Clinical Trial Regulations and ICH-GCP’s have implemented privacy rules to the processing of research participants personal data, however there’s nothing on these regulations that rule the processing of personal information from Investigators and study staff; and even though we know that the processing of individual’s personal data involved in the conduct of the research is required to check their suitability, there’s no harmonization on the procedures to collect and process data in compliance with data protection laws.

According to the GDPR, every processing activity is subject to data protection controls, even if data is processed for business related purposes, to which individual is part.  In this regard, Sponsors will need to comply with GDPR principles, including:

1. Principle of lawfulness, fairness and transparency

2. Principle of purpose limitation

3. Principle of data minimization

4. Principle of accuracy

5. Principle of storage limitation

6. Principle of integrity and confidentiality

7. Principle of accountability

How does it translates to the processes of collecting Investigator/Site Staff data?

On the first instance, Sponsors should have a lawful basis for processing investigators/site staff data and must provide information about how such data will be processed in the scope of the research. Considering that it’s a requirement of clinical trial’s regulations to check the suitability of the investigators/site staff, the processing of personal data required to perform such checks would be based on a legal obligation imposed to the Sponsor by clinical trial regulations. Any data that Sponsor processes that is not required to perform suitability checks, would be processed based on the legitimate interest of the Sponsors, considering these do not override the interests of the individuals. In this regard, a legitimate interest assessment (LIA) is recommended to be performed and saved for accountability purposes. Once identified the lawful basis for processing investigators/site staff data in the scope of the research, it’s important to provide the privacy notice to the individuals, this is usually achieved by adding such privacy notice to study documents that need to be reviewed/signed by the Investigator/site staff.

The processing activities on investigators/site staff data need to fulfill clear purposes and should not exceed those purposes, otherwise Sponsor would need to rely on another lawful basis to be able to process data for those other purposes. When discussing this topic in our industry, what’s important to note is that if Sponsor wants to use Investigators/site staff data for other purposes that are not related to the conduct of the clinical trial, they might need to collect investigators/site staff consent for that.

Regarding data minimization principle, Sponsors cannot process data that is not necessary for the purposes of the research, so if they receive information from Investigators that is excessive taking into account the purposes for processing, they need to eliminate it before saving it in study files. As an example, CV’s from Investigators sometimes include home address and date of birth, we could argue that date of birth might be needed for the legitimate interests of the Sponsor in making travel arrangements for investigator’s meetings but hardly could argue that the collection of home address is legitimate.

It is also important to ensure that whenever new information comes-up regarding an investigator/site staff member, or information was recorded with errors, that his is immediately modified in the records of that person. Likewise when data is no longer necessary, it should be deleted. In clinical trials, investigators/site staff data should comply with the obligations imposed by the clinical trial regulation on records retention.

When it comes to the principles of integrity and confidentiality, the Sponsors must be aware that investigators/site staff personal information shall be kept confidential and that only a certain number of authorized recipients shall have access to the data; in this regard security measures must be implemented to protect the data and procedures on how to deal with personal data breaches should include investigator’s data.

Lastly, the accountability principle requires documentation, so it’s important that assessments, procedures and guidelines are documented to show that Sponsors are implementing privacy controls on the processing of investigators/site staff personal data.

In addition to this, Sponsors should have procedures in place to respect the exercise of individuals’ rights, such as right to access, rectification, erasure, objection, etc., and should request any third-party processors to implement equivalent privacy controls, not to mention, if data is transferred to third-countries outside the EU/UK, appropriate safeguards should be in place to comply with cross-border rules on data protection.

To conclude, the processing of investigators/site staff personal data must be equally protected as the personal data of research participants, taking into account the applicable variables such as the likelihood of the risks and severity for the rights and freedoms of the individuals which would determine the type of security measures to apply. Nonetheless, Investigators/site staff data are often disregarded with less privacy controls in place which could become an easy spot for authorities to check for compliance. It is important to be reminded that privacy laws apply generally to all processing of personal data and a lack of compliance with GDPR and applicable privacy laws on investigators/site staff data could result, in the application of high fines imposed by the data protection authorities.

Implementing a robust privacy program does not happen overnight but it’s something that can be achieved step-by-step when there’s a clear vision of the general strategy for the organization. We have to be able to see the full picture and be able to identify how to connect the dots.

DCA