The obligations of organisations carrying out clinical trials are not universal across the EU, and can often come as a surprise to those submitting research for approval within individual Member States. Ireland is no exception, with specific measures under Irish law that must be met when conducting clinical trials. Further, while you may have a handle on the law and how your organisation will comply throughout the clinical trial lifecycle, you also need to navigate the approvals process through individual study sites.
This article will discuss key data protection considerations for those carrying out clinical trials in Ireland, as well as to provide some tips for moving your study submissions through the approvals process at individual study sites.
This piece is an introduction to a series of articles which will provide guidance to those carrying out clinical trials in Ireland, across the EU and UK. Further topics to explore include lawful basis in health research, future research, controllership, third country transfers and security.
Suitable and specific measures
It is clear that the introduction of the EU Clinical Trials Regulation (CTR) and the GDPR provide a more harmonised approach to carrying out clinical trials across the EU. However, distinct differences lie where individual Members States introduce their owns conditions for conducting health research.
Section 36(2) of the Irish Data Protection Act 2018 (DPA 2018) provides for suitable and specific measures to be taken to protect the fundamental rights and freedoms of individuals. Whereas many such measures are familiar and implemented as standard practice in research – pseudonymisation, encryption, and strict limits on retention – Ireland has introduced the Irish Health Research Regulations 2018 for those processing or further processing personal data for the purpose of health research.
Below we explore some of the specific measures that must be taken by clinical trial sponsors and those undertaking activities on their behalf to conduct clinical trials in Ireland.
Data Protection Impact Assessment (DPIA)
Clinical trials must be assessed on their data protection implications, with a Data Protection Impact Assessment (DPIA) undertaken where the review indicates a high risk to the rights and freedoms of individuals. DPIAs are often undertaken by default by individual study sites.
Multiple industry bodies, health service providers and data protection networks have drafted or are drafting their own DPIA template to be used by their members. It remains to be seen whether any DPIA template will result in a standardised and streamlined approach to progressing DPIAs. However, a sponsor or the organisation assisting a sponsor in the approvals process can prepare for the areas that will be reviewed at each site by:
- Identifying controller, joint controller and processor relationships, and documenting the role of each.
- Clearly establishing and documenting the GDPR legal basis for processing, under Article 6 and 9 of the GDPR.
- Documenting study data flows and data sharing, including third country transfers of personal data and appropriate safeguards.
- Ensuring the security measures currently in place, or planned, to protect study data are at minimum, at a level appropriate to the risk the processing of study data presents.
- Ensuring information sheets and /or supplementary study documents meet Article 13 of the GDPR requirements.
- Maintaining a data breach procedure that can be followed by the Principle Investigator (PI) and their study team.
- Considering whether data may be used for future research and the lawful basis for doing so.
- Being able to demonstrate that explicit consent meets the threshold required by Irish Health Research Regulations.
Explicit consent must be obtained for individuals to participate in research, unless specific exemptions are met or where a consent declaration is obtained. This consent can be considered separately to other ethical standards or procedural obligations in obtaining consent for health research, and the lawful basis relied on under Article 6 and 9 of the GDPR.
- Identify the scope of the specified research.
- Provide study information, in a timely manner, in an intelligible and easily accessible form, using clear and plain language.
- Give choices to individuals in the areas of research that they want their information to be used in and third parties that they are willing to have their information shared or not shared with.
- Allow the withdrawal of consent in a convenient way and where that is not possible, explains the limits of withdrawal.
- Obtain consent by means of a statement or a clear affirmative action signifying agreement of the processing of the personal data.
- Document consent in written, electronic or other format with a copy of the record of consent provided to the individual.
Controllership and governance arrangements
Appropriate governance arrangements must be in place which specify the controllers, joint controllers and processors involved in the research. Prior to this, the designation of each party must be established. Whereas many other EU Member States and the UK have taken clear but differing positions on controllership between sponsors and study sites, the Irish Data Protection Commission has not made the same rigid assessment, nor is it defined in Irish law e.g., sponsor and study site acting as joint controllers.
As such, the normal practice of analysing the factual elements and circumstances of the clinical trial’s processing activities must be followed, and should establish which party/ies act as controller, joint controller or processor. For example, the analysis among other considerations in establishing what parties determine the purposes and means of processing include:
- a review of which parties contributed to the study protocol;
- what their roles are under EU CTR;
- what control each party has over the study data; and
- if any party will further process data outside of the protocol.
Key to navigating the approvals process and managing compliance throughout the clinical trial lifecycle is ensuring that your organisation has a responsive and engaged data protection team that is knowledgeable of local laws and requirements for conducting health research. This should be the case whether your data protection team overseeing a clinical trial is in-house, with a Clinical Research Organisation (CRO) or external advisory team.
Trilateral’s Data Protection and Cyber Risk Team have extensive experience in navigating the GDPR, the CTR and local data protection requirements, and in supporting organisations undertaking complex research studies to comply with their data protection obligations. We offer a range of data governance services, including compliance support. Please feel free to contact our advisors, who would be more than happy to help.
This article will be updated with further links as we add to our series on data protection in clinical trials.