Clarifying Data Use in Pharma: Future Research in Clinical Trials vs. Further Processing of Personal Data

The evolving landscape of medical research and data privacy presents complex challenges, particularly for Data Protection Officers (DPOs) and researchers who navigate these waters. It's crucial to understand the different regulatory frameworks that govern the use of personal data in clinical trials and its future uses. This article explores the key differences between future research under the clinical trial regulations and further processing of personal data under the General Data Protection Regulation (GDPR) and discuss how DPOs can integrate various legal requirements into Informed Consent Forms (ICFs) to ensure compliance and protect participant privacy.

Future Research in Clinical Trials

Future research within the context of clinical trials refers to the utilization of data for research purposes that were not explicitly detailed in the initial protocol but are foreseen as potentially necessary for future medical advancements. Governed by the European Medicines Agency (EMA) and Clinical Trial Regulation (EU) No 536/2014 (CTR), this use of data is tightly controlled. Regulations require that any such future use be explicitly mentioned and consented to at the trial's outset. Moreover, the data intended for this type of future research must be meticulously managed to ensure it is used solely for the ethically approved scientific purposes initially outlined when the data was collected.

Further Processing for Scientific Research Under GDPR

On the other hand, the GDPR governs the processing of personal data for scientific research purposes which includes the further processing of personal data for purposes that are compatible with the original one.

While under clinical trials regulations future research means that actual research activities are performed with the data or biological samples collected in the scope of the trial, further processing of personal data is broader and includes the use of pseudonymized data collected in the scope of the trial, for multiple uses, such as assessments, business analysis, publications, etc.

In this sense, GDPR offers a more flexible framework as data initially collected for one purpose, may be repurposed, provided it adheres to core data protection principles and controls.

Distinguishing Legal Basis and Scope

The key to future research under the CTR is the explicit consent of the research participant. Participants must be clearly informed about how their data might be used in the future, and their consent is specifically obtained for each potential research area. This ensures a high degree of transparency and participant awareness.

Also, the scope of future research under the CTR is strictly defined by the parameters set out in the initial consent forms. Any deviation from these predefined purposes often requires additional consent and a new ethical approval process. This strict adherence ensures that participants’ data is used in a manner they have explicitly agreed to, thereby protecting their rights and maintaining trust in the clinical trial process.

In contrast, under the GDPR, the processing of personal data for scientific research purposes usually relies on the legitimate interest of the sponsor in conducting the research, and further processing personal data can be allowed without the need to rely on a new legal basis, as long as the use of data are compatible with the original collection purpose.

Ethical and Regulatory Oversight

Future research in clinical trials is subject to rigorous ethical and regulatory oversight. Clinical trials are closely monitored by regulatory bodies to ensure compliance with the original research purposes, maintaining transparency and adherence to what participants have consented to. On the contrary, while further processing of personal data for scientific research under the GDPR must adhere to ethical standards, data protection authorities do not monitor the processing of personal data by organizations, but expect organizations to implement accountability measures, to ensure the respect for the rights of the individuals, this includes appointing a DPO to monitor compliance or perform a data protection impact assessment (DPIA) to help identify and mitigate risks to the rights of data subjects, ensuring that the processing remains within acceptable ethical and legal boundaries.

Conclusion:

Understanding the differences between future research under CTR and further processing of personal data under the GDPR is essential for crafting ICFs that comply with both clinical trial regulations and data protection laws. By grasping these distinctions, DPOs can guide their organizations effectively through the intricate regulatory environment, ensuring that their contributions to medical science are conducted responsibly and with a high regard for participant privacy. This expertise is crucial not only for maintaining compliance but also for enhancing trust in pharmaceutical research and its wider impacts.

As a key responsibility, DPOs must ensure a comprehensive understanding of the various data usage scenarios. This understanding enables them to draft ICFs that respect both the CTR and GDPR, by incorporating separate consent options for future research. Furthermore, it is imperative that the ICF clearly explains the legal bases for processing personal data throughout the trial, including any further compatible uses. Such clarity and transparency are fundamental to upholding ethical standards and protecting the rights of participants in clinical research.

Have specific questions? Reach out to our experts now through our contact page or drop us an email at info@rdprivacy.com