If you carry out clinical trials you will be used to complying with the requirement to obtain informed consent from participants. However, data protection law sits alongside clinical trials rules as an additional requirement. With the new, much more extensive, obligations of the General Data Protection Regulation, or GDPR, there have been concerns about how the two sets of rules fit together and what clinical trial sponsors need to do to ensure full compliance. We have discussed these issues in an earlier blog.
The GDPR only allows processing of personal data if it has a permitted legal basis. Data processors have to consider in advance what legal basis might apply and make sure that this is properly communicated to data subjects. An additional layer of complexity is added when the personal data in question falls into a special category of particularly sensitive information, and this includes health data.
The European Data Protection Board’s 23 January opinion provides a greater degree of comfort at least in relation to the legal basis for processing. The EDPB separates processing into two categories:
- processing operations relating to research activity
- processing operations relating to the protection of health, as required by legislation.
Where the sponsor is carrying out activity required under clinical trials legislation (whether national or at EU level), this will normally fall within the “legal obligation” basis for processing. Examples are data processing for safety reporting or inspections, or for meeting archiving requirements. This kind of processing can include special category data under the “public interest in the area of public health” basis.
In contrast, where processing activity is carried out for the purposes of research different considerations apply. The legal basis for this processing may be
- explicit consent
- a task carried out in the public interest
- the legitimate interests of the controller
For public interest and legitimate interest grounds, processing of special category data may be permissible under “reasons of public interest in the area of public health” and “ scientific… purposes”.
Importantly, consent for the purposes of GDPR is not the same as informed consent for the purposes of a clinical trial, flowing from the Helsinki Declaration. A key difference is the “freely given” requirement. The EDPB view is that there will in many situations be an imbalance of power between a sponsor or investigator and trial subject, making consent inappropriate as the legal ground for data processing. It is also worth noting that if consent is relied on, the data subject will be entitled to withdraw it at any time, making further processing illegal.
Public interest/controller’s legitimate interest
The EDPB opinion gives comfort to trial sponsors and investigators that these grounds for processing are likely to be relevant. Reliance on the public interest ground will apply where the conduct of the clinical trial “directly falls within the mandate, missions and tasks vested in a public or private body by national law”, but even where this is not the case, the EDPB is willing to recognise the legitimate interest ground. Of course, the general obligations under the GDPR (to keep information secure, for example) will apply.
Secondary uses of clinical trial data
Where the sponsor wishes to use the data for purposes not envisaged in the trial protocol, but still for scientific purposes, the EDPB indicates that a new legal basis is unlikely to be necessary.
This is not the last word on the subject. We can expect the EU Commission to produce an updated Q&A document to assist clinical trial sponsors with meeting their obligations.