person should also be available to respond in case of any data subject requests.
How can we help you?
As a GDPR compliance consultancy with 25+ years of experience in pharmaceutical clinical development and data protection, our specialist team at Pharma Data Protection always advise clients to seek guidance on their individual circumstances in the planning stages of a clinical trial.
Thanks to our combined expertise, we pragmatically apply the GDPR legislation and support you in making the necessary changes to policies, documentation, and processes.
GDPR compliance is not something that can be applied retrospectively, and GDPR data requirements when closing a clinical trial must be planned and implemented from the very beginning of the trial.
We can work with you, considering the specifics of your business and clinical trial and help you prepare documents in respect of privacy notices, archiving records (including information about where, how, safeguards in place, duration, processes for destruction, and who is responsible) and retention policies. We can also guide you on other aspects of your privacy system that you may need to retain after your clinical trial ends.
Talk to us about GDPR data requirements when closing a clinical trial.