The EU Data Protection Directive (95/46/EC) and the General Data Protection Regulation (2016/679) (GDPR) govern the collection, processing and transfer of personal data, including health data. The Data Protection Directive governs, among other things, the activities of pharmaceutical companies engaged in clinical trials and pharmacovigilance activities. The GDPR, repealing the Data Protection Directive, entered into force on May 24, 2016, and will apply from May 25, 2018. It will introduce new data protection requirements in the EU as well as substantial fines for breaches of the data protection rules.
What data protection issues should be considered when conducting clinical trials?
At present, the collection, processing and transfer of personal data of study subjects must be conducted in accordance with the requirements provided in the Data Protection Directive and the related implementing provisions of the EU member states. However, the GDPR will become effective on May 25, 2018. Sponsors conducting clinical trials in the EU must therefore adopt appropriate measures to ensure that activities concerning the processing of study subjects' personal data comply with the GDPR. In addition, sponsors must document how these procedures, including related interactions with third-party processors, function in practice. Furthermore, sponsors and investigators must take into account the fact that the processing of health data can be conducted only in specific circumstances. These circumstances include the study subject having provided his or her explicit consent to the processing of his or her health data.
The GDPR defines the "data controller" as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data carried out in the EU. The sponsor of a clinical trial is commonly considered to be the "data controller". Sponsors of clinical trials which are not established in the EU and wish to transfer trial subjects' data outside the EU must take into account the following issues:
What data protection issues should be considered when conducting pharmacovigilance activities?
The EudraLex Volume 9 - Good Pharmacovigilance Practices (GVP), Module I – Pharmacovigilance systems and their quality systems, provides that the fundamental right to personal data protection must be fully and effectively guaranteed in all pharmacovigilance activities. As part of a record management system, specific measures should be taken at each stage of the storage and processing of pharmacovigilance data to ensure data security and confidentiality. This should involve the strict limitation of access to documents and databases to authorized personnel respecting the medical and administrative confidentiality of the data.