Mary Kay Sobcinski, Sr. Clinical Principal Advisor
In part 1 of this blog, we discussed the background of GDPR and key elements for sponsor consideration. In part 2, we’ll discuss specific requirements, including new terms with specific definitions, implications for clinical researchers and sponsors, and required elements to include in GDPR-compliant informed consent forms (ICFs).
Informed Consent Process Requirements
There are specific elements related to data privacy that must be included in the data privacy notice. For clinical studies, the easiest method to ensure the information is presented is to include it in the study’s informed consent form (ICF). Consent must be unambiguous, given in writing, and cannot be obtained by passive means such as unchecking a pre-checked box. The process for informed consent can meet all of these stipulations.
Informed Consent Elements
Many of the same principals apply to informed consent when complying with GDPR. However, ensure your written consent includes the following elements:
Identity and the contact information for the data controller (sponsor).
Contact information for the data protection officer (designated sponsor contact).
Special categories of “sensitive personal data” that will be collected for the study, such as:
– Age, sex, ethnic and racial background.
– Health and medical conditions including past medical history.
– Study procedures and response to procedures.
– Information related to the participant’s sex life.
– Biological samples (e.g., urine, blood, tissue and the results learned from analyzing them).
– Medical images (e.g., ultrasound scans) and the results learned from evaluating them.
Data privacy rights:
– The right to request information about the handling of the participant’s data.
– The right to request correction of data if they are inaccurate or incomplete, and to restrict processing while they are being corrected.
– The right to request transfer of data to the participant or others in a commonly used format.The right to withdraw consent at any time, including the right to withdraw from study participation, follow-up or further handling of data. Note: It is acceptable to add a limitation that data already processed are legally covered by the original consent, but no further data will be collected.
– The right to request deletion of the participant’s data if the data are no longer needed, or there is no other legal requirement for their use.
Note: FDA regulations require retention of the participant data for specified periods of time; therefore, it is acceptable to state that data will be kept indefinitely.
Transfer of data: A statement about the circumstances under which data will be transferred, to whom, and safety measures taken to protect the data (e.g., data are encoded).
If data will be transferred outside the EU: A statement that the countries who are receiving the data may not have had their data protection level confirmed as adequate by the European Commission, and any safety measures taken to protect data privacy rights.
Note: The European Commission has not confirmed that the US has an adequate data protection level and does not believe that the US level is adequate under GDPR at this time. However, actions can be taken such that compliance can be achieved on a case-by-case basis.
The policy for retention of data: A statement describing how long data will be stored e.g., indefinitely or “in perpetuity.”
A statement than consent is “freely given,” which must include an active and explicit statement that consent is freely given and can be freely withdrawn easily and without penalty.
The purpose of the data request: specify that the intent of data collection is “for the scientific purposes of the research.”
Impact on Study Management and Data Collection
GDPR also impacts studies in process. Consider the following four points:
1. If existing ICFs aren’t compliant, the sponsor needs to re-consent subjects to continue to collect data going forward.
2. Data collected before GDPR are not required to have been collected under GDPR-compliant ICFs.
3. If a subject withdraws from a study, the data already collected can still be used and stored indefinitely, as long as this is clearly stated in the ICF.
4. Informed consent checklists, if used, should be updated to include GDPR requirements.
As a sponsor and data controller, you retain the responsibility for onward transfer of data, meaning data protection contracts should be in place with any vendor that accesses or may access personal or sensitive data. These contracts must clearly define all of the aspects of data integrity and security required to comply with GDPR.
The uncertainty and angst surrounding GDPR compliance is akin to that which accompanied the introduction of HIPAA requirements in 2003, but as with HIPAA, time and ongoing discussions will provide clarity to this evolving topic.
RCRI experts are ready to support you as you delve into GDPR compliance. To be put in touch with an expert, contact Samantha Spence at firstname.lastname@example.org or 952-224-2260.
Advarra Regulatory The GDPR and its impact on the clinical research community (including non-EU researchers). Advarra. https://www.advarra.com/the-gdpr-and-its-impact-on- the-clinical-research-community-including-non-eu-researchers/ Accessed 31 Jul 2018.
Clinical Trial General Data Protection Regulation: the impact on clinical trials and data subjects. http://www.clinicaltrialsarena.com/uncategorized/general-data-protection-regulation-the- impact-on-clinical-trials-and-data-subjects-5937623-2/ Accessed 31 Jul 2018.
General Data Protection Regulation (GDPR): https://gdpr-info.eu/ Accessed 31 Jul
Gogates How does GDPR affect clinical trials? Applied Clinical Trials. http://www.appliedclinicaltrialsonline.com/how-does-gdpr-affect-clinical-trials Accessed 31 Jul 2018.
Kirsch Howe GDPR affects personal data use in in clinical trials. MassDevice. https://www.massdevice.com/how-gdpr-affects-personal-data-use-in-clinical-trials/ Accessed 31 Jul 2018.
LMK Clinical Research. Is your TMF ready for GDPR? Part two: know your http://www.lmkclinicalresearch.com/blogs/tmf-ready-for-gdpr-part-two/ Accessed 31 Jul 2018.
Proffitt What Europe’s new privacy regulations mean for US trials. Clinical Informatics News. http://www.clinicalinformaticsnews.com/2017/10/24/what-europes-new-privacy-regulations- means-for-us-trials.aspx Accessed 31 Jul 2018.
This two-part blog serves to summarize RCRI’s research on General Data Privacy Regulation (GDPR) compliance for medical device sponsors. It does not serve as legal advice; it is a summary of information gleaned by RCRI through a review of the GDPR itself and publicly available resources on current interpretations of GDPR compliance. RCRI recommends that sponsors obtain legal counsel on this very new and evolving clinical research topic.