What should be the basis for processing of data in clinical trials? The approach recommended by the HRA for UK trials is unlikely to work in all EU27, but we hope that the new EDPB guidance will set out an EU-wide approach - as we explain in this article.
In April 2018, the UK Human Research Authority (HRA) first published its guidance on how the ethics committees (ECs) and sponsors of clinical trials in the UK should approach GDPR. This guidance stated that sponsors should not rely on consent for the processing of personal data in the context of clinical trials, but rather on legitimate interests as legal basis for processing of personal data under Article 6 of the General Data Protection Regulation (GDPR). The HRA guidance was subsequently amended to clarify that in the case of sensitive data (which cannot be processed on the grounds of legitimate interest), Article 9.2 (i) or (j) GDPR should be relied upon as lawful basis for processing.
Other regulators throughout Europe have issued a patchwork of guidance on this subject. In many cases, such local guidance differs from the guidance issued by the HRA. This situation makes life difficult for commercial sponsors of multi-site clinical trials to find a one-size-fits-all approach to the processing of data in clinical trials, especially as they risk not getting the approval of the relevant EC, if the legal basis they decide to follow does not match the one recommended in the local guidance.
In the UK, our experience is that the ECs, with support from HRA's staff, are prepared to consider a reasonable and coherent one-size-fits-all approach to the processing of data proposed by a sponsor on a case by cases basis (whether the sponsor follows the HRA guidance or not). Moreover, once the one-size-fits-all approach is approved by the HRA and the UK EC, the HRA is prepared to honour the validity of such approach for subsequent trials that the sponsor files for approval in the UK.
We are not aware that the approach described above is being followed by regulators or ECs in other jurisdictions. Therefore, the risk that sponsors will need to localise their clinical trial documents is high.
This situation may be remediated by guidance at EU level, so we strongly recommend you review guidance from the European Data Protection Board (EDPB) on GDPR and the new clinical trial regulation.
BACKGROUND
Clinical trials of medicinal products are regulated for a number of reasons, including ensuring:
- that the results are sufficiently robust to validly substantiate the safety and efficacy of the product being studied, while the patients are treated ethically (i.e. scientific rigour and subject's safety); and
- appropriate collection and use of large amounts of sensitive personal data (i.e. data protection).
This dichotomy reflects the fact that in the context of clinical trials, the trial subject has two big things to give: (1) access to their body for the sponsor to test the medicinal product; and (2) their personal data for the sponsor to be able to interpret the results of the trial. Whilst for a long time, the latter was just an after-thought; GDPR has brought subjects' personal data to the fore.
Before starting a clinical trial anywhere in the EU, the sponsor must obtain a positive opinion from a local EC. ECs are independent bodies with a responsibility for protecting rights, safety and well-being of the trial subjects. When providing their opinion in relation to a clinical trial, the EC should consider the adequacy and completeness of the written information to be given to the trial subjects, and the procedure to be followed for the purpose of obtaining their informed consent.
Informed consent is a freely taken decision by the trial subject to take part in the clinical trial. The trial subject must be informed of the health and other risks and implications for them personally of their participation in that trial, before giving their informed consent, which must be in writing, dated and signed. This is recorded using an EC approved informed consent form (ICF).
In addition, a clinical trial may be undertaken only if the rights of the subject to privacy and to the protection of the data concerning them are safeguarded. Note that from privacy law perspective, a clinical trial involves en masse processing (i.e. collection and use) of special categories of personal data (i.e. data concerning health, also known as sensitive personal data). In order to carry out such processing lawfully under GDPR, the sponsor must have both:
- a legal basis for processing of any kind of personal data under Article 6 GDPR; and
- a ground for lawfully processing special categories of personal data under Article 9 GDPR.
Consent for processing is both a legal basis under Article 6 and a ground for lawfully processing under Article 9 GDPR.
This is where harmonisation at the EU level ends: exactly how an EC assesses whether the subject's rights have been properly protected (and if their data are processed lawfully) is a decision made at national and, in some cases, regional level.
Informed consent needed for the purposes of a clinical trial is very different from consent for processing under GDPR. Informed consent to participation in the trial must always be obtained to ensure the trial complies with the requirements of the Directive 2001/20/EC and Declaration of Helsinki. Consent for processing is just one of a number of possible mechanisms which can be used to ensure that processing of personal data is lawful under GDPR.
WHAT THE HRA SAYS
The HRA recommends that commercial sponsors of clinical trials in the UK do not rely on consent for processing as the legal basis for processing of personal data. Instead, they should rely on:
- the legal basis set out in Article 6(2)(f) GDPR. This provides that processing is necessary for the purposes of the legitimate interests pursued by the sponsor ("legitimate interests basis"); and
- the legal grounds set out in either Article 9(2)(i) (processing for reasons of public interest in the area of public health, "public interest ground") or Article 9(2)(j) (processing for archiving purposes in the public interest or for scientific, historical research or statistical purposes, "scientific ground").
WHAT WE SAY
HRA's solution is counter-intuitive: given that the sponsor has to obtain consent from the subject before enrolling them into the trial (informed consent) anyway, the sponsor could, at the same time, easily obtain explicit consent for processing, and rely on it as the legal basis under Article 6 and ground under Article 9 GDPR.
From a cultural and public perception standpoint, it is also difficult to ignore that a commercial sponsors' ultimate aim is to make a profit for their shareholders. This does not sit comfortably with the "public interest ground" or even the "scientific ground". Whilst it is recommended by the HRA in the UK, we believe this line of argument is unlikely to be accepted by ECs (or indeed the public) in other EU Member States. In practice, we have found that data privacy regulators in some EU Member States (e.g. France) expect sponsors to obtain consent for processing personal data in clinical trials as part of the ICF.
THE WAY FORWARD
Recently (24 January 2019), EDPB announced that following a request from the European Commission (DG SANTE), the EDPB adopted its opinion on the clinical trials Q&A. The opinion addresses in particular the aspects related to the adequate legal basis in the context of clinical trials, and the secondary uses of clinical trial data for scientific purposes. It has now been published guidance and it is likely to be followed by the HRA, even after Brexit.
Whilst we assess the impact of EDPB guidance, sponsors who are seeking UK approval of their one-size-fits-all approach to the processing of data should:
- Plan for costs and delays during your first UK EC approval, but expect a swifter process for any subsequent ones – Our experience is that the HRA, when supporting the UK EC, is prepared to consider a reasonable and coherent one-size-fits-all approach to the processing of data proposed by a sponsor (whether the sponsor follows the HRA guidance or not). Whereas getting the first application may take some time and require some back and forth with the HRA, once the one-size-fits-all approach is approved by the HRA and the UK EC, the HRA is prepared to honour the validity of such approach for subsequent trials that the sponsor files for approval in the UK.
- Carry out a thorough risk assessment – Under GDPR, a controller of personal data must at all times comply with the data protection law applicable to the controller. The safest course for the sponsors is to determine the legal basis and legal ground for processing of personal data on a case-by-case basis. If the relevant data protection authority determines that a "public interests ground" or the "scientific ground" cannot be used in the context of a clinical trial, this will expose the sponsor to liability under data protection law (and may mean that the resulting data cannot be used in support of regulatory submissions). Be prepared to explain your position and why you are deciding to follow the HRA guidance (or not).
- Don't forget other obligations under GDPR – Using the "legitimate interests basis" and the "public interest ground" or the "scientific ground" does not allow the sponsors (public or private) to avoid the considerations about how long they keep personal data of the subjects in the trial, and in what form. The sponsors using those grounds still need to comply with the general data protection principles in Article 5 GDPR, including that any processing of personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means that the sponsor, when designing the trial, still needs to carefully think about: (1) what data they will be collecting; (2) in what form it will be kept, and (3) in each case, on what basis.
Finally, it would be immensely helpful, if the ECs were trained on GDPR. The role of ECs in the context of clinical trials is particularly important as they are supposed to provide independent oversight (which means exercising their independent judgment), and so much of data protection law is about applying the data protection principles on a case-by-case basis.