Personal Data: new interpretative recommendations in Clinical Trials
On January 23, 2019, the European Data Protection Board (EDPB) published an opinion on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) regarding the processing of clinical trial data.
The legislations provided by the CTR and the GDPR apply simultaneously in the context of clinical trials. The European Commission has therefore consulted the EDPB in order to clarify the interaction and coordination between the two legislations (Opinion 3/2019). In this context, the EDPB’s indications are useful for those interested in conducting a clinical trial in order to fully comply with the regulatory provisions, in light of the effective implementation of the CTR, expected starting 2020, following the preparation of the portal and the database of clinical trials in the EU.
In the Opinion 3/2019, the EDPB focused on identifying the appropriate legal basis for all processing operations of patient data during clinical trials (primary use) and for any processing of the clinical trial data for other scientific purposes (secondary use), also identifying cases where the participant’s consent may not be necessary.
It is, however, necessary to specify that the indications issued by the EDPB must be integrated into the national legislation on the processing of health data (adopted pursuant to Article 9, paragraph 4 of the GDPR), and in particular with the provisions of Article 2-septies of the amended Data Protection Code, based on which the Italian Data Protection Authority (Garante) adopts further warranty measures. In this regard, the Garante’s draft resolution issued on December 13, 2018 (subject to public consultation), identified the provisions of the Garante’s previous general authorizations that seem to be compatible with the GDPR. Moreover, it is advisable to consider Article 110-bis of the amended Data Protection Code, which requires the Garante’s authorization in the event that further processing for scientific purposes is carried out by third parties, other than the data controller who processed the data for primary use.
Primary use of personal data: processing in the course of the clinical trial protocol
In the context of primary use, the EDPB considered it appropriate to distinguish two main types of processing: operations related to reliability and safety purposes and those carried out specifically for research activities in relation to clinical trials.
In the first case, the EDPB identified Article 6(1)(c) of the GDPR as the legal basis for the processing of data related to reliability and safety purposes. It consists of the requirement for the data controller to comply with legal requirements, such as drafting safety reports, filing data in the clinical trial files, communication data to the competent authorities, among other things. The corresponding legal basis for the processing of special categories of data, including those relating to health, is Article 9(2)(i) of the GDPR, which refers to the need for processing, “for reasons of public interest in the area of public health, such as […] ensuring high standards of quality and safety of health care and of medicinal products or medicinal devices.”
As mentioned above, the legal basis for the processing of data carried out specifically for research activities in the field of clinical trials varies. In this case, according to the specific circumstances of the clinical trial, data processing can be based on the explicit consent given by the subject concerned or can relate to a different legal basis as explained below.
The critical points of consent as the legal basis for data processing
The requirement for participants’ informed consent is provided for by the CTR and the GDPR, but with varying logic and purposes. The informed consent required by the CTR aims to safeguard human dignity and the integrity of the person, while explicit consent from the perspective of the GDPR is necessary as a prerequisite for the processing of data, including health data. According to the GDPR, consent shall be explicit, freely given, specific, informed and unambiguous. In particular, since consent shall be given freely, the person concerned shall be guaranteed a real and true choice.
However, in the context of clinical trials, it would be contradictory if a subject gave consent to attend the trial for the purposes of the CTR and, at the same time, denied consent for the processing of personal data, thus making it impossible to attend the clinical trial (which undoubtedly involves the processing of the patient’s personal data). In this respect, it is unlikely that the participant’s consent would meet the requirements of the GDPR, in particular regarding the requirement that the consent is “freely given”.
Moreover, the EDPB also has doubts as to whether consent can be a valid legal basis in situations where there is an imbalance of power between the data subject and the controller: for instance, where the participant is not in good health or the participant belongs to economically or socially disadvantaged groups, or where there is a situation of institutional or hierarchical dependency.
Therefore, according to the EDPB’s opinion, consent may not be an appropriate legal basis for the processing of participants’ personal data in clinical trials.
Data processing with an alternative legal basis to consent
In light of the concerns surrounding free consent in the context of clinical trials, it seems preferable for the controller to adopt an alternative legal basis.
In particular, the EDPB suggests the following legal bases:
(i) Article 6(1)(e) of the GDPR, when the “processing is necessary for the performance of a task carried out in the public interest” (for example, where the conduct of a clinical trial falls directly within the mandate, missions and tasks ascribed to a public or private body under national law); or
(ii) Article 6(1)(f) of GDPR, which provides that the processing of data “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”.
However, for processing special categories of data, such as genetic data and health data, the existence of only one of the legal bases provided for in Article 6 is not sufficient, and it is necessary to combine it with one of the legal bases provided for in Article 9 of the GDPR. In particular, the EDPB suggests that, depending on the specific case, either letter (i) which requires the existence of a public interest in the area of public health, or letter (j) which refers to scientific purposes as the objective of the processing, provided that the safeguarding measures set out in Article 89 of the GDPR (such as the pseudonymization of data) are respected.
Therefore, the EDPB confirms that there are legal bases, alternative to consent, for the processing of patient data in the context of clinical trials. Consequently, for the cases in which such legal bases are applicable, consent under the GDPR is not necessary, while informed consent under the CTR remains essential.
Secondary use of clinical trial data for scientific purposes outside the clinical trial protocol
It is possible that data controllers have an interest in processing data outside the clinical trial protocol for which the data was collected. In this case, the CTR requires that the Controller obtains specific consent for the additional purposes.
Under the GDPR, it is necessary to identify a specific legal basis for this additional processing, which may or may not correspond to the legal basis used for the processing of data in the course of clinical trials, that is for primary use. Therefore, where other legal bases cannot be considered applicable to such secondary use, the participant’s consent becomes once again necessary, provided that such consent complies with the requirements of the GDPR (free, specific and informed). In relation to the secondary use of health data used in clinical trials for further scientific research purposes, the EDPB has clarified that it is not possible to exclude, a priori, the presumption of its compatibility with the initial purposes as provided for in Article 5(1)(b) of the GDPR.
In conclusion, it cannot be excluded that the controller may process the data for a different purpose without identifying a new legal basis. Given the complexity of the topic, the EDPB will have to give its opinion on this issue in the future. In the meantime, the Committee does not rule out the application of the presumption of compatibility in the area of clinical trials.