There has been much industry debate around the most appropriate legal basis for the processing of personal data in connection with clinical trials, in light of the GDPR and the Clinical Trials Regulation (CTR). National ethics committees and regulatory bodies have so far struggled to reach consensus on the issue. Some countries focus on a requirement for consent, whilst others lean on legitimate interests.
Welcome clarification has been provided by the European Data Protection Board (EDPB) in a recent Opinion.
Whilst the GDPR seeks to protect individuals with regard to the processing of personal data, the CTR aims to further harmonise the rules for conducting clinical trials throughout the EU. Specifically, the CTR introduces an authorisation procedure based on a single submission via a single EU portal, an assessment procedure leading to a single decision, rules on the protection of individuals, and informed consent and transparency requirements.
Interplay between the CTR and the GDPR
As we might expect, the Opinion clarifies that both the GDPR and the CTR apply simultaneously and that whilst the CTR contains specific data protection provisions, it does not allow derogation from or in any way diminish the legal requirement to comply with the GDPR.
The Opinion emphasises in particular that “informed consent” provided under the CTR to participate in a clinical trial is not the same as consent to process personal data under the GDPR. Whilst informed consent under the CTR may still be possible, an imbalance of power between the participant and the sponsor/investigator may not enable that consent to be “freely given” as required by the GDPR.
Legal basis of processing within a clinical trial
Taking the processing of personal data during the course of a clinical trial (primary purpose), the EDPB distinguishes between two main categories of processing activities: (i) processing operations relating to the protection of health activities (reliability and safety related purposes) and (ii) processing operations relating to research activities.
- Reliability and safety related purposes
The Opinion clarifies that processing of personal data for these purposes can be performed on the basis that processing is necessary to comply with the legal obligations to which the sponsor and/or the investigator are subject. These may include legal obligations arising out of the CTR itself in respect of safety reporting, archiving of master files and disclosure of clinical trial data.
- Research activities
By contrast, the EDPB considers that processing operations purely related to research activities within clinical trials cannot be based on legal obligations. Instead, processing may be on the basis of:
- a data subject’s explicit consent (subject to the GDPR’s conditions around consent when processing special categories of data); or
- the legitimate interests of the controller, or the public interest.
In respect of consent, any imbalance of power (e.g. illness of a trial participant or a participant being in a situation of dependency) may prevent a data controller obtaining “freely given” GDPR consent, and in such a case an alternative legal basis may be required. Therefore, a particularly thorough assessment of the circumstances of the trial should be carried out before consent is relied upon as the legal basis for processing personal data.
Data controllers should be mindful that their legitimate interest to process personal data in the context of a clinical trial will need to be balanced against the interests of the individual participants. Legitimate interests cannot be relied upon if overridden by the interests or fundamental rights and freedoms of the individual.
Whether or not the “public interest” legal basis can be relied upon will depend on whether the clinical trials fall “within the mandate, missions and tasks vested in a public or private body by national law”. This may be difficult to meet in the case of commercial data controllers.
Secondary uses of data outside of the clinical trial protocol
A key distinction is made between (i) processing within the clinical trial itself (‘primary use’) and (ii) processing for scientific purposes outside the clinical trial (‘secondary use’).
The EDPB confirms that it is not possible to rely solely on CTR consent to process personal data in the case of secondary use and a separate GDPR legal basis to process is required. That said, the legal basis may be the same as or different from that relied upon for the primary use.
Clarification in this area will no doubt be welcomed by data controllers operating in the field of clinical trials. It remains to be seen how ethics committees and national regulatory bodies will respond to the EDPB Opinion and whether this approach will be universally adopted, particularly with respect to consent. In any case, data controllers operating in the field of clinical trials would be well advised to review their approaches to ensure alignment with the Opinion.
Care should be taken to ensure the legal bases relied upon for processing personal data are genuinely satisfied and, for example, data controllers do not fall foul of the more stringent GDPR conditions for consent, as opposed to CTR consent.