When starting a clinical trial, safeguarding patient privacy is one of many aspects of regulatory compliance to implement from the outset. With many other considerations to take care of, working closely with a Data Protection Officer (DPO) can make the job of complying with key privacy regulations a lot easier. In this three-part series, we will explore fundamental privacy considerations at different stages of a clinical trial. The first part will look at the essentials of compliance in data handling at the set-up phase:
Implementing privacy-by-design from the beginning
Privacy-by-design is a key requirement of the GDPR (Article 25). This GDPR principle requires organisations conducting a clinical trial to embed data protection practices in the design of the trial itself, to ensure that the sensitive data collected are handled with due care.
The DPO’s involvement ensures that crucial guidelines are followed, including:
- Restricting access to the personal data of the patient to only those involved in conducting the trial,
- Ensuring secure storage and transfer of data, with the appropriate encryption measures in place,
- Implementing pseudonymisation or anonymisation techniques,
- Advising on data minimisation,
- Overseeing the application of other security measures to mitigate identified risks.
This ensures that measures are implemented proactively and allows teams to address potential risks and vulnerabilities before they become major issues.
Informed consent or patient consent?
According to the Clinical Trials Regulation, the patient’s informed consent is a prerequisite for their enrolment in the clinical trial. This entails the voluntary and free expression of their willingness to participate after receiving comprehensive information regarding all facets of the clinical trial.
If the organisation chooses to rely on the patient’s consent as a lawful basis for processing personal data, it is advisable to document this separately from the informed consent form (ICF). GDPR not only establishes different requirements for consent related to personal data processing but also mandates that it be distinct from any other statements made by individuals that are unrelated to privacy.
Risk Mitigation
Before collecting data, an organisation must assess whether a data protection impact assessment (DPIA) is needed, which is often the case for clinical trials. A DPIA is necessary whenever the data processing is likely to pose high risks to the rights and freedoms of individuals. Given that clinical trials involve patients’ sensitive data concerning their health, it is recommended to document the assessment, particularly the following critical areas:
- Description of Processing: Detailing the nature, scope, context, and purposes of data processing.
- Necessity and Proportionality: Assessing whether the data collection and processing are necessary and justified for the intended purpose.
- Risk Assessment: Identifying potential risks to the privacy and rights of individuals, such as data breaches, unauthorised access, or misuse.
- Mitigation Measures: Proposing safeguards, security measures, and controls to reduce the identified risks.
- Consultation with Stakeholders: In some cases, organisations must consult with individuals or data protection authorities when high risks are identified.
A DPO is an essential asset in ensuring that clinical trials meet the highest standards of data protection from the start. By engaging a DPO early in the planning process, organisations can confidently navigate complex GDPR requirements, ensuring both compliance and the protection of sensitive patient data.
HewardMills has extensive expertise in guiding international clients on integrating privacy-by-design principles from the outset, ensuring compliance throughout every stage of a clinical trial. Look out for the next part in our series on clinical trial compliance, and feel free to contact us to discuss your data protection needs.