Confusion in personal data protection obligations in clinical trials

Even though a specific code of conduct and a structured process apply to clinical trials, dedicated, specific regulations on protecting the personal data obtained in such trials are lacking.

As a result, the processing of patient personal data in Poland is subject to general regulation, namely the Personal Data Protection Act of 29 August 1997 (“PDPA”), which implemented Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.

The PDPA implies that the sponsor of a clinical trial is a data controller, because the sponsor decides, cumulatively, on (i) the purposes of personal data processing and (ii) the techniques/mode of personal data processing. The requirement is confirmed in ongoing legislative work.

A sponsor, however, usually does not actually hold the personal data of trial participants, because of how trials are organized in practice. Sponsors outsource trials to investigators, who coordinate them. An investigator has the task of selecting participants for trials, and collects and processes the personal data of those persons, including data on health. In the end, sponsors usually receive only reports on the trials, which contain statistical information, unless they request access to source documents, which does not happen often.

In consequence, a sponsor is made primarily responsible for assuring protection of personal data that the sponsor does not in fact have. Furthermore, the PDPA imposes a number of obligations on a sponsor as data controller, but in practice the sponsor cannot comply with them as long as it has not obtained the data from an investigator. A sponsor, however, is usually only interested in obtaining the results of the trials, not the data.

The current legislation has not resolved the problem.

Three solutions can be considered, de lege ferenda:

  • to define an investigator to be a data controller, which would mean that the investigator would have to organize and finance structures and facilities to protect data;
  • to compel sponsors to obtain personal data from an investigator immediately after the data is collected, so that the sponsor can perform the duties of a controller;
  • to exclude clinical trials from the PDPA completely and establish specific regulations to protect the data obtained in clinical trials.

I am of the opinion that the last option would be the most efficient, as it is tailored to the nature and specificity of trials.

Please advise on how the problem has been solved in your jurisdiction.

2 thoughts on “Confusion in personal data protection obligations in clinical trials”

  1. An interesting article, Sylwia, which has prompted us to look deeper into this area from a UK Data Protection perspective!

    My experience with the UK pharmaceutical company (sponsor) that I’ve dealt with is that they are always involved in selecting participants for clinical trials and therefore a limited number of the sponsor’s employees have access to personal data of those participants. They absolutely regard themselves as data controllers and they maintain responsibility for obtaining consent from participants and keeping such personal data secure.

    This particular organisation, in most cases, carries out the trials administration and process itself (albeit through a different internal division); however, when producing reports and data relating to the trial, they only use and publish anonymised data. To the extent that they outsource any of the trial process to a third party, they always regard that third party as a data processor and they (as sponsor) retain responsibility as data controllers.

    Hope that’s helpful!

  2. One additional complication is that more work is being done by third parties outside of the EU. Aside from the use of standard contractual clauses (which also do not fit well within a clinical trial), this makes notice and consent more difficult.

    As the holder of the contracts and the entity ultimately responsible, I believe the sponsor must be the controller. However, there must be better guidance on how the rights of patients are protected as the road from the point of collection to the point of storage becomes convoluted.
