The GDPR gives people the right to request that their data is deleted. This is commonly known as the ‘right to be forgotten’ (art. 17 GDPR). In the context of clinical trials, such a request is most often made after a trial participant withdraws from the trial. After withdrawing from the trial, the personal data collected are no longer necessary for treating the participant. Should a request for data deletion be granted in that case?
Exemptions to the right to be forgotten
The right to be forgotten is not absolute. In clinical trials, the retention and reporting of data are critical to safeguarding the integrity of the trial and drawing valid research conclusions. Data cannot simply be deleted once a participant requests it – right?
The GDPR recognizes that there should be a balance between the protection of personal data and privacy on the one hand, and research and innovation on the other. As part of this, there are several situations in which a person cannot request that their data is deleted. Among others, this is the case when:
- There is a compelling public health reason, and the data is processed by a medical professional bound by professional secrecy (e.g. doctors, nurses, and hospital support staff)
- There is a legal obligation that prohibits the deletion; or
- Keeping the data is necessary for the integrity and reliability of scientific research.
Which exemptions apply for clinical research?
The three situations above could all apply to clinical research. In particular, retention of personal data is usually required to ensure the clinical trial results are reliable and unbiased (situation 3).
Moreover, there are several legal obligations to retain research data (situation 2). These include obligations adopted by regulatory agencies such as the EMA or national authorities. There are often legally specified retention periods during which data must be kept. For example, pharmacovigilance data must be retained for at least 10 years after the expiry of the marketing authorisation.
For interventional studies in the EU, there is a specific legal obligation: art. 28(3) of the Clinical Trials Regulation (CTR) specifies that withdrawing consent shall not affect the use of data obtained before the withdrawal. Recital 76 of the CTR even explicitly states that “while safeguarding the robustness and reliability of data from clinical trials used for scientific purposes and the safety of subjects participating in clinical trials, […] the withdrawal of informed consent should not affect the results of activities already carried out, such as the storage and use of data obtained on the basis of informed consent before withdrawal”.
What about non-EEA laws, e.g. from the FDA?
The GDPR only allows a request for deletion to be disregarded on the basis of a legal obligation if that obligation stems from EU law or the law of an EU member state. In principle, non-EU law does not create a valid exemption. Most notably, this means that codes and regulations from the US FDA may not be considered.
However, this does not have to pose a big problem. Most clinical trials that need to comply with the GDPR must also comply with the EU CTR and EMA regulations, and can hence rely on the legal-obligation exemption. And even if that is not the case, the other exemption still applies: even without a specific legal obligation, data may be retained if it is necessary for the integrity and reliability of the clinical research.
What should a sponsor do when conducting a clinical trial?
What does this mean for planning and conducting a clinical trial? First of all: know which personal data you have and where it is located (also data stored at your partners, like CROs and laboratories). Data maps or data flows are great tools for this. There are set time frames for responding to requests from data subjects, which you can only meet if you are prepared.
Secondly, be aware that trial participants can make a request for deletion. The study sponsor (controller) is responsible for making sure there is a process in place for this, and ultimately responsible for handling the requests. However, we recommend directing the requests as much as possible to the organisation that actually has the patient data – most often this is the hospital or institution that treats the patients. We also recommend having a written procedure that specifies how data subject requests are handled to enable an efficient, predictable, and controlled process.
Thirdly, make sure you comply with other elements of the GDPR. Most notably, it is important that you don’t collect more data than required, and that patient data and other personal data are adequately protected. Think about technical measures like encryption and access controls, about pseudonymization and/or anonymization, and about defining clear roles, responsibilities, and training. Also make sure to set clear retention periods for personal data, based on the requirements of your research, GCP obligations, and other legal obligations.
Clinical trial processes typically involve sensitive data that is collected and used by a multitude of organisations. Involving a specialized support company for privacy in Life Sciences (like Vivenics) greatly helps to correctly identify risks and take appropriate measures.
What to do when responding to a request for deletion
When you receive a request for data deletion, it’s best to involve the Data Protection Officer (DPO) or other privacy support staff as soon as possible. Be clear in your communication to the requestor and manage expectations (e.g. about response times). At the same time, try to get as much information about the request as possible – often, requests can be narrowed down or withdrawn completely if the requestor is taken seriously and is being heard.
If the request and the requestor’s identity are verified, then the involved privacy staff can assess if the data must be deleted or not based on the exemptions described above.
When a request is made for data that was collected long ago, keep in mind that the exemption only applies if you still need the data. The CTR mandates that (raw) data should be kept for a set retention period. Once the retention period has expired, the exemption from deletion no longer applies and you must delete the data.
Need help or advice with data subject requests or other privacy aspects in clinical trials? You can reach us on +31 (0)88 8483 100 or via firstname.lastname@example.org.