In clinical trials and studies, a large amount of participant data must be stored and managed. Is that clinical data subject to the GDPR?
In most cases, the regulation does apply to clinical data and must be taken into account.
Anonymised and pseudonymised data
The only exception is clinical trials or studies in which the data is anonymous, since the GDPR does not apply to data that is considered anonymous, as indicated in Recital 26 of the regulation:
“[...] the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
But what does the GDPR consider to be anonymous data? This is an important clarification because, before the GDPR was approved in 2018, data that cannot be classified as anonymous was treated as such.
Before the GDPR was enforced in 2018, dissociating identifying data from clinical data was the most widely used strategy in clinical studies and trials for anonymising participants' clinical data. It basically consists of not entering participants' identifying data into the study's database, where their clinical data is stored.
Once the identifying data has been removed from the clinical information, the problem becomes how to tell which data belongs to which participant, since this is needed on many occasions during the study, for instance when adding new clinical data for a participant at a new visit, when adverse events occur, or when monitors need to perform source data validation.
To solve this issue, in most cases a unique identifier is created for each participant in the study. When a new record is created in the study's database to store the clinical data of a new participant, a unique number is generated in that database and used to identify the new participant, although not directly.
To know to whom a participant's unique identifier belongs, sites keep, in an alternative database (separate from the study's database), the relation between the participant's unique identifier and their personal identification (name, last name, or any other personal identifier such as ID, Social Security Number, etc.). In this system, whenever the identifier for a specific participant is needed, it is looked up in the alternative database.
As a result, anyone with access only to the database holding the clinical information cannot personally identify the participants, because the unique identifier alone is not enough to do so. To identify a participant, access to the alternative database is required, and such access is only granted to each of the sites participating in the study. In addition, each site only holds the data it has collected for the study.
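The dissociation scheme described above, as an added Python sketch that is not taken from any EDC product: the field names, site codes and sample participants are constructed assumptions. Each site keeps its own link table, the study database only ever receives the random identifier and clinical values, and a follow-up visit is attached through a site-side lookup.

```python
import secrets

IDENTIFYING = ("name", "last_name", "national_id")  # assumed field names

class Site:
    """A participating site; its link table is never copied to the study DB."""
    def __init__(self, code):
        self.code = code
        self.link_table = {}  # participant_id -> identifying fields

    def enrol(self, study_db, person, clinical):
        # Random identifier: not derived from the person, so it says nothing alone.
        pid = f"{self.code}-{secrets.token_hex(4)}"
        self.link_table[pid] = {k: person[k] for k in IDENTIFYING}
        study_db[pid] = {"site": self.code, "visits": [dict(clinical)]}
        return pid

    def find_pid(self, national_id):
        # Lookup in the alternative database, e.g. when the participant returns.
        for pid, ident in self.link_table.items():
            if ident["national_id"] == national_id:
                return pid
        return None

    def add_visit(self, study_db, national_id, clinical):
        pid = self.find_pid(national_id)
        if pid is None:
            raise KeyError("participant not enrolled at this site")
        study_db[pid]["visits"].append(dict(clinical))
        return pid

def leaked_identifiers(study_db):
    """Return identifying field names that ended up in the study database."""
    found = set()
    for rec in study_db.values():
        for visit in rec["visits"]:
            found.update(k for k in visit if k in IDENTIFYING)
    return found

def demo():
    study_db, madrid, porto = {}, Site("ES01"), Site("PT01")
    # Constructed sample participants.
    ana = {"name": "Ana", "last_name": "Example", "national_id": "X-0001"}
    rui = {"name": "Rui", "last_name": "Sample", "national_id": "X-0002"}
    pid_a = madrid.enrol(study_db, ana, {"visit": 1, "sbp": 128})
    porto.enrol(study_db, rui, {"visit": 1, "sbp": 141})
    madrid.add_visit(study_db, "X-0001", {"visit": 2, "sbp": 122})
    return study_db, madrid, porto, pid_a
```

The study database holds no identifying fields, yet the enrolling site can still map an identifier back to a person; the existence of that link table is the "additional information" the pseudonymisation definition refers to.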
Thus, before the GDPR was enforced, participants' clinical data was understood to be anonymous if the study's database was dissociated, since the data in the clinical database alone did not make it possible to identify to whom it belonged.
But, as mentioned earlier, this changed with the approval of the GDPR, since the regulation introduces a new concept, pseudonymisation, which is defined in Recital 26:
“...Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person…”
Under this definition, the dissociation technique used in clinical trials and studies is pseudonymisation and, as the regulation indicates, pseudonymised data is considered identifiable data, so the GDPR applies.
The only cases in which the regulation would not apply are those where participants could not be identified in any way. If no unique identifier existed in the clinical study's database, the data would be considered anonymous, as long as participants could not be indirectly identified from the rest of the data.
Given the current state of technology, it is relatively easy to cross-reference different data sources and identify a participant from data that seems non-identifying, such as birth date, patient's initials or other data that would allow the direct identification of the participants.
Thus, in the vast majority of clinical studies and trials, compliance with the GDPR is mandatory.
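To measure the indirect-identification risk described above before a dataset is treated as anonymous, a data manager can count how many records share each combination of quasi-identifiers (the k of k-anonymity). The following Python check is an added example, not part of the original article; the field names and sample rows are constructed.

```python
from collections import Counter

def group_sizes(rows, quasi_ids):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)

def smallest_group(rows, quasi_ids):
    """k of k-anonymity: size of the smallest group of indistinguishable rows."""
    return min(group_sizes(rows, quasi_ids).values())

def singled_out(rows, quasi_ids):
    """Rows whose quasi-identifier combination occurs exactly once."""
    sizes = group_sizes(rows, quasi_ids)
    return [r for r in rows if sizes[tuple(r[q] for q in quasi_ids)] == 1]

def generalise(rows):
    """Coarsen the export: keep only the birth year and drop the initials."""
    return [{"birth_year": r["birth_date"][:4], "dx": r["dx"]} for r in rows]

# Constructed sample export with no participant identifier column at all.
ROWS = [
    {"birth_date": "1961-03-14", "initials": "AE", "dx": "I10"},
    {"birth_date": "1961-07-02", "initials": "RS", "dx": "E11"},
    {"birth_date": "1961-11-30", "initials": "AE", "dx": "I10"},
    {"birth_date": "1975-01-09", "initials": "MT", "dx": "J45"},
    {"birth_date": "1975-05-21", "initials": "LP", "dx": "I10"},
]

def report():
    raw = ["birth_date", "initials"]
    raw_k = smallest_group(ROWS, raw)              # every row is unique
    raw_unique = len(singled_out(ROWS, raw))
    coarse_k = smallest_group(generalise(ROWS), ["birth_year"])
    return raw_k, raw_unique, coarse_k
```

A k of 1 means at least one record is singled out by birth date and initials alone; a higher k after generalisation lowers that risk but does not by itself establish that the data is anonymous.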
Obligations for clinical trials
Health-related data is considered, according to Article 9 of the GDPR, specially protected data, and as such the following specific rules apply to prevent risk in the processing of such information. These rules compel clinical studies and trials to:
- Create and keep up to date a record of processing activities, in which the processing of personal data is documented.
- Designate a Data Protection Officer (DPO) (article 37.1 c)
- Perform a “Data protection impact assessment” (DPIA) (article 35 of the GDPR)
The “Data protection impact assessment” (DPIA) will be carried out by the data protection officer (at the request of the processor), the study sponsor and the participating sites. In this assessment, the technical security measures are defined in order to guarantee the protection of personal data.
Technical security measures in clinical trials
Unlike previous regulations, the GDPR does not specify a list of security measures. It states that the security measures to be implemented will be decided based on the risk analysis and the impact assessment.
Any security measures will follow the basic concepts of information security:
- Confidentiality: Only authorized personnel can access the information.
- Integrity: Data cannot be modified, manipulated or altered by unauthorized personnel.
- Availability: Data can be accessed at any given moment.
- Resilience: The information system should be able to continue running even through incidents and issues.
According to the GDPR, those measures must consider:
“...the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” (art. 32)
Although the GDPR does not define concrete security measures, Article 32 does indicate the minimum protection measures to be established:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
ShareCRF and the GDPR
When clinical data from a clinical study or trial must be stored, in most cases compliance with the GDPR is mandatory and data concerning health is specifically protected. This makes the security measures to be taken both critically important and complex.
Deploying all the security measures needed for a clinical study's database to comply with GDPR requirements is a complex and laborious process. That is why ShareCRF incorporates many technical security measures that allow the clinical studies and trials using it to comply with the GDPR easily and efficiently.
ShareCRF is a platform for the capture and management of clinical data in clinical studies that is ISO 27001 and ISO 9001 certified.