
Data privacy in clinical trials – who does what?
Dounia van de Weerd ‑ Skalli - Privacy & data protection professional - LL.M CIPP/E CIPT

A clinical trial is a complicated arrangement involving numerous parties and legal obligations. Laws and regulations regarding data privacy make clinical trials even more complex, because many of these parties process highly sensitive personal data. In this article, we will tell you about the specific roles you may encounter when conducting a clinical trial under the General Data Protection Regulation (GDPR). In addition, we will explain the responsibilities that each role entails. You will discover why it is important to know the difference between a controller, a joint controller and a processor and we will investigate the relationship between these parties.

Controller

A controller can be briefly defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.[1]

Any type of entity can take on the role of a controller. This means that an organization, an individual or even a group of individuals can assume the role of a controller. The controller exercises influence over the processing that occurs as a result of its decision-making power. The decision on why and how personal data will be processed can be made solely by the controller or jointly with other entities. However, it is always the controller who must decide on the means and purposes of processing personal data.

In the setting of a clinical trial, the sponsor will be regarded as the controller as it is the sponsor who determines why and how personal data will be processed.

Joint controller

When different parties jointly determine why and how personal data should be processed, they are joint controllers. In order to determine whether joint controllers are present, a factual analysis must be made of the actual influence each party has on the purposes and means of processing personal data.

The most common circumstances in which parties will be joint controllers are when they are involved in the same processing operation or when they pursue purposes which are complementary or closely linked. This could, for instance, be the case when there is a mutual benefit arising from the same processing operation.

In the setting of a clinical trial, the Clinical Research Organization (CRO) will be regarded as the joint controller if it and the sponsor jointly determine why and how personal data should be processed. This can be agreed upon in the study protocol of the clinical trial.

Processor

A processor can be briefly defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.[2] A processor, just like a controller, can be any type of entity. In order for an entity to qualify as a processor, two conditions must be met. Firstly, it must be a separate entity in relation to the controller and secondly, it must process personal data on behalf of the controller.

The role of processor does not arise from the nature of an entity that is processing data but from its concrete activities in a specific context. The nature of the service will determine whether the processing activity amounts to processing of personal data on behalf of the controller within the meaning of the GDPR.

In a clinical trial setting, vendors, such as hospitals or testing sites, will be regarded as processors as they act on the instructions of the controller.

The fact remains that every clinical trial is different. It is a complex arrangement involving several parties, each of which has important roles and responsibilities to fulfill.

Relationship between the parties

The concepts of controller and processor are functional concepts, which means that they aim to allocate responsibilities according to the actual roles of the parties. This means that the legal status of either a controller or processor is determined by its actual activities in a specific situation, rather than by title: it cannot just be based on a decision.

The controller is responsible for compliance with the GDPR and must be able to demonstrate this. One way in which the controller can do this is to only make use of a processor or processors providing sufficient guarantees to implement appropriate technical and organizational measures [3] when processing personal data.

The relationship between controller and processor must be governed by a contract or other legal act, such as a data processing agreement. This relationship can be regarded as one of subordination, because the processor must act upon the instructions of the controller and not the other way around. If a processor does not act accordingly, it can be subjected to fines for non-compliance with the GDPR. In a clinical trial, a hospital must act according to the sponsor’s instructions in processing the personal data of the trial participants.

The relationship between joint controllers is slightly different as they have to decide together who will perform which tasks. To ensure compliance with the GDPR, they must divide responsibilities by means of an arrangement. This arrangement must state in clear and plain language which tasks have been allocated to which joint controller. In a clinical trial, the CRO and sponsor will have to jointly determine which entity will attend to which tasks, such as which entity will answer requests from trial participants.

Protection of personal data

One of the most important responsibilities for the controller, joint controllers and processor is that the personal data that is collected and processed during a clinical trial must be sufficiently protected. This responsibility applies regardless of whether the personal data is regular personal data or belongs to the special categories of personal data.

One security measure that parties can implement is to pseudonymize personal data: the data is processed in such a way that it can no longer be attributed to a particular trial participant without the use of additional information.[4] This additional information must be kept separately, and technical and organizational measures must ensure that the personal data is anonymous. In a clinical trial, an example would be to pseudonymize the data collected from the sponsor’s report forms, for instance by having the hospital or testing facility assign a code to each trial participant. The key-code used is also kept separately and securely.
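The code assignment described above can be sketched as follows. This is an added example, not part of the original article; the field names, the `SitePseudonymizer` class and the sample records are hypothetical and constructed for illustration. The site assigns a random code to each participant, strips the direct identifiers from the report form data, and keeps the key table to itself.

```python
import secrets

# Fields treated as direct identifiers here (assumption for this example).
DIRECT_IDENTIFIERS = {"name", "date_of_birth", "patient_number"}

# Constructed sample report form entries; not real data.
SAMPLE_RECORDS = [
    {"patient_number": "H-1001", "name": "Jane Example",
     "date_of_birth": "1980-02-03", "visit": 1, "systolic_bp": 128},
    {"patient_number": "H-1002", "name": "John Sample",
     "date_of_birth": "1975-11-20", "visit": 1, "systolic_bp": 141},
    {"patient_number": "H-1001", "name": "Jane Example",
     "date_of_birth": "1980-02-03", "visit": 2, "systolic_bp": 124},
]


class SitePseudonymizer:
    """Runs at the hospital or testing site; the key table stays there."""

    def __init__(self, site_id):
        self.site_id = site_id
        self._code_by_patient = {}  # patient_number -> subject code
        self._key_table = {}        # subject code -> identifying fields

    def _code_for(self, record):
        patient = record["patient_number"]
        if patient not in self._code_by_patient:
            while True:
                # Random code: cannot be recomputed from name or birth date,
                # unlike a hash of those fields.
                code = f"{self.site_id}-{secrets.token_hex(4).upper()}"
                if code not in self._key_table:
                    break
            self._code_by_patient[patient] = code
            self._key_table[code] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        return self._code_by_patient[patient]

    def pseudonymize(self, record):
        """Return the record in the form that may leave the site."""
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_code"] = self._code_for(record)
        return out

    def reidentify(self, subject_code):
        """Needs the separately kept key table; the sponsor does not hold it."""
        return self._key_table[subject_code]


def build_sponsor_dataset(site, records):
    return [site.pseudonymize(r) for r in records]
```

Repeat visits by the same participant receive the same code, so the sponsor can still link observations over time without holding the identifying fields.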

The fact remains that every clinical trial is different. It is a complex arrangement involving different parties, each of which has an important role and responsibilities to fulfill. Therefore, we strongly recommend performing an analysis for each clinical trial to determine which entities play which role with regard to the processing of sensitive data, and taking appropriate measures to ensure that each party fulfills its responsibilities and obligations with respect to its specific role.

For a complete overview of the responsibilities and obligations of the different parties in a clinical trial, please refer to our white paper ‘Five crucial steps towards a GDPR proof clinical trial’.

 

[1] Article 4(7) General Data Protection Regulation, EU 2016/679
[2] Article 4(8) General Data Protection Regulation, EU 2016/679
[3] Article 28(1) General Data Protection Regulation, EU 2016/679
[4] Article 4(5) General Data Protection Regulation, EU 2016/679
