Clinical research has special provisions under GDPR, as well as the U.K. Data Protection Act 2018.
Paul Gillingwater, MBA, recently addressed a Clinical Trials conference in Brussels, discussing health care and clinical data protection. Here are some of his thoughts.
As medical information is special category data, it is governed by Article 9 of GDPR, which prohibits processing unless certain conditions are met. One of those conditions is stated as follows:
Art 9(2)(j) “… processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”
This refers to Article 89, which states:
Art 89(2) “Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.”
The key point here is that clinical studies have a history of employing a specialized contract with patients, based on a principle known as Informed Consent. The U.S. Army Yellow Fever Commission “is considered the first research group in history to use consent forms, under the leadership of Major Walter Reed in 1900.”
Consent forms are used in most cases; however, there are times when consent cannot be obtained from the patient. For example, children are presumed to be unable to give consent, and therefore it must be obtained from their parent or guardian. Patients who are unconscious or mentally incompetent are also unable to give consent.
At present, most clinical research studies use Informed Consent as the basis both for conducting medical procedures and for all special category and personal data processing associated with those procedures, including secondary processing.
Under GDPR, bundling of consent is generally not recommended.
Article 7(4) says that “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Together with the provisions of Article 6, this means that consent, while acceptable for a single purpose, should not be used in a way that bundles together different purposes, as one of those purposes may be highly valued by the data subject compared to the secondary purposes, meaning that consent is not necessarily freely given.
For example, a patient may wish to participate in a potentially life-saving clinical trial, but not wish to boost the profits of a drug company that benefits from the research.
In practical terms, this means that, if bundled consent is used, a patient wishing to participate in a clinical study, especially with a primary care health provider, would not be given the choice to opt out of subsequent secondary processing of their personal data, such as safety trials by a for-profit drug company.
Therefore, my view is that medical procedure consent should be unbundled from consent for secondary processing, and the patient should be given the choice to opt for one but not the other, or to opt out of secondary processing at any time, e.g. after a successful procedure or course of treatment.
GDPR doesn’t end there, however. It stipulates that secondary processing of special categories of personal data may still proceed even without the consent of the data subject, but only if it’s for the purpose of medical or other scientific research, and such research would be “seriously impaired” by the withdrawal of consent of the data subject.
See Article 89(2), which mentions that derogation, noting however that paragraph 1 conditions and safeguards apply.
The Paragraph 1 safeguards include the usual technical and organizational measures, but especially pseudonymization.
Art 89(1) “Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.”
This means that pseudonymized data is still considered to be within the scope of GDPR, as long as there remains even a small chance that individuals may be re-identified, e.g. because the Health Care Organization or Sponsor of the study retains an identification key. Only if the data is fully anonymized (and possibly aggregated) can it no longer be said to be personal, and therefore fall outside the scope of GDPR.
The implication of this is that a patient may grant consent to participate in a study, and then subsequently withdraw it, or request their right to erasure.
However, if scientific research is genuinely being pursued — and there is evidence such as publication in a scientific journal — then it seems likely that the derogation can be applied allowing their personal data to continue to be processed, but only if the data is protected by pseudonymization and other technical and organizational measures.
In such a case, the lawful basis for processing would become legitimate interests, which would require the production of a Legitimate Interests Assessment, with all that entails.
A further lawful basis for the continued processing of personal data within a clinical study after the withdrawal of consent could be legal obligation. This could be evidenced by the existence of a regulation that requires the manufacturer of the medical device, drug or clinical pathway to demonstrate conformity with regulations through clinical investigation.
In summary, while consent remains a critical factor for participation by patients in a clinical trial, it remains to be seen whether the withdrawal of that consent for secondary purposes will frustrate the effectiveness of the trial, since apparently both the right to object to processing and the right of erasure are not absolute due to the derogations available for scientific research. (See Recitals 47 and 157.)
Another factor which supports this view is the difference between the Data Protection Directive of 1995, and GDPR.
Where the former suggests that processing of data for scientific purposes may be carried out without consent if the nature of the processing is “compatible” with the initial purpose, the latter reverses this, and allows secondary processing even if the new purpose is not compatible with the original purpose – but only if appropriate safeguards are in place, and the processing is deemed to be “scientific” research, which under GDPR has a broader definition.
To ensure that your clinical research sponsor is managing GDPR most effectively, it is recommended that you appoint a Data Protection Officer (DPO).
This is especially important where you are processing special categories of personal data on a large scale. Chaucer offers DPO as a Service to customers around the world, in addition to its EU Representation service.