FDA Guidance on data retention when subjects withdraw from clinical trials and how this could be different with the GDPR

According to FDA Guidance, when a subject withdraws from a study, the data collected on the subject up to the point of withdrawal remains part of the study database and may not be removed. Additionally, no new data shall be collected unless the patient consents to that.

So if a subject withdraws from a study and does not consent to continued follow-up of associated clinical outcome information, the investigator must not access the subject’s medical record and transfer such information to study databases; the investigator is only allowed to consult public records, such as those establishing survival status.

HOW COULD THIS BE DIFFERENT FROM A EUROPEAN PERSPECTIVE, CONSIDERING LEGITIMATE INTEREST UNDER THE GDPR?

Under the GDPR, researchers can conduct research based on the legitimate interests of the data controller (or third parties) except where such interests are overridden by the fundamental rights and freedoms of the data subject.

Although research is not specifically mentioned as a legitimate interest, Recitals 157 to 159 identify the benefits associated with personal data research and create a correlation between legitimate interest in scientific research and public interest.

To determine whether legitimate interest would prevail, it is necessary to consider how the legitimate interest should be weighed or balanced against individual rights and freedoms. Clearly some types of processing activities, such as processing necessary to protect public health, are very compelling. 

The reason why we shall base the lawfulness of the processing on both legitimate interest and public interest, instead of jumping directly to Article 9 of the GDPR, is that dealing with special categories of data does not mean that the rights and freedoms of the data subjects should not be considered, so the requirement is to apply both legal assumptions:

(1) there is a legitimate interest of the controller, and this shall be communicated to the data subjects together with their right to object;

(2) because we’re dealing with special categories of data, additional protection shall be guaranteed: public interest would prevail over the rights and freedoms of the individuals as long as proportionality and security of the data are ensured in order to safeguard the fundamental rights and interests of the data subjects.

So, considering this, could we argue that collecting the survival status of a patient who has withdrawn from a clinical trial, based on the Sponsor’s legitimate interest, would be in accordance with EU law?

Unless clinical regulations specifically prohibit it, I am of the opinion that, as long as data protection principles apply, such as the principles of data minimization, security of processing and information, controllers should be able to make use of the legitimate interest under the GDPR to collect the survival status of a data subject who has withdrawn from a clinical trial.

The use of legitimate interests by the controller, supported by reasons of public interest, to collect data after the data subject’s withdrawal of consent does not exclude controllers from being bound by the GDPR’s notice requirements, meaning that, in particular, controllers shall inform data subjects if processing is based on the legitimate interest and what rights are available to them.

In line with this, the best and most efficient way to inform patients about the collection of survival status based on the legitimate interest would be the ICF, and a brief summary of the legitimate interests and the reasons for the collection of the data should be provided to the data subjects for transparency purposes.

It seems that, after all, the new privacy regulation brings innovation and empowers business while at the same time protecting the interests and fundamental rights of the data subjects. It improves transparency and creates and stimulates the exercise of balance and proportionality, with a focus on development and future achievements.

Regards,

DCA
