Understanding Data Privacy: Three Key Concepts for Your Clinical Trials

Personal data privacy is not a new concept when it comes to healthcare. In fact, the right to privacy hasn’t changed in over 130 years.

In the mid-1990s, when the utility of the Internet was in question, the future-focused US Congress was determined to standardize electronic health information. In doing so, it rolled out nationwide security and privacy standards for protected health information (PHI), still in use today. With a similar vision for the future, Europe adopted its earliest protections on the movement and processing of personal data.

While personal health information protections have been established for decades, today’s booming rate of technology adoption and the complexity of data flows have created new demands on how patient and participant data is collected, stored and shared among sites, sponsors, CROs, and other internal and external stakeholders.

As healthcare slowly adopted new technologies, a revolutionary milestone happened – the launch of the General Data Protection Regulation (GDPR) in May 2018. Through its framework, this regulation prompted an Internet-crazed world to reflect on and recognize digital “privacy” as part of the fundamental human rights set forth by the United Nations (UN) in 1948. Since then, important parameters for technology use in clinical trials have emerged.

Now as we rapidly shift towards remote-enabled technology, with around 80% of sites, sponsors, and CROs anticipating most monitoring to be remote by 2023, it is critical to understand how this regulation will impact your organization. The first step is understanding the basics.

Personal Data Privacy Basics

Privacy laws and regulations are established to protect the individual’s human right to “be let alone” and protect information that might reveal their identity. There is a plethora of privacy regulations across the globe.

If you work in health care or research in the US, HIPAA may immediately come to mind as a regulation that protects the individually identifiable health information of patients.

The GDPR was originally created as a regulation to standardize the personal data protection of all EU individuals, but it has become the gold standard for many other countries and industries when designing their own programs.

Although navigating multiple regulations can be confusing, privacy regulations are intended to protect you as an individual and are not meant to contradict each other.

Now, what is actually considered personal data? Put simply, it’s anything that, when put in combination, might identify you, even identifiers that most people wouldn’t consider. For example, say that you are the only female in your department and your employer’s office is located in a shared building. Those two pieces of information, when combined, may reveal your identity, so they are considered personal data and would need to be protected.
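The department-plus-building point above can be checked mechanically. As an added example (not code from the original article), the Python below counts how many records share each combination of attributes before a column set is released; the sample rows are constructed and the names `RECORDS`, `k_anonymity` and `check_release` are this example’s own.

```python
from collections import Counter

# Constructed sample staff records (no real people). Each attribute alone is
# harmless; the question is whether some combination singles one person out.
RECORDS = [
    {"department": "Pharmacy",  "sex": "F", "building": "Shared-Bldg-A"},
    {"department": "Pharmacy",  "sex": "M", "building": "Shared-Bldg-A"},
    {"department": "Pharmacy",  "sex": "M", "building": "Shared-Bldg-A"},
    {"department": "Radiology", "sex": "F", "building": "Shared-Bldg-A"},
    {"department": "Radiology", "sex": "F", "building": "Shared-Bldg-A"},
    {"department": "Radiology", "sex": "F", "building": "Shared-Bldg-A"},
]


def equivalence_classes(records, quasi_identifiers):
    """Map each combination of the chosen attributes to the number of records sharing it."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Smallest group size over the chosen attributes; k == 1 means someone is unique."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def identifying_combinations(records, quasi_identifiers):
    """Attribute combinations that match exactly one record, i.e. that reveal an identity."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(combo for combo, n in classes.items() if n == 1)


def check_release(records, quasi_identifiers, k_required=2):
    """Defender's gate: refuse to release a column set that leaves any individual unique."""
    k = k_anonymity(records, quasi_identifiers)
    return {
        "columns": tuple(quasi_identifiers),
        "k": k,
        "ok": k >= k_required,
        "unique": identifying_combinations(records, quasi_identifiers),
    }


if __name__ == "__main__":
    # Department alone and sex alone each hide in a group, but together they
    # expose the only female in Pharmacy, exactly the scenario in the text.
    for cols in (("department",), ("sex",), ("building",), ("department", "sex")):
        print(check_release(RECORDS, cols))
```

Treat any column set with `ok` false as personal data that needs the same protection as a name or medical record number.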

For more information about creating a GDPR framework for your clinical trials and navigating terms please read this article or watch our webinar recording.

Personal Data Privacy Concepts

Grouping personal data privacy into a few general concepts makes them easier to keep in mind while building out your own data privacy program.

1. Notice

Providing notice means informing an individual (or “data subject”) on how their personal data is handled (or “processed”) and protected. Some examples of notices that may be familiar to you are consent forms, privacy policies, cookie pop-ups on websites, contracts, and end-user license agreements.

It is mandatory to supply individuals with a notice of how, why, when, where, and what happens with their personal data.

2. Permission

You must obtain permission from the individual (or another authority) that demonstrates a lawful basis before you collect or use their personal data in any way.

GDPR is the gold standard. Feel confident to leverage GDPR compliance frameworks when building your own data privacy program. Per GDPR, it’s lawful to handle personal data if one of the following six lawful bases applies:

  • Consent: The individual explicitly agrees. In health care, this might be verbal, written, or even waived. Document the encounter before any of the processing activities begin.
  • Contract: An agreement either with the individual or required to fulfill the individual’s request. After the contract is signed, the personal data is handled precisely according to the terms outlined in the contract.
  • Legitimate Interests: When a business legitimately requires the information to be collected or used. Be extra careful when assessing and documenting that this is an appropriate basis for processing.
  • Legal Obligations: The law requires the data to be collected or used.
  • Vital Interests: Personal data must be handled because the individual’s life is at risk.
  • Public Interest: Processing that impacts the public, possibly at the direction of official authorities.

Another relevant type of permission in clinical trials is an IRB Waiver. In emergency, life-threatening, and/or minimal risk scenarios, obtaining consent isn’t always practical. In these cases, waivers can be granted to allow you to perform the activities without the individual’s direct consent.

3. Choice

Whenever you are handling someone’s personal data, the individual must be given the opportunity to exercise their rights as they are outlined in the privacy laws and regulations.

For GDPR, individuals can submit a Data Subject Access Request (DSAR) to exercise their rights and choose how their data is handled. For example, they can ask for/to:

  • Be Informed of, Access, and/or Obtain a Portable Copy of the personal data the company is storing.
  • Rectify inaccurate personal data and/or have their personal data erased.
  • Object to a company’s processing, prohibit automated decision-making (including profiling), and withdraw their permission to obtain or use their personal data.
  • Restrict the processing of their personal data.

Be sure to test your notice, permission, and choice policies with procedures to see what works best for you and your organization.

What’s Next?

When it comes to personal data protection, it is most important to understand what categories of personal data are handled, the lawful basis, and how to protect it. Any identifiers that can be used in combination to identify an individual are considered personal data.

Once you understand these basics, you can begin to dive deeper into GDPR and use it as a golden rule when building out your own data privacy program.

If you are a clinical research professional, you have been working with and protecting personal data already in your everyday work. As you move to more technology-based processes, it is critical to build in new processes, or build on existing ones, to protect the data of all individuals who engage in or work on a clinical trial.

If you want to see frequently asked questions about GDPR and a list of definitions, visit our GDPR library.

Kaitlin Sitchenko, Director of Compliance for Florence Healthcare