Upholding patient privacy is crucial throughout the clinical trial process, but organisations must continue to maintain these safeguards even after the trial concludes. In the final blog of our three-part series, we look at how DPOs support Sponsors and Contract Research Organisations (CROs) in safeguarding personal data as a clinical trial comes to an end.

During a clinical trial, various types of sensitive and personal data are collected for patient identification and tracking. However, after the trial concludes, only core data needed for regulatory compliance and future research should be retained, while personal identifiers can typically be deleted securely to comply with GDPR data minimisation principles (Article 5(1)(c)). 

Regulatory requirements across jurisdictions

As a clinical trial draws to a close, organisations should note that data protection regulations are not one-size-fits-all and may vary from jurisdiction to jurisdiction. For example:

  • The EU’s GDPR requires explicit consent for processing sensitive data (Article 9) and transparency on how the data will be used (Articles 13 and 14). This is especially important where organisations plan to use the data post-clinical trial.
  • The US’ Health Insurance Portability and Accountability Act (HIPAA) governs health data, requiring explicit consent for use or disclosure beyond the trial (45 CFR § 164.508).  

Other countries, such as Canada, Australia, and Japan, also emphasise informed consent and anonymisation of all sensitive data that is collected.  

Whilst some of the regulations overlap, international trials must navigate varying compliance obligations to protect participant privacy as there is no single global privacy standard. This becomes especially tedious where a clinical trial ends abruptly, either due to termination of the product or the sponsor’s liquidation. 

Potential challenges in the conclusion stage 

When concluding a trial, organisations must ensure that all data is accurate, relevant, and retained for the purpose it was originally collected and processed. The DPO ensures that this process aligns with the Patient Information Leaflets and Informed Consent Forms provided to participants at the beginning of the study. 

How a clinical trial concludes can impact data protection practices. For example, if a trial ends prematurely, this may impact data integrity and accuracy due to incomplete data collection. Regardless of whether a trial ends prematurely, data must be securely stored and retained for regulatory or future research purposes, and additional safeguards such as anonymisation or erasure of inaccurate data may need to be carried out.

A planned conclusion of a trial allows for a more structured approach to data review, analysis, and retention. It is important to note that the retention period applies to a specific number of years after the official end date of the clinical trial, not the planned end date. 

Retention periods and exceptions for clinical data 

Once a trial concludes, data no longer needed for scientific or research purposes must be disposed of per the relevant retention periods. The GDPR (Article 5(1)(e)) limits personal data retention to what is necessary for its original purpose. However, trial data often falls under exceptions due to its potential value for future research or regulatory needs. For instance, records in the Trial Master File (TMF) can be retained for up to 25 years under the Clinical Trials Regulation (CTR), allowing for inspection, verification, and secondary research use. 

Once the retention period expires, proper disposal is critical, especially for electronic records, which GDPR mandates be securely erased or anonymised. While physical records can be shredded, electronic data requires tracking across devices like USBs and laptops to ensure all data is erased in a secure and timely manner.  

DPOs can help establish suitable retention and deletion schedules. In cases of external archiving, Sponsors must ensure data protection standards are met, with DPOs advising on third-party agreements and overseeing audits.

Privacy regulations like GDPR and HIPAA emphasise the importance of transparent, secure data management for retention and disposal post-clinical trials. HewardMills can help ensure compliance by assessing your organisation’s retention periods, storage, and disposal methods, aligning practices with GDPR or relevant privacy standards.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.