During the earlier days of privacy, the pharmaceutical industry was already ahead of its time in providing measures for protecting the privacy of the persons involved in its activities.
Traditionally, policies to protect privacy in research have relied on anonymization of the data and, in the case of research using personally identifiable information, seeking the prior consent or authorization of the individual. Informed consent forms, masking, generalization and randomization techniques, alongside procedures to prevent disclosure, are a common, mandatory practice in clinical research.
So when GDPR started to appear on the horizon, the general reactions were twofold: “We already have everything in place, nothing is needed” and “How can we prevent additional burden being put upon us?”.
Big pharmaceutical companies were anxious to make sure their interests were covered. Opinions were issued on preliminary versions of the GDPR text and meetings with politicians were frequently held.
Indeed, within GDPR quite a few references are made to Pharmaceutical Research & Development, e.g. the research privileges under GDPR (Articles 5.1(b)/(e), 14.5(b), 17.3(d), 21.6):
• Presumption of compatibility of purposes for further processing
• Longer retention periods
• Exception from right of information / erasure / objection
• Additional derogations under member state laws (Article 89.2)
Everything under control, you might think. But is this truly the case? Where do we stand more than a year after GDPR became effective? Is it really that clear and easy?
Different interests and many opinions
First of all, there are a lot of parties involved in both the pharmaceutical area and the privacy area. A lot of parties with a lot of opinions and interpretations, and local laws that deviate from the European Regulations.
On the pharmaceutical side we have of course the EMA, who are now based in Amsterdam. Besides this, we have national (and sometimes regional) Health Authorities, Ethics committees, patient representative bodies, individual Sites and Investigators (whether or not a member of a larger partnership).
On the privacy side, we have one European-wide regulation, with the European Data Protection Board (the EDPB) to give guidance and the Court of Justice of the European Union (CJEU) to give case law, but also national privacy supervisory authorities (like ICO, CNIL, or AP) which give different guidance, remain silent or leave it to the market.
So what’s going on?
With all these different parties, it may be difficult to keep an overview of what matters most. In our view, the important issues currently on the table are:
• Are you as sponsor of a clinical trial the sole controller of the personal data gathered during the clinical trial? Or is the Site also a controller and are sponsor and Site joint controllers?
• Are we using anonymous data (and is GDPR not applicable) or pseudonymized data?
• Is the ICF enough to get valid consent for GDPR? How to communicate to participants of clinical trials given all pharma guidelines on style, use of words and length of the texts in the communication with involved persons? What will be the impact on the Master ICFs?
• If consent is not valid (because you can doubt the freely given criterion for a participant who is not in good health), what is the legal ground for primary use of personal data from clinical trials?
• What is the legal basis for processing personal data from clinical trials for secondary use? When is secondary use applicable, or can it still be under the first purpose definitions?
• Outsourcing and co-sourcing will stay on the rise, but how to become GDPR compliant and accountable with so many parties, from different countries, involved in the process?
On each of these issues, no single, congruent opinion exists.
The EDPB earlier this year tried to give some more clarity with their opinion on the Q&A which accompanied the Clinical Trial Regulation (CTR), but parties seem to have no intention to solve the issues or get on the same page.
This lack of clarity and the different points of view in different countries cost extra money and cause delays for the whole pharma industry. It also leads to the situation that for one clinical trial, participants have different positions, are treated differently and need different forms of communication.
It will take a considerable amount of time to get all issues solved and have one European approach to GDPR compliance in the pharmaceutical area.