Clinical trials have become increasingly significant in the development of modern medicine, frequently attracting news coverage for ground-breaking advancements or novel approaches to patient treatment. Clinical studies depend on gathering and analysing enormous volumes of personal data; often, the most sensitive kinds of health data. To preserve public confidence and comply with applicable data protection regulations, this personal data must be handled in an ethical and legally compliant manner.
One of the most critical questions that lies at the heart of the governance structure for clinical trials appears, on first glance, to be surprisingly straightforward: who is the data controller?
However, in today's clinical data security landscape, one of the most difficult problems is comprehending controllership and how it applies in multi-party research settings.
What do we mean by “controllership” in clinical research?
Under the GDPR, the division of decision-making authority over the processing of personal data is where the roles of data controllers and processors diverge. The primary decision-makers who choose the methods and goals of processing are data controllers. They also choose whether to start processing and under what circumstances. The entities that handle personal data on behalf of the controller are known as data processors, and they have little discretion over how the data is handled.
While this appears simple in principle, in reality the complexities of clinical studies often make it difficult to distinguish between these functions. Personal data is handled by laboratories, data analytics providers, sponsors, and investigators. Each could have some degree of decision-making authority, although it might not be the same. As a result, the issue of controllership in clinical research is complex and frequently disputed.
However, for the vast majority of health research, the data is gathered for the research project via the protocol, case report form, and/or structured data fields in a database, as decided by the sponsor. As a result, the sponsor controls the research data and would therefore be the sole controller.
The compliance challenge
The GDPR expects transparency and accountability from all stakeholders, but clinical trials rarely fit neatly into one structure. Among the persistent difficulties are:
- Contractual ambiguity: agreements may designate parties as "processors" or "controllers" without taking into account the realities of decision-making
- Participant transparency: participants need to know who owns their data, why, and how to exercise their rights
- Cross-border consistency: documentation and roles in multinational research need to be consistent across borders
Numerous parties, including sponsors, funders, researchers, healthcare groups, academic institutions, pharmaceutical corporations, and private entities, come together for health research. The intricacies and interdependencies among the major roles make it difficult to strictly apply the "controller" and "processor" requirements, even if this multidisciplinary approach adds inherent value to research efforts.
How to define controllership
The European Data Protection Supervisor and the Article 29 Working Party have both recognised the intricacy of real-world situations and proposed a number of criteria to support figuring out "who-is-who" in a relationship, such as:
- Independence and self-reliance
- Direct interaction with the individuals who provide the data
- Professional skill and judgement
- Making decisions actively
- Explicit, factual, or legal accountability and competence
- Access to data subjects
We also advise the following best practices in defining controllership in clinical trials:
- Map data flows: recognise precisely what personal information is gathered, where it goes, and who decides what to do with it. The basis of legitimate processing is data mapping.
- Evaluate decision-making positions: determine who decides the means (how) and the goal (why) of processing.
- Formalise relationships: employ Article 26 agreements for joint controllers, clearly defining roles and duties. Use Article 28 data processing agreements, in which one party carefully follows the directives of the other.
- Ensure transparency: make it clear who the controller or controllers are, how data is handled, and how rights may be exercised.
- Update regularly: controllership may change, for instance, when trial data is given to new sponsors or utilised for secondary research. Continuous compliance is ensured by regular evaluations.
- Accountability: written documentation of role evaluations, data protection impact assessments (DPIAs), and contractual decisions is necessary for accountability under Article 5(2) of the GDPR.
The role of the Data Protection Officer
The Data Protection Officer (DPO) plays a crucial and independent role in ensuring the data controller(s) meet their obligations, especially in complex environments like clinical trials. The DPO provides expert advice on data protection and serves as the primary contact point for data subjects and supervisory authorities.
Specifically, the DPO is vital in:
- Providing expert guidance during the initial data mapping and evaluation of decision-making positions to correctly assign controller or processor roles, thereby mitigating legal risk.
- Ensuring the accountability obligations are met, including the proper creation and review of Data Protection Impact Assessments (DPIAs) and the documentation of contractual decisions.
- Working with the controller(s) to ensure the required information on data handling and the methods for exercising data subjects’ rights are clearly communicated to participants.
In practice
Determining who bears the ethical and legal responsibility for safeguarding participant data in clinical studies goes beyond a theoretical exercise. It is crucial to define controllership to determine who is legally in charge of deciding how and why participant personal data is used. This ensures compliance with data protection laws, safeguards participants’ rights, and prevents confusion or liability among stakeholders.
Moreover, it is impossible to overestimate the significance of explicit, documented, and transparent controllership as clinical research becomes increasingly decentralised, technology-driven, and data-intensive.
This is where the support DPOs provide can be invaluable. HewardMills offers global DPO services and supports organisations navigating complexities within various data processing settings, including clinical trials, by providing actionable guidance on evolving regulatory requirements and best practices.