Remote Access to Study Data in Clinical Trials - What needs to be considered

EMA's GCP Inspectors Working Group added a new Question & Answer No. 3 relating to direct remote access in the section on "Records of Study Subject Data Related to Clinical Trials" of the Good Clinical Practice (GCP) Q&As.

Direct remote access is any access from an access point (location and/or hardware) that is not under the control and supervision of the investigator/institution. Usually, direct remote access involves additional data processing, like collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.

What are the considerations when direct remote access of health data is required in a clinical trial?

The following should be taken into account:

• Direct remote access must be clearly explained in the informed consent documentation.
• The trial protocol must include a description on how the arrangements for remote access comply with applicable data privacy rules. It must also describe the measures that are implemented to ensure confidentiality of records and personal data of trial participants as well as of measures that will be implemented in case of a data security breach in order to mitigate the possible adverse effects.
• A Data Protection Impact Assessment (DPIA) is strongly recommended, prior to remotely accessing confidential health documents, in particular to identify and mitigate risks associated with remote access. 
• Specific points to consider are described for the place where access is granted, during transmission of data and the place where the access is made (e.g., only data required by the protocol or legislation should be documented off-site).

For more information please see EMA's Q&A: Good clinical practice (GCP).