Pharma IT Blog

Blogging about hot topics related to Pharma and IT.

EU General Data Protection Regulation (GDPR) and Clinical Trials in Pharmaceutical Industry

The EU General Data Protection Regulation (GDPR) becomes effective on 25 May 2018. Pharma IT offers several services relating to the implementation of the GDPR in pharmaceutical companies.

All companies within the pharmaceutical sector will need to assess their use of personal data, whether it relates to employees, partners, suppliers or patients. Not all processes and systems that handle personal data will be in scope of the GDPR, but without a basic assessment companies risk the rather large penalties that are part of the regulation.

In this article, we discuss the GDPR in respect of patient data in clinical trials in the pharmaceutical industry. The article does not cover all aspects, but it gives an introduction and discusses, by example, some of the initiatives that may be needed to comply with the regulation.

Figure 1 shows an overview of the clinical trial route map. On the figure we have marked three places (green stars) where we believe personal patient data should be considered in respect of the GDPR. These are not the only parts of the clinical trial process that need to be handled in respect of the GDPR, but they are the scope of this article.

Before continuing, let's discuss some basic elements of the GDPR. Below we assume basic knowledge of the GDPR definitions (Article 4 of the regulation).

Basic elements

Scope: The GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system (Article 2(1)).

The above wording implies that all IT systems handling personal patient data within the clinical trial process are in scope of the GDPR. Handling of personal patient data in documents can also be in scope, depending on the process the documents are part of and whether they will eventually be stored in a filing system.

Processing of special categories of personal data: The GDPR prohibits processing of personal data revealing racial or ethnic origin, genetic data, biometric data and data concerning health, unless one of the exceptions in Article 9(2) applies, for example the explicit consent of the data subject, processing necessary to protect the vital interests of the data subject, or processing authorised by Union or Member State law providing appropriate safeguards, including for scientific research purposes (Article 9).

Within clinical trials as well as the pharmacovigilance process, these data types may have to be stored and processed, and with the exceptions mentioned this remains possible. These elements should be part of assessing the GDPR against company processes and should eventually be part of the Data Protection Impact Assessment (DPIA) for the individual process/IT system.

Right to erasure: The GDPR gives the data subject the right to obtain from the controller the erasure of personal data (Article 17). The right does not apply where one of the exceptions in Article 17(3) is met, for example where processing is necessary for compliance with a legal obligation to which the controller is subject (Article 17(3)(b), the legal basis also listed in Article 6(1)(c)), for reasons of public interest in the area of public health under Article 9(2)(h) and (i) (Article 17(3)(c)), or for scientific research purposes where erasure is likely to render the research impossible or seriously impair it (Article 17(3)(d)).

Given that the personal data stored as part of a clinical trial is relevant for the study in question, these exceptions remove the need to erase personal data where, for example, the Clinical Trials Regulation requires clinical trial data to be retained for 25 years after the trial has ended.

Records of processing activities: The GDPR requires each controller and, where applicable, the controller's representative to maintain a record of the processing activities under its responsibility; processors must keep a corresponding record of the processing carried out on behalf of each controller (Article 30).

This requirement will most likely be the major task for most pharmaceutical companies. Systems and processes should be identified and assessed, and the resulting inventory feeds both the Article 30 records and the Data Protection Impact Assessment (DPIA). The DPIA should form the basis for identifying the required activities, one of which is the implementation of a documentation system, including guidance for all parties involved on how they should behave when processing personal data, if this is not already in place in the company.

Data Protection Impact Assessment: The GDPR states that a Data Protection Impact Assessment shall be required (Article 35) where processing on a large scale of the special categories of data referred to in Article 9 (racial or ethnic origin, genetic, biometric and health data) takes place.

The regulation does not define what is meant by large scale, but unless clinical trials are very small they will most likely require a DPIA.

Data Protection Officer: The GDPR states that a Data Protection Officer shall be designated where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of processing on a large scale of special categories of data (Article 37(1)(b) and (c)).

Again the regulation does not define large scale, but unless clinical trials are very small the sponsor will most likely need to designate a Data Protection Officer.

The GDPR contains more elements than those mentioned above, but we will now continue by discussing some more specific process examples.

Process examples

Clinical Trials

Figure 1: clinical trial route map (source: Clinical Trials Toolkit, National Institute for Health Research)

The three examples selected in the figure are the following:
1. Informed Consent
2. Statistical Data Analysis and Clinical Trial Reporting
3. Safety Reporting

Informed Consent

Informed consent is already an integrated part of executing clinical trials. The GDPR adds requirements to the informed consent process. Chapter III "Rights of the data subject" of the regulation contains many requirements, specifically Article 13 "Information to be provided where personal data are collected from the data subject", that must be incorporated into the informed consent process.

Statistical Data Analysis and Clinical Trial Reporting

During the clinical trial, personal data is collected for statistical data analysis and clinical trial reporting in support of the original purpose of the trial. This process should be assessed for compliance with the GDPR.

Execution of clinical trials is usually handled in a complex setup where the pharmaceutical company (sponsor) contracts CROs that handle the contact with hospitals and healthcare professionals who enrol patients in the study. The sponsor can also handle this contact directly, and within a given study the setup can vary from country to country or region to region. Even though the patient data collected is pseudonymised*, company representatives monitoring the trial may have had direct access to personal information, or to combinations of pseudonymised* data that in some cases may be sufficient to identify individuals. In all circumstances, it is the responsibility of the sponsoring company to ensure that personal data is handled in accordance with the GDPR, either in a joint controller setup (Article 26) or by treating the CRO, hospitals and healthcare professionals as processors working on behalf of the sponsor (Article 28).
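The two points above, that pseudonymisation replaces the identifier but keeps the data linkable, and that the remaining fields can still single out a person, are illustrated by the following added example. It is not code from the original post or from Pharma IT; the patient records, the HMAC key, the field names and the quasi-identifier set are all constructed for the illustration.

```python
"""Added example (not from the original post): pseudonymising patient identifiers with a
keyed hash, and checking whether the remaining fields still single out individuals.
All records, field names and keys below are constructed sample data."""
import hmac
import hashlib
import secrets
from collections import Counter

# Constructed sample records as a sponsor might receive them from investigator sites.
RAW_RECORDS = [
    {"patient_id": "DK-001-0042", "sex": "F", "birth_year": 1961, "site": "DK-001", "hba1c": 7.9},
    {"patient_id": "DK-001-0043", "sex": "F", "birth_year": 1968, "site": "DK-001", "hba1c": 8.4},
    {"patient_id": "DK-001-0044", "sex": "M", "birth_year": 1958, "site": "DK-001", "hba1c": 7.1},
    {"patient_id": "DK-001-0045", "sex": "M", "birth_year": 1952, "site": "DK-001", "hba1c": 6.8},
    {"patient_id": "DK-002-0007", "sex": "M", "birth_year": 1975, "site": "DK-002", "hba1c": 9.2},
]

# Quasi-identifiers: not names or IDs, but identifying in combination (assumed set).
QUASI_IDENTIFIERS = ("sex", "birth_year", "site")


def pseudonymise(records, key):
    """Replace patient_id with an HMAC-SHA256 token. The same ID always maps to the same
    token, so visits can still be linked, but without the key the token cannot be reversed
    or recomputed. The returned lookup table is the 'additional information' of Article 4(5)
    and must be stored separately from the data, under its own access controls."""
    out, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = rec["patient_id"]
        out.append({"token": token, **{k: v for k, v in rec.items() if k != "patient_id"}})
    return out, lookup


def singled_out(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Return the tokens whose quasi-identifier combination is unique in the dataset.
    A group of size 1 means anyone who knows that person's sex, birth year and site
    can tie the row to them, pseudonym or not."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return sorted(r["token"] for r in records
                  if counts[tuple(r[q] for q in quasi_identifiers)] == 1)


def generalise_birth_year(records, width=10):
    """Coarsen birth_year to a decade so fewer rows are unique (one mitigation; the
    residual list shows it is not always enough)."""
    return [{**r, "birth_year": (r["birth_year"] // width) * width} for r in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in practice held by the key custodian, not with the data
    pseud, lookup = pseudonymise(RAW_RECORDS, key)
    print("rows singled out before generalisation:", len(singled_out(pseud)))
    remaining = singled_out(generalise_birth_year(pseud))
    print("rows still singled out after generalisation:", len(remaining))
```

With the constructed data every row is unique on (sex, birth_year, site) before generalisation; coarsening the birth year to a decade leaves one row unique (the single patient at site DK-002), which is exactly the residual risk a monitor with site knowledge could exploit. The lookup table and the key are the parts that must be kept apart from the dataset for the data to count as pseudonymised rather than merely relabelled.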

Safety Reporting

When running clinical trials or managing marketing authorisations for pharmaceutical products, companies must ensure proper handling of adverse event reporting.

Individual adverse events are personal data. The data received should normally be pseudonymised* or anonymised, in line with the data minimisation principle (Article 5(1)(c)) and data protection by design (Article 25); note that pseudonymised data is still personal data under the GDPR, whereas anonymised data falls outside it (Recital 26). From time to time mistakes happen and identifiable personal data is received together with the adverse event (for example laboratory reports with patient identifiers sent in error). Guidelines for handling such information must be in place, and companies should consider whether additional safeguards are needed for the fax, e-mail, shared folder or IT system through which adverse events are received and archived. As an example, processes for revoking user access to shared e-mail accounts need to be in place, and user access should be reviewed at regular intervals.

Besides the individual adverse events, companies are also obliged to produce several types of aggregated reports and to perform signal detection. The data is still pseudonymised*/anonymised, but when generating aggregated reports or performing signal detection companies may work with Excel or similar extracts of the received adverse events. The data, or intermediate results, may be stored on local drives, shared drives, SharePoint sites or similar. In respect of the GDPR it should be considered whether the security measures around this data are sufficient; again the focus should be on user access management, so that only the right people have access to the data at any given point in time.
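The access review recommended in the two paragraphs above (revoke leavers and out-of-role users, re-confirm unused access at regular intervals) can be run as a small script over two exports. The following is an added example, not code from the original post or from Pharma IT: the delegate list, the HR roster, the department name and the 90-day staleness threshold are constructed assumptions; in practice the two inputs would be exported from the mail system and the HR system.

```python
"""Added example (not from the original post): a periodic access review for a shared
pharmacovigilance mailbox. Delegate list, roster, departments and dates are constructed."""
from datetime import date

REVIEW_DATE = date(2018, 2, 19)          # constructed: date the review is run

# Constructed export from the mail system: who can open the shared mailbox.
DELEGATES = [
    {"user": "anna.k",  "granted": date(2017, 3, 1),   "last_access": date(2018, 2, 15)},
    {"user": "bjorn.s", "granted": date(2016, 9, 12),  "last_access": date(2017, 8, 30)},
    {"user": "cara.m",  "granted": date(2017, 11, 6),  "last_access": date(2018, 2, 18)},
    {"user": "erik.h",  "granted": date(2016, 1, 11),  "last_access": date(2017, 10, 1)},
    {"user": "dev.svc", "granted": date(2015, 1, 20),  "last_access": None},
]

# Constructed HR roster: employment status and department per account.
ROSTER = {
    "anna.k":  {"active": True,  "department": "Pharmacovigilance"},
    "bjorn.s": {"active": False, "department": "Pharmacovigilance"},   # has left the company
    "cara.m":  {"active": True,  "department": "Clinical Operations"},  # not a PV role
    "erik.h":  {"active": True,  "department": "Pharmacovigilance"},
    # "dev.svc" has no HR record at all (orphaned technical account)
}

APPROVED_DEPARTMENTS = {"Pharmacovigilance"}   # assumed: the only role that needs this mailbox


def review_access(delegates, roster, today, stale_after_days=90):
    """Classify each delegate as ('revoke' | 'review' | 'keep', reason).
    revoke: no HR record, leaver, or role outside the approved departments.
    review: approved and active, but no use within stale_after_days (owner must re-confirm).
    keep:   approved, active and recently used."""
    result = {}
    for d in delegates:
        user, person = d["user"], roster.get(d["user"])
        if person is None:
            result[user] = ("revoke", "no HR record for this account")
        elif not person["active"]:
            result[user] = ("revoke", "user has left the company")
        elif person["department"] not in APPROVED_DEPARTMENTS:
            result[user] = ("revoke", f"department {person['department']} not approved for this mailbox")
        elif d["last_access"] is None or (today - d["last_access"]).days > stale_after_days:
            result[user] = ("review", f"no access in the last {stale_after_days} days; confirm the need")
        else:
            result[user] = ("keep", "active, approved role, recently used")
    return result


def revocation_list(result):
    """Accounts to remove from the mailbox now; everything else goes to the owner for recertification."""
    return sorted(user for user, (action, _) in result.items() if action == "revoke")


if __name__ == "__main__":
    outcome = review_access(DELEGATES, ROSTER, REVIEW_DATE)
    for user, (action, reason) in outcome.items():
        print(f"{user:8} {action:7} {reason}")
    print("revoke now:", revocation_list(outcome))
```

The join against HR is the part that matters: a mailbox export alone cannot tell a leaver from an active user, and an account with no HR record at all (a service account nobody owns) is the classic gap an access review should surface rather than silently keep. The staleness rule is a prompt for the mailbox owner, not an automatic removal, since pharmacovigilance staff on long leave legitimately go quiet.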

In respect of the GDPR, Pharma IT recommends that the following activities are planned and executed:

  • Create a process overview of departments handling personal data
  • Map the personal data processed into the process overview
  • Map existing security measures and assess their compliance with the GDPR
  • Identify gaps to the GDPR in the created process and data flow overview
  • Create the Data Protection Impact Assessment document based on the information collected above
  • Initiate project/tasks to close the identified gaps (if any)

In many cases, existing systems and processes will already be sufficient and compliant with the GDPR, but the full set of processes and IT systems will still need to be reviewed against the GDPR, and where gaps are identified they should be closed before 25 May 2018.

* Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (Article 4(5)).


Monday, 19 February 2018