GDPR’s involvement in Clinical Trials
What is the new GDPR and how will it affect the Clinical Research Sector?
The new General Data Protection Regulation (No. 2016/679, or ‘GDPR’) came into force on 25 May 2018 across all EU countries including the UK. The new Regulation aims to provide a high level of protection for personal data, to ensure that organisations use the data in a lawful, fair and transparent way.
Personal data is any information concerning a living person which is identifiable either on its own or with other information you might have access to. Organisations also need to meet additional conditions when processing sensitive personal data such as medical or genetic data.
So what impact will the new GDPR have on the Clinical Research sector?
GDPR highlights the need for organisations to have processes in place to ensure data is processed securely and accurately, and in accordance with legal and ethical responsibilities. Clinical research is already highly regulated with many existing processes and procedures in place to ensure the principles of data protection are upheld, including Research Ethics Committee approval, Health Research Authority (HRA) assessment and Good Clinical Practice (GCP) guidance.
In addition, study-specific methods are used to safeguard participants’ data, such as stringent arrangements for security and storage of data, anonymising or pseudonymising data wherever possible, only collecting data that is needed (‘data minimisation’) and minimising the number of participants recruited.
GDPR has strengthened the conditions for consent. However, consent is not new in clinical trials. Informed, voluntary consent in clinical research is fundamental in protecting participants’ health and welfare, and is already a requirement of GCP. In line with GDPR, the consent process in clinical research should ensure organisations treat study participants in a fair and transparent way, providing information about what their data will be used for, who will process it and how it will be stored. Clinical research organisations will also need to make sure study participants have access to data protection and privacy policies.
Exceptions to GDPR applicable to Clinical Research
If clinical trial participant data has been anonymised, it is no longer identifiable and is not categorised as personal data, so the GDPR requirements no longer apply. However, to meet ethical considerations, clinical trial participants should still be kept informed about what is happening to their data even when it is no longer personal data.
It should also be noted that pseudonymised personal data, such as encrypted data where the encryption can be reversed, is not exempt.
Clinical research records are retained for long periods (more than 20 years is common), in case further analysis or monitoring is required. The emphasis in GDPR is on data minimisation, both in terms of the volume of personal data stored and how long the data is retained. There are, however, certain circumstances exempt from the rules, including archiving processes used in ‘public or scientific interest’, which should include all health research. With the prominence of data minimisation in the GDPR, it is good practice to remove participant identifiers from archived records whenever possible.
Other exemptions mean that normally there will be no right for research participants to access their data, rectify it or have their data erased. Trial participants do, however, have the right to withdraw consent for their data to be used, although this would usually only prevent any additional data being collected.
Processing of sensitive personal data for safety surveillance and pharmacovigilance purposes is still justified as it is in the public interest to safeguard health. Such data on reported adverse events to medications or devices includes information on the patient and the reporter (e.g. patient, family member or healthcare provider). Although the patient or reporter should be informed how their personal data is being used, it is not necessary to obtain their consent before reporting such data to regulatory authorities for safety surveillance purposes. The organisation responsible for collecting and reporting this data must still have specific safeguarding measures in place for processing and storage to ensure data security and confidentiality are maintained. Data minimisation should also be adopted.
Health research using patients’ data can bring benefits to individuals and to society as a whole, but there needs to be a balance between what is in the public’s interest and respect for personal privacy. The new GDPR may require clinical research organisations to tighten some of their processes around data protection, but this should only strengthen the existing ethical and lawful responsibilities around clinical research, to ensure the rights and well-being of trial participants are protected and their data is used in a lawful, fair and transparent way.