On 23 January 2019, the European Data Protection Board (EDPB) adopted an opinion on the interplay between the EU Clinical Trials Regulation (CTR) and the EU General Data Protection Regulation (GDPR). The Opinion addresses the appropriate legal basis for the processing of personal data in the context of clinical trials (primary use), and the secondary use of clinical trial data.
Legal basis for the processing of personal data in a clinical trial (primary use)
The Opinion states that for processing related to reliability and safety purposes (e.g., safety reporting, archiving of the clinical trial master file, and disclosure of clinical trial data to national competent authorities) the relevant legal ground under Article 6 of the GDPR to process such data is compliance with a legal obligation. In addition, a derogation under Article 9 of the GDPR to permit the processing of health data is required, which would be where the processing is necessary for reasons of substantial public interest in the area of public health.
However, the legal obligation ground is not available for operations purely related to clinical research activities. For such activities the EDPB suggests one of the three following legal grounds under Article 6 of the GDPR.
- Explicit consent of the data subject – The EDPB states that informed consent under the CTR should not be confused with the idea of consent as a legal ground under the GDPR. Rather, for a controller (e.g., a clinical trial sponsor) to rely on consent under the GDPR, it must ensure that all conditions in the Working Party 29 Guidelines on Consent are met. In particular, sponsors should ensure the consent is freely given (i.e., the study subject has a genuine choice and there is no clear imbalance between the study subject and the controller). Notably, the EDPB considers there to be a clear imbalance of power where the study subject is not in good health. In addition, the EDPB reiterates the position under the Guidelines that where a study subject withdraws their consent to processing, all research activities carried out with the clinical trial data on the basis of consent should cease. For these reasons, the EDPB does not consider that consent under the GDPR will be an appropriate legal ground in most cases and where relied upon a careful assessment should first be carried out.
- Task carried out in the public interest – An alternative legal ground is performance of a task carried out in the public interests when the clinical trial falls within the tasks vested in a public or private body by national law (e.g., public authorities and universities). However, this legal ground is unlikely to be relevant for a commercial company and/or charitable research organisations.
- Legitimate interests – The EDPB states that where not in the public interest an alternative legal ground for processing clinical trial data is where it is in the legitimate interests of sponsor – although, a legitimate interest assessment should still be undertaken and documented. Depending on the specific circumstances, the most relevant derogation under Article 9 of the GDPR to permit processing of health data would be either where the processing is necessary for reasons of substantial public interest in the area of public health, or where the processing is necessary for scientific research purposes in accordance with Article 89(1) of the GDPR.
Secondary uses of clinical trial data for scientific purposes
The EDPB states that where personal data are further processed for scientific research purposes, other than those purposes defined in the clinical trial protocol, then these secondary uses shall not be considered incompatible provided that the processing is subject to appropriate safeguards which ensure technical and organisational measures are in place—and in particular to comply with the principle of data minimisation. In such a case, further processing will be permitted without the need for a new legal basis.
The Opinion is helpful in that it provides some much needed clarity in what has been a very uncertain area since implementation of the GDPR. What does remain to be seen is how ethics committees will respond to the Opinion and, in particular, the view that consent is in most cases not an appropriate legal ground for the purposes of the GDPR in the context of clinical trial activities.
In terms of what sponsors should do next, we recommend the legal grounds relied on in the context of their clinical trial activities be carefully reviewed. Where necessary, this may involve reviewing clinical trial protocols, reviewing and updating informed consent forms and undertaking legitimate interest assessments as well as other GDPR actions.