Clinical trials have become increasingly important for pharmaceutical companies and medical device manufacturers, which are focused on collecting as much data as possible on products and devices and their adverse effects. All of this "big data" also has high value, not only for clinical trials, but also for further analysis and R&D to improve products.

But the process, regulation, and sensitivity of health care data itself are a serious concern, says Patrice Navarro, counsel in the Hogan Lovells Paris office. And that's where the General Data Protection Regulation (GDPR) comes into play. Collection and processing of data is regulated by both the GDPR and, indirectly, by local public health regulations. To use the data and fully extract its potential value, it's critically important to ensure that data collection, processing, and security are in compliance with the GDPR and local regulations.

In this interview, Patrice Navarro explores the highly regulated realm of health data and clinical trials in Europe, and the numerous actors and stakeholders involved in personal data use and protection.

Why are clinical trials increasing in both importance and number?

Patrice Navarro: Until recently, clinical trials were mainly sponsored by pharmaceutical companies to support their marketing authorization request for a drug. Now, they are also needed post-market to show the benefit of their products. In addition, medical devices have increased in use and importance and medical device manufacturers are obligated to perform clinical trials to prove their devices have the right effect.

In order to do that, you need more post-marketing trials and more papers published in peer-reviewed journals to convince HCPs — healthcare professionals — that your product or device is very useful for patients. So pharma companies and medical device manufacturers need more and more data, including for secondary usage, to analyze for R&D and improve their products and devices.

Why is health care data collection in European clinical trials so complex?

Navarro: Because it involves a lot of different actors and stakeholders with different interests: sponsors, contract research organizations, patients, investigators, sites, ethics committees, and national health care authorities. 

The sponsor is the entity benefitting from and paying for the trial, and that would be the pharma company or medical device manufacturer. You also have contracts with service providers that organize or monitor the clinical trials. 

And of course you have the patients, who are very important. In the key phases of the trials, they are suffering from the medical issue that is at stake here. You also have the investigators, who are the HCPs performing the clinical trials on each site — the sites being hospitals or private clinics. And everything is monitored by ethics committees, national health care authorities, and data protection authorities.

Tell us more about how clinical trials are highly regulated.

Navarro: They are regulated by both the GDPR and each country's national public health regulations, with rules and practices that vary from country to country.

This explains the variations that can exist among countries, even within the EU, despite the supposed GDPR harmonization. But it doesn't always work that way, because the GDPR provides a lot of opening clauses, giving flexibility to each EU member state to implement slightly different rules. Health care data is typically one area where each country has some flexibility. Plus, data collection and processing are also impacted by national public health regulations.

You mentioned that many of the actors involved have different roles under the GDPR. Please elaborate on that. 

Navarro: Under the GDPR, and from the point of view of EU data protection, each of these actors can be controllers, joint-controllers, processors, or recipients, depending on the country and the case. So the roles and responsibilities need to be well established before setting up any clinical trial.

Authorities also have concerns about the way sensitive data is handled, and about contact between patients and the companies producing the products or devices.

Navarro: Data collected during clinical trials is sensitive, and there's always this concern from the authorities that the data can have value. Authorities are reluctant to regard very sensitive data as a commodity that could be exchanged and sold among various stakeholders.

Historically, contact between patients and pharma companies has always been a concern as well. We are in a field where we have different actors, but most of the time the patients are not the customers of the pharma companies or medical device manufacturers. Patients must receive proper medical treatment, and treatment is often reimbursed by national health care organizations and must be prescribed by health care professionals. 

The authorities refuse to imagine a case where a patient would be asking for one specific medical treatment. Treatment has to be prescribed by HCPs and it's paid for, most of the time, in most EU countries, by a public or private health care organization. So the main concern is that the pharma companies should not advertise to patients. Of course, there is some exception where direct contact is possible. 

This is why pseudonymization, or de-identification, of patients is a widely accepted principle in all EU countries. A sponsor, meaning the pharma company or medical device manufacturer, will not get the names of the patients involved in a trial.

Explain more about why certain issues around data collection, clinical trials, and privacy are so highly debated. 

Navarro: One of the most disconcerting areas of divergence between EU member states is the different national positions on whether patient consent is a valid legal ground for processing personal data in clinical trials. 

Because clinical trials involve the use of "data concerning health," the controller must cumulatively respect both the provisions of the GDPR's Article 6, governing the basis on which data may be lawfully processed, and the conditions provided in Article 9, governing the processing of special categories of personal data, including data concerning health.

In most countries, pharma and medical device companies conducting clinical trials use patients' consent as the legal basis to legitimize their data processing operations. Traditionally, to enroll and enter into a clinical trial, each patient or participant must accept and sign an informed consent form, where the protocol of the trial is explained and information about that protection is provided. And there is a consent granted by the patient.

But some authorities, like in the UK or the European Data Protection Board, are reluctant to accept consent as valid. This conclusion is based on the belief that patients are unable to freely give their consent in some trial situations, because the patient may fear he will not get access to medical treatment if he refuses. Or, in a case where the participant receives an indemnification for his participation. 

So we have to be careful. Consent is still a good legal basis in many cases and still seems to be the common practice. But it's not always the case and has to be carefully considered, depending on the country where the clinical trial will take place. 

What are your key recommendations to protect health data? 

Navarro: Sponsors must be extra careful when they're setting up the trials. They must integrate data protection rules and processes from the very beginning, as they will structure the way things are done. This includes integrating rules in the contract with the research organization, CRO, and in the clinical trial agreements, data privacy or data control agreements, and data processing agreements, where there could be a data privacy agreement that would be entered into with the sites and investigators.

The informed consent forms should also be carefully drafted to match both data protection rules and the reality of the data protection activities that will be done by the sponsor — the pharma company or device manufacturer. This should be sorted in advance and the variations between the countries where the trials take place must be taken into account early on. In some countries, the investigators and sites will almost always be processors, and in other countries they will be controllers or joint-controllers. This will have an impact early on, in all the contractual accommodations and on the way the trial is set up.

You also say that IT security is a high concern.

Navarro: Cybersecurity is something we should never overlook, of course, when we talk about data protection. Most of the big fines decided lately by authorities were about security. And here we are touching on something really sensitive. So cybersecurity is a very high concern for all the actors, and when the sponsor is contracting to use what we call the eCRF — the database where all the clinical trial data will be input by the sites and investigators — security must be at the top of their priorities.

Best practices around training are also an important factor of data processing.

Navarro: Yes. Some companies have a lot of clinical trials going on and are always in a rush because everything has to be done quickly to start clinical trials. So it's very important that proper training is proposed to the clinical affairs team, any employee involved in clinical trials, and in the processing of the resulting data. Training is usually very efficient because in this industry we are talking to highly educated people who quickly understand the ins and outs of data protection rules. But the training has to be very practical, focused on the day-to-day issues and high-level principles, or it won't be clear what to do with clinical trials.

My position is, we may be talking about a lot of contractual documentation, principles, and legal bodies, but all of these should never make us forget what is at stake here. The key point is to put ourselves in the shoes of the data subjects — the patients — and ensure that at any time we are protecting their rights and personal data. Compliance with the GDPR should not make us forget that the data subjects are always at the center. Sometimes we have to step back and look at things practically. It's really basic: are we correctly protecting the subjects and their personal data?
