RD Privacy


Third-Party Data Sharing in Clinical Trials: Navigating GDPR Compliance

In clinical trials, collaboration with third parties, such as contract research organizations (CROs), vendors, and strategic partners, is essential for advancing research and bringing new therapies to market. However, the sharing of sensitive data with these entities presents challenges, particularly regarding compliance with data protection regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).

For clinical trial sponsors, who are data controllers under GDPR, ensuring compliant data sharing with third parties is a top priority. Meanwhile, under HIPAA, sponsors typically receive only de-identified data, making data sharing with third parties less complex but still requiring careful management.

1. Understanding Data Protection Obligations as Controllers

As the data controllers in clinical trials, sponsors bear the ultimate responsibility for determining how and why personal data is processed. Under GDPR, this includes ensuring compliance when sharing data with third parties such as CROs or vendors. As controllers, sponsors must:

  • Ensure that third-party processors act solely based on the sponsor’s instructions.

  • Provide trial participants with clear, transparent information about how their data will be processed and shared with third parties.

  • Implement robust technical and organizational measures to safeguard the personal data.

HIPAA differs in that clinical trial sponsors typically receive only de-identified data, which has been stripped of personal identifiers; even so, the need for careful data management and compliance remains. De-identified data, under HIPAA, cannot be used to identify individual participants, but any breach or improper handling still reflects on the sponsor.

2. Conducting Thorough Due Diligence on Third Parties

As sponsors remain fully responsible for the data they control, selecting compliant and secure third-party vendors or CROs is critical. Due diligence should focus on the third party’s ability to maintain high standards of data protection. Important areas to assess include:

  • Data security measures: Review the third party’s security protocols, such as encryption, secure access, and breach response mechanisms.

  • Compliance history: Investigate whether the third party has a clean record regarding compliance with GDPR, HIPAA, or other relevant regulations.

  • Past data breaches: Look into any prior security incidents or breaches to gauge the third party’s overall risk profile.

Selecting the right third party ensures that trial data is handled securely and lawfully, minimizing the risk of non-compliance or breaches that could harm both participants and the sponsor.

3. Establishing Data Processing Agreements (DPAs)

For GDPR compliance, sponsors must ensure that all third parties processing personal data sign a Data Processing Agreement (DPA). The DPA outlines the roles, responsibilities, and obligations of the sponsor (data controller) and the third party (data processor). Key elements of the DPA include:

  • The purpose and scope of the data processing.

  • The type of personal data shared, the categories of data subjects, and the specific processing tasks.

  • The security measures the processor must implement to protect the data.

  • Breach notification procedures and cooperation with regulators.

Since sponsors are ultimately accountable for how third parties handle clinical trial data, a well-crafted DPA is essential. It not only clarifies expectations but also protects the sponsor from liability in the event of non-compliance by the third party.

Under HIPAA, sponsors generally deal with de-identified data, meaning a Business Associate Agreement (BAA) might not be required in cases where data sharing does not involve identifiable health information. However, if any third party works with identifiable health information under a different part of the research (such as patient recruitment), a BAA would be necessary to govern their handling of that data.

4. Maintaining Consent and Transparency

In clinical trials, the management of participant consent is a cornerstone of compliant data sharing. Under GDPR, sponsors must ensure that the informed consent process explicitly covers any data sharing with third parties. This includes:

  • Identification of vendors: Participants need to be informed of the third parties, or categories of third parties, that will receive their data and for what purpose.

  • Cross-border transfers: Participants must be given the right to request a copy of the Standard Contractual Clauses signed with vendors located in third countries (if applicable).

  • Data Subject Rights: Participants must be able to exercise their rights at any time, and both Sponsor and vendors must be able to appropriately respond (if applicable).

While HIPAA de-identification requirements often simplify consent obligations by removing identifiable data from the dataset, sponsors still need to be transparent about their data-sharing practices and ensure that participants understand the extent to which their data will be used, even in a de-identified form.

5. Monitoring and Auditing Third-Party Practices

As data controllers, sponsors are responsible for the ongoing oversight of third-party data handling. To ensure compliance, sponsors should establish a system for regularly monitoring and auditing their partners. This could involve:

  • Regular audits: Sponsors should reserve the right to conduct audits of their third-party partners’ data protection practices, ensuring that data is handled according to the agreed-upon security measures.

  • Subcontractor controls: Third parties must always seek the Sponsor's approval before engaging any new service provider to handle personal data on the Sponsor's behalf and ensure that any onward transfers comply with GDPR requirements.

Maintaining strong oversight of third-party partners helps sponsors identify potential risks early and ensures that data is managed in compliance with applicable laws and regulations.

Conclusion: Data Protection as a Core Responsibility for Sponsors

In clinical trials, sponsors play a central role as data controllers and are accountable for ensuring that third-party data sharing complies with data protection regulations. This was recently confirmed by an Opinion issued by the European Data Protection Board (EDPB), Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s), which emphasized the responsibility of data controllers for personal data processed by subcontractors. The EDPB recommended that controllers extend their due diligence throughout the entire processing chain, ensuring oversight doesn't stop with direct vendors but includes all subsequent parties involved in data handling.

By placing data protection at the heart of third-party collaborations, clinical trial sponsors can safeguard participant rights, mitigate risks, and ensure the successful, compliant execution of their research programs.

Contact us for tailored advice.

Regards,

Diana