Tips for Managing Data Protection and Data Privacy in Clinical Trials
Technology continues to play a larger role in clinical trials, and subsequently, regulatory bodies are placing intense scrutiny on data protection and data privacy in clinical trial procedures and policies.
Learning all of the new jargon and terminology related to electronic data protection and understanding its implications is like learning a foreign language; it can be overwhelming.
But you can learn how to tackle today’s concerns before they become tomorrow’s violations.
As a clinical research professional, you are comfortable in a highly-regulated environment. Establishing a data protection plan mirrors the steps to prepare for and carry out a clinical trial.
Florence’s Compliance Team built our GDPR and data protection program from the ground up and continues to stay on top of the evolving privacy landscape.
We sat down with our compliance team to discover how you can apply your clinical trial experience to data protection to develop a foolproof program for your organization.
To see our conversation, download our Data Protection Webinar Recording.
Understanding Terms for Data Protection and Data Privacy in Clinical Trials
Every industry has jargon. Once you understand the terminology, everything else becomes much more straightforward. Data protection and data privacy in clinical trials is no different.
You may not know it yet, but you already know more about data protection as a clinical research professional than most people. Your expertise in clinical trial processes has positioned you to gain a deep understanding of both the fundamentals of data protection and the intricacies of how it works.
The compliance team suggests starting by applying the clinical trial concepts you already understand to data protection.
First, Florence categorized standard data privacy and data protection terms and corresponding clinical trial terms beneath a friendly nickname for easy comprehension.
Data Protection Category & Term Chart
Consider your clinical research experience and use this chart as a method to understand and map the terminologies between clinical research and data protection.
The goal is to learn the parallels between clinical research and data protection by leveraging your clinical research experience, reducing the mental effort to understand more terms!
The below chart is not an exhaustive list and is up to interpretation! Florence is merely sharing how we approached mapping these terms. Many terms could fall into more than one category.
Category [Friendly Nickname] | Clinical Research Term Examples | Data Protection Term Examples |
---|---|---|
Roles | Sponsor, CRO, Sites, Principal Investigator (PI), Vendors (EDC, eReg, IWRS). | Joint-Controller, Controller (Data Exporter), Processor (Data Importer), Sub-Processor, Third-Party Vendor, Contractor, Sub-Contractor, Supplier. |
The Rules | IRB-Approved Protocol, Protocol Clarification Letters (PCL), IRB Approvals, Internal Activation (Laboratory, Radiology, Nursing), Quality, Internal SOP, Departmental Policies. | Privacy Regulation (GDPR, CCPA, HIPAA), Laws, Governance. |
Compliance | Pre-Site Selection (PSSV) / Qualification, Facility Readiness (CAP/CLIA, Lab Normal Ranges), Team Qualification (CV, CITI, HIPAA, GCP, etc.). | Accountability, Audit Readiness, Compliance with all Requirements, Training, Documentation. |
Agreements | Clinical Trial Agreement (CTA), Business Associate Agreement (BAA), Non-Disclosure Agreement (NDA). | Data Processing Agreement (DPA), EU Standard Contractual Clauses (SCC), BAA, NDA. |
Participants | Study Population, Disease Area, Patients, Subjects, Participants, Healthy Volunteers, Vulnerable Populations. | Categories of Data Subjects, Child Protection, Inmate Protections. |
Eligibility | Subject Selection, Inclusion Criteria, Exclusion Criteria, Eligibility Review. | Jurisdictions, residency. |
Informed Consent | ICF Contents (Risks and Benefits, SOE). | Notice, Privacy Policy, Data Minimization. |
Obtain Consent | Verbal or Written Informed Consent Form (ICF). | Opt-In (Affirmative) Consent, Opt-Out Consent. |
Authorized Consent | Emergency Consent Waiver, IRB Pre-Screen Waivers. | Opt-Out Consent, Lawful Basis (Contract, Legal Obligation, Public Task, Vital Interests, Legitimate Interests), Legitimate Interests Assessment (LIA). |
Data | Data Sets, Assessments, Specimens, Vitals, Radiology, Laboratory, Pathology, EMR notes, Schedule of Events (SOE), Quality of Life (QoL), EKG, Methodology, Lab Manual. | Types of Data, Special Categories of Data, Processing Activities. |
Data Scope | Data Management (Collection, Retention, Archival), Electronic Data Capture (EDC), Case Report Form (CRF) Design, eRegulatory. | Purpose Limitation, Data Accuracy, Third-Party Vendor, Sub-Processor, Written General or Specific Authorization for Sub-Processing. |
Data Transfer | Material Transfer Agreement (MTA). | Cross-Border Data Transfer Mechanism. |
Rationale | Background, Study Rationale, Objectives, Purpose. | Lawful Basis (Consent, Contract, Legal Obligation, Public Task, Vital Interests, Legitimate Interests). |
Rights | Withdrawal of Subject. | Data Subject Access Request (DSAR) – Access, Portability (Machine Readable Format), Erasure, Rectification, Object, Restrict Processing, Profiling, Automated Processing. |
Safeguard Plan | Safety Management Plan, DMC/DSMB Charter, Risk Management Plan. | Data Protection Program, Technical and Organizational Security Safeguards, Integrity and Confidentiality. |
Safety Oversight | Data Monitoring Committee (DMC), Data Safety Monitoring Board (DSMB), IRB, Central IRB, Medical Monitoring, Auditing. | Data Monitoring Committee (DMC), Data Safety Monitoring Board (DSMB), IRB, Central IRB, Medical Monitoring, Auditing. |
Safety Reporting | SAE Reporting, IND Safety Letters, SUSAR, CAPA Protocol Violations, Ethics. | Breach Response, Incident Response Plan, Incident Identification System, Violations, Supervisory Authorities. |
Changes | Informational Amendments, Protocol Amendment, Updated FDA/EMA Guidance, Regulation, or Requirements, Updated SOP, COVID-19 Guidance, Remote Source Data Verification (SDV). | Data Protection Impact Assessment (DPIA), Updated Regulation/Law Guidance, CCPA, Brexit UK GDPR, EU-US and Swiss-US Privacy Shield Invalidation (Schrems II). |
Download our easy-to-use pack of custom flashcards to commit these terms to memory.
Building a Roadmap for Data Protection Compliance
After mastering the terminology you will need when incorporating a robust data protection program into your clinical trial operations, the next phase is building a roadmap.
The compliance team reminds us that it is essential to focus on each stage of your roadmap’s top priorities to implement your program successfully.
We will use the “Crawl, Walk, Run” approach to shape your data protection roadmap.
If you want to learn more about GDPR Specific Guidance for Clinical Trials, please download our guide here.
Crawl Stage: Internal Organization
Before you do anything else, you must crawl. In this stage, you will focus on getting your internal organization ready for data protection and data privacy in clinical trials agnostic to any particular study. You will concentrate on regulations and procedures.
Research and document all the in-scope regulations that will need to be adjusted so that your operations and procedures are audit-ready with accurate interpretations and alignment. Reviewing the flashcards focused on “The Rules” and “Compliance” will help you in this area.
Next, establish necessary procedural safeguards for safety reporting and Data Subject Access Requests (DSAR) to protect individuals’ data and rights.
Helpful flashcards for your internal organization:
- Safeguard Plan
- Safety Oversight
- Safety Reporting
- Changes
Walk Stage: Study-Specific Procedures
The “walk” stage’s key focus is essential procedures across your sponsor, CRO, and site relationships to protect an individual’s data. Roles such as controller vs. (sub)processor are dependent on who is directing the decision, which can add to the complexity.
To get a clear understanding of who holds a particular role for each activity, map out each study-specific activity and associated roles of all contributors as your team prepares for a Data Protection Agreement (DPA).
The IAPP has an excellent sample DPA to help you understand the moving parts of data protection. From there, you can map out your study-specific information.
Next, consider all data subjects and map out all associated workflows.
Data protection is about the individual, not just the study participants, so your list of data subjects should include associated sponsor, site, and CRO employees.
Note: Check with your organization if your data protection program protects your organization’s internal employees. Programs vary, and some organizations may consider external protection as opposed to internal protections.
Helpful flashcards for data subjects and associated workflows:
- Participants
- Eligibility
- Informed Consent
- Obtain Consent
- Rights
Walk Stage: Protect the Data from All Angles
Finally, once you map out roles and responsibilities, begin protecting the data from all angles. Data mapping and the following documentation requirements can be daunting. This article is not exhaustive but helps point you in the right direction.
In short, ensure that you understand:
- How the personal data flows, including associated processing activities and vendors that collect, store, process, and disclose the data
- The rationale for each processing activity including documentation for completed Legitimate Interests Assessments (LIAs) and Data Protection Impact Assessments (DPIAs), where applicable.
Since this article doesn’t cover all steps, be sure to review all of the in-scope data protection laws and regulations.
Additionally, the UK’s ICO offers excellent resources for UK GDPR compliance planning. If a particular topic doesn’t apply (e.g., pediatric or inmate requirements), keep that in your program records and address it. Note how you comply and when topics don’t apply to ensure that information is readily available during an audit.
Helpful flashcards for data protection:
- Data Transfer
- Data
- Data Scope
- Rationale
Run Stage: Evolving Changes
Once your program is established and the data you are processing for each study is adequately protected, you need to stay educated on the evolving landscape.
Kaitlin uses these three key topics to focus her compliance team’s efforts on evaluating trends and updates:
Privacy
- Example. Global, local, country, and state regulations that shift or are newly created, specifically regarding the processing and handling of personal data.
Security
- Example. Privacy Shield invalidation and global, local, country, and/or state standards regarding the overall protection, movement, and access to personal data. Including best practices on backups, data breaches, encryption, cross-border data transfers, access, etc.
Internal
- Example. Internal guidances, policies, SOPs, and any contractual obligations.
- Remember your clinical research agreements and contracts that might have requirements beyond the regulations. Also, consider clinical research standards like GxP and or certification requirements like CITI.
Aligning Data Protection With Your Existing Study Lifecycle
Incorporating data protection into existing study workflows can be challenging.
Kaitlin often sees customers battle with change management, training resources, and applying data privacy concepts to different trial stages.
When in doubt, leverage your clinical research knowledge and consider protocol-specific training. Identify the areas that your team handles and identify the parallel to data privacy by referring to your flashcards.
Below are a few examples (not an exhaustive list) where you may consider adding data protection into your existing study lifecycle.
Sponsor Study Design Considerations
Typically in this stage, you are already completing tasks like protocol design, budgeting, and mapping out study specifics.
Add additional data protection steps to your existing processes that might include:
Defining: Categories of data subjects, type of data, lawful basis, Data Protection Impact Assessment (DPIA), and Legitimate Interest Assessment (LIA).
Adding: Master Data Protection Agreement (DPA), and procedures for security breaches and Data Subject Access Request (DSAR).
Cataloging: Key contact information like Controller, (Sub-)Processor Data Protection Officer, Supervisory Authorities.
Sponsor-Site Qualification Considerations
During site selection, sponsors and sites must work together to marry their separate programs to protect all individuals involved to establish a collaborative and complementary program as a research team.
During this process, it is also vital to consider any technology vendors you use and their data protection role.
When mapping out the key players and how to marry programs, you may run into term contradictions. Slow down and review the data flow.
Once you know who decides (or “controls”) the personal data, you’ll have a sense of who the “Controller” is. There can also be Joint-Controllers. Then you need to determine who is receiving the personal data, the role of the “Processor”, and then a “Sub-Processor.”
For example, as an eReg vendor, Florence is often considered a Processor to our Sponsor customers while simultaneously a Sub-processor to our CRO customers, who themselves are a Processor to the sponsor.
Once you have the roles solidified, you’ll have a sense of the due diligence process and requirements.
Typically in this stage, you are already doing tasks like reviewing employee credentials and reviewing site requirements.
Additional data protection steps may include:
- (Sub-) Processor due diligences
- Execute DPA, Processor Data Protection Officer, EU Standard Contractual Clauses (SCC+), and Binding Corporate Rules (BCR).
Sponsor-Site Activation and Unplanned Considerations
You can plan for the future but unexpected events can always arise. Extending your data protection plan to include unexpected or unlikely events is helpful, just like preparing for SAEs and SUSARs.
Additional clinical research and/or data protection steps that you may include are:
- Consent Withdrawal: Follow DPA DSAR notification and track DSAR fulfillment
- Breach: Follow DPA notification to Controller and SA
Sponsor-Site Closeout Considerations
Lastly, consider requirements and items that take place during closeout, premature termination, and/or suspension.
As you apply data protection to this phase of your trial, some steps you may consider are:
- Data and Record Retention
- DSAR and breach responses fulfilled
- Audits closed out
- Cross-border data transfer
- Notice (premature term/suspension)
Creating a Framework for Data Protection Questions
As you begin creating a data protection plan and even after you have an established program, many questions will arise within your team and from outside contributors.
Creating a framework to dissect questions after building a program or activating a study is extremely important.
Anytime someone suggests that they have an “easy” data protection question, pause with caution and be sure that you understand what is being asked. Always consider the privacy, security, and internal/regulatory perspectives.
The clarity of the question determines the quality of the response you receive or give. And the quality of the response directly impacts your data protection program. Don’t cut corners and miss an opportunity to implement a safeguard by not considering all of “The Rules.”
You can’t prepare for every question that arises, so having a viable framework to apply to any question will ensure that you properly address data protection questions.
This framework is not a 100% guarantee, but it’s how Kaitlin approaches questions and is a good start – adapt as you see fit!