Artikel | 27 Nov 2019

Processing personal data for research purposes

Responsive image

 

Part 2 – Clinical trials

This two-article series focuses on some key legal aspects for life sciences companies when processing personal data for research purposes. In Part 1, we discussed the term “research” from a legal perspective and explained what advantages a company may have, as well as what consequences there may be when processing personal data for research purposes.

On 23 January, the European Data Protection Board (“EDPB”) published the document “Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR)” (the “Guideline”). The reason for the creation of the Guideline was that the European Commission requested consultation with the EDPB regarding the interplay between the two abovementioned regulations.(1) In this second part of the article series, we will discuss the processing of personal data relating to clinical trials conducted in Sweden and what legal basis such processing may be based on, in view of the EDPB’s statements in the Guideline.

The Clinical Trials Regulation and the Clinical Trials Information System (CTIS)
For those not familiar with the CTR, the Regulation aims to achieve a higher degree of harmonisation of clinical trials legislation within the EU and to simplify the permit procedure. Applications for clinical trial permits are submitted via the EU clinical trials por-tal and database CTIS. (2)  However, despite the CTR entering into force on 16 June 2014, the Regulation still cannot be applied due to technical issues with the development of CTIS.

In October 2019, the European Medicines Agency’s Management Board endorsed the six-monthly monitoring report on the development of CTIS, in which the performance of the IT supplier is assessed against the agreed key performance indicators. The Management Board stated that the measures proposed in the report should be further developed, including regarding the quality of the work delivered by the supplier of CTIS. (3)

The CTR is now estimated to become applicable sometime during 2020 and will replace the existing EU Clinical Trial Directive (EC) No. 2001/20/EC and national legislation that implements the Directive. (4) Although applications for clinical trial permits will be submitted through CTIS, planned research will still require ethical review in accordance with the Swedish Act concerning Ethical Review of Research Involving Humans (Sw. Lag [2003:460] om etikprövning av forskning som avser människor) (the “Ethical Review Act”). (5)

Primary use of clinical trial data
In the Guideline, the EDPB divides the use of personal data relating to clinical trials into two main categories: primary and secondary use. “Primary use” of clinical trial data means all processing operations related to a specific clinical trial protocol during its entire lifecycle, from the launch of the trial to erasure of the personal data at the close of the archiving period.

The EDBP does not consider that the same legal basis can be applied to all processing of personal data relating to primary use. In this regard, the EDPB refers to two main processing activities where the processing needs to be based on different legal grounds, i.e.:

1. Processing operations related to reliability and safety; and
2. Processing operations purely related to research activities.

The table below summarises what legal basis the above two processing activities may be based on.

Secondary use of clinical trial data for scientific purposes outside the clinical trial protocol
Regarding secondary use of clinical trial data outside the clinical trial protocol for scientific purposes, this is addressed in Article 28(2) of the CTR, which states the following:

“[…] the sponsor may ask the subject or, where the subject is not able to give informed consent, his or her legally designated representative at the time when the subject or the legally designated representative gives his or her informed consent to participate in the clinical trial to consent to the use of his or her data outside the protocol of the clini-cal trial exclusively for scientific purposes.”

In this context, secondary use only concerns situations when the sponsor plans to process personal data collected from the individual participating in the clinical trial, but outside the scope of the clinical trial protocol. However, such secondary use must only involve the processing of personal data for scientific purposes.

Article 28(2) of the CTR further states that the scientific research making use of the data outside the protocol of the clinical trial shall be conducted in accordance with applicable law on data protection. In this regard, it should be noted that consent as referred to in Article 28(2) of the CTR must be separated from consent as described in the GPDR, i.e. these are two different types of consent.

If a sponsor or an investigator plans to process personal data gathered during the course of a clinical trial for scientific purposes other than the ones defined by the clinical trial protocol, such secondary use requires another legal basis compared to the one used for the primary processing. This means that the legal basis for the secondary use could be exactly the same as the applicable legal basis for the primary use (see the legal bases described for the primary use above), or it could be another legal basis. Such assessment must, however, be made on a case-by-case basis.

When a company wishes to process personal data for purposes other than those for which the personal data was originally collected, it must be remembered that there is a presumption of compatibility under Article 5(1)(b) of the GDPR. Thus, the main rule is that personal data collected for one purpose may not be processed for a different purpose at a later date.

An exemption to this main rule, also found in Article 5(1)(b) of the GDPR, applies if the secondary use concerns personal data processing for archiving purposes in the public interest, or scientific, historical research or statistical purposes. These purposes shall not be considered incompatible with the initial purpose, provided that they are in accordance with the provisions of Article 89 of the GDPR, which requires the data controller to ensure adequate safeguards and derogations in relation to the processing. If these conditions are met, the data controller may process personal data for secondary use without a new legal basis. With regard to the meaning of scientific research as referred to in the exemption in Article 5(1)(b) of the GDPR, further information can be found in Part 1 of this article series. The tables below show a high-level example of primary and secondary use of personal data relating to a specific clinical trial.

Exampel

To conclude, it is of the utmost importance that any processing of personal data relating to clinical trials is carefully assessed in each individual case. In relation to secondary use and the exemption under Article 5(1)(b) of the GDPR, the EDPB has also stated that this will require specific attention and guidance from the EDPB in future (12).

(1) See the Guideline, p. 3.
(2) See Bill 2017/18:196, p. 35.
(3) See the European Medicines Agency’s website
(4) See the Guideline, p. 3.
(5) See Bill 2017/18:196, p. 50.
(6) See the Guideline, p. 3 ff.
(7) See Bill 2017/18:298, p. 95.
(8) See the Guideline, p. 6.
(9)See Bill 2017/18:298, p. 127.
(10) See the Guideline, p. 7.
(11) See Bill 2017/18:298, p. 95 and 137.
(12) See the Guideline, p. 8.

See Part 1 of this article series here
 

Kontakt:

Verksamhetsområde:

Life Sciences

Vill du komma i kontakt med oss?

Fyll i formuläret samt vilket kontor du vill bli kontaktad av, så hör vi av oss inom kort.