Site Contracts - Controller/Processor...Who is Who?

Determining the roles of the Sponsor, Clinical Trial Site and CRO is important not only for drawing up appropriate Clinical Trial Agreements but, above all, for understanding the privacy obligations of each party in the conduct of a Clinical Trial.

According to the GDPR, “controller” means the natural or legal person, who, alone or jointly with others, determines the purposes and means of the processing of personal data; while “processor” means a natural or legal person, who processes personal data on behalf of the controller.

In this regard, the roles of the parties in a Clinical Trial shall fit these two definitions.

We know that the Sponsor, defined by the Clinical Trial Regulation as an individual, company, institution or organization which takes responsibility for the initiation, for the management and for setting up the financing of the clinical trial, is a Controller.

We also know that a CRO is a Processor to the Sponsor as it provides clinical research services to the Sponsor on a contract basis.

So, what about the Clinical Trial Sites, Investigators and the rest of the Site Staff?

The Clinical Trial Regulation clarifies that the “Investigator” is the individual responsible for the conduct of a clinical trial at a clinical trial site. Investigators are usually employees of the Clinical Trial Site, as are the rest of the Site Staff, so they shouldn't be individually considered as controllers/processors.

The Draft Guidelines issued by the EDPB on the concept of Controller and Processor support that view by stating that “In principle, there is no limitation as to the type of entity that may assume the role of a controller but in practice it is usually the organization as such, and not an individual within the organization that acts as a controller.”

This leaves the determination of the privacy role of the Clinical Trial Sites, and this is where there’s no consensus.

According to the Article 29 Working Party Opinion 1/2010 on the concepts of "controller" and "processor", both Clinical Trial Sites and Sponsors make important determinations with regard to the way personal data relating to clinical trials are processed, and for this reason they should be regarded as joint data controllers.

This view is supported by the fact that even though the Sponsor is the one who draws up the trial protocol and provides the necessary guidance for the conduct of the clinical trial, the Clinical Trial Sites carry out the trial autonomously and have direct responsibilities for compliance with the Clinical Trial Regulation and Good Clinical Practices (GCP’s).

In Europe, many Regulatory Authorities (“RA’s”) have accepted the above position, defining the Sponsor and Clinical Trial Site as joint-controllers; others, such as the RA’s in the UK and Belgium, maintain that the Clinical Trial Site is a Processor to the Sponsor.

Supporters of the Sponsor’s sole controllership model argue that it is the Sponsor who determines what data is collected for the research study through the protocol, case report form and/or structured data fields in a database, hence the Sponsor shall be the controller in relation to the research data. In line with this, the EDPB, in its Guidelines 07/2020 on the concepts of controller and processor in the GDPR (pending adoption), also takes the position that the Controller in a clinical trial is determined by who is responsible for drafting the protocol.

However, this position seems to be very simplistic and disregards what the Clinical Trial Regulation says about the responsibilities of the Sponsor and the Investigator in Clinical Trials. To clarify, according to this Regulation, the Sponsor takes responsibility for the initiation, for the management and for setting up the financing of the clinical trial, while the Investigator takes responsibility for the conduct of a clinical trial at the Site.

Given the above considerations, many sponsors and clinical investigators have come to regard their relationship as that of independent controllers, with the sponsor controlling the processing of the sponsor trial master file and the investigator controlling the processing of the investigator site files. This is the EFPIA position, but I wonder: if we are talking about a trial master file (Sponsor & Investigator TMF), wouldn’t the purpose for processing the data be the same, which would lead us to consider both parties as joint-controllers?

There’s also a different view on the independent controllership position, which holds that the Sponsor is responsible for the personal data processed for the purposes of the clinical trial and the Site is responsible for the personal data processed for the purposes of medical care. Here, we have two controllers for two different purposes; however, the processing operations for the purposes of the trial and for the purposes of medical care sometimes overlap.

Such an overlap, like the overlap of controllers under the joint-controller position, requires clarification and a distribution of responsibilities in the CTA or DPA.

If a Site includes in the patient’s records data that results from a clinical trial, the Site is, under the independent controller position, acting at the same time as Processor to the Sponsor and as Controller for the purposes of medical care. The responsibility for compliance with applicable laws when the Site is processing data shall lie with the Site as a Controller, because such responsibilities exceed the responsibilities of the Site as a Processor.

So, in the event of a data breach, unless the breach is due to wrongful processing by a Sponsor representative (e.g. a monitor checking medical history), the Site should be the one responsible for a privacy breach at the Site and the one that needs to notify the SA’s and the data subjects if needed.

This view allows us to rely on the responsibilities of the Site as a Controller to comply with the GDPR, avoiding the need to perform due diligence on the Site regarding the security measures in place to protect the data as per Art. 28(1).

To conclude, even though there’s no unanimity on the roles of the Sponsor and the Site in a Clinical Trial, the important factor is that, regardless of the position we defend, we exercise the necessary diligence not only to document that position but also to take steps in line with it.

DCA
