1. Overview on Data Privacy
(Clinical Data Manager’s Perspective)
Vinayak Thorat
Clinical Data Manager
vinayak.thorat@ancillarie.com
2. “No one shall be subjected to arbitrary
interference with his privacy, family, home or
correspondence, nor to attacks upon his honor
and reputation. Everyone has the right to the
protection of the law against such interference
or attacks.
- Universal Declaration of Human Rights – Art. 12
3. “Everyone has the right to respect for
his private and family life, his home
and his correspondence.
-European Convention for the Protection of Human Rights and
Fundamental freedoms
4. “The confidentiality of records that
could identify subjects should be
protected, respecting the privacy and
confidentiality rules in accordance
with applicable regulatory
requirement(s).
-ICH Guideline for Good Clinical Practice (GCP)
7. Introduction
Why is Personal Data Protection important?
• It is an Universal Human Right
• Possible damages to the business and the image of a company
• Important financial & individual risks for non- compliance
Inability to perform research
Important fines
Legal consequences
• Important risks for the data subjects
Identity theft and Fraud
Discrimination
7
8. • Data privacy refers to the standards surrounding protection of personal data.
• Personal data can be defined as any information that can lead to identification,
either directly or indirectly, of a research subject;
e.g. Subject names, initials, addresses, and genetic information.
Important Definitions
8
9. What Constitutes Private or Personal Information?
According to EU Directive 95/46/EC,
Private of personal information means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable person is one who can
be identified, directly or indirectly, in particular by reference to an identification
number or to one or more factors specific to his physical, physiological, mental,
economic, cultural or social identity.”
9
10. What Constitutes Private or Personal Information?
Per HIPAA: 45 CFR Section 164.501:
“Private or Personal Information that is a subset of health information, including
demographic information collected from an individual and:
• Is created or received by a health care provider, health plan, employer, or health
care clearing house;
• Relates to the past, present or future physical or mental health or condition of an
individual; the provision of health care to an individual; or the past, present, or
future payment for the provision of health care to an individual; and
That identifies the individual; or
With respect to which there is a reasonable basis to believe the information
can be used to identify the individual.”
10
11. How privacy protection gave to research subjects ?
• Protocol review and approval by an Institutional Review Board (IRB)
• Right to informed consent
• Right of the subject to withdraw consent and have no further data
collected
• Right to notice of disclosure
• Confidential collection and submission of data
11
12. Who are responsible?
Primarily Site management or clinical monitoring team are responsible for
subject data privacy;
However, Data Management Personnel should be acquainted with common
issues related to data privacy and should follow regulatory and organizational
guidelines to ensure the privacy of research subjects.
12
14. Minimum Requirements
• All personnel involved in handling (directly or indirectly) of Personal identifiable
information (PII) must be trained on data privacy concepts & issues; company
policy; regulatory agency policy and applicable local, state, federal, and
international laws.
• Data collection tools should capture minimum PII; e.g. CRF, clinical, laboratory,
genetics database, data transfer specifications, ePRO etc.
• Documents which are accessible to data management team should not content PII
except subject identifier.
• Timely review and updates of company privacy policy/ related SOPs.
14
15. Best Practices
• Educate associated personnel regarding subject data privacy
• Develop organization SOP for data privacy
• Define internal and external accountability in the company policies
• SOP should be present and implemented for data transfer.
• All privacy considerations must be addressed and documented.
• Setup internally or tie up with quality assurance department to ensure
compliance with data privacy regulations.
• Maintain proper physical and electronic security measures.
e.g.: Storage of Paper CRFs should be stored in regulated access environment; for
electronic records password authentication and firewall security must be present.
15
16. Legislation and Regulatory Guidance
• EU Data Protection Directive 95/46/EC
• EU Data Protection Directive 2001/20/EC
• General Data Protection Regulation: Regulation (EU) 2016/679
16
17. EU Data Protection Directive 95/46/EC- 7 Principles
• Notice: Data subjects should be given notice when their data is being collected;
• Purpose: Data should only be used for the purpose stated and not for any other
purposes;
• Consent: Data should not be disclosed without the data subject’s consent;
• Security: Collected data should be kept secure from any potential abuses;
• Disclosure: Data subjects should be informed as to who is collecting their data;
• Access: Data subjects should be allowed to access their data and make corrections
to any inaccurate data; and
• Accountability: Data subjects should have a method available to them to hold data
collectors accountable for not following the above principles
17
18. Clinical Trials Directive (Directive 2001/20/EC)
• The Clinical Trials Directive is a European Union directive that aimed at facilitating
the internal market in medicinal products within the European Union, while at the
same time maintaining an appropriate level of protection for public health.
• It seeks to simplify and harmonize the administrative provisions governing clinical
trials in the European Community, by establishing a clear, transparent procedure.
• The Member States of the European Union had adopted and publish by 1 May 2003
the laws, regulations and administrative provisions necessary to comply with this
Directive.
• The Member States had applied these provisions at the latest with effect from 1
May 2004.
18
19. The Articles of the Directive 2001/20/EC
• Scope (Directive does not
apply to non-interventional
trials).
• Definitions
• Protection of clinical trial
subjects
• Clinical trials on minors
• Clinical trials on
incapacitated adults not able
to give informed legal
• Ethics Committee
• Single opinion
• Detailed guidance
• Commencement of a clinical
trial
• Conduct of a clinical trial
• Exchange of information
• Suspension of the trial or
infringements
• Manufacture and import of
investigational medicinal
products
• Labelling
• Verification of compliance of
investigational medicinal
products with good clinical
and manufacturing practice
• Notification of adverse
events
• Notification of serious
adverse reactions
• Guidance concerning reports
• General provisions
• Adaptation to scientific and
technical progress
• Committee procedure
• Application
• Entry into force
• Addressees
19
20. General Data Protection Regulation: Regulation (EU) 2016/679
• The General Data Protection Regulation (GDPR) is a regulation by which
the European Parliament, the European Council and the European
Commission intend to strengthen and unify data protection for individuals within
the European Union (EU).
• The primary objectives of the GDPR are to give citizens back the control of their
personal data and to simplify the regulatory environment for international
business.
• When the GDPR takes effect it will replace the data protection directive (officially
Directive 95/46/EC) from 1995.
• The regulation was adopted on 27 April 2016; It enters into application 25 May
2018 after a two-year transition period.
20
21. General Data Protection Regulation: Regulation (EU) 2016/679
• The regulation applies if the data controller or processor (organization) or the data
subject (person) is based in the EU therefore, regulation also applies to
organizations based outside the European Union if they process personal data of
EU residents.
• Valid consent must be explicit for data collected and purposes data used. Consent
for children must be given by child’s parent or custodian, and verifiable. Data
controllers must be able to prove "consent" (opt-in) and consent may be
withdrawn.
• Data Protection Officers are to ensure compliance within organizations.
• Any incident related to data breach, is mandatory to notify the Supervisory
Authority within 72 hours from the data breach.
21
22. Safe Harbor Principles
• Notice: Subjects must be informed of how their data will be collected and used.
• Choice: Subjects must be able to opt out of collection of their data and its transfer to
third parties.
• Data transfers: Any transfers of data to third parties must only be to other
organizations that have rigorous data-protection policies.
• Security: All reasonable efforts must be made to prevent the loss of any data
collected.
• Data integrity: Data must be reliable and relevant to the purpose for which it was
collected.
• Access: Subjects must be able to access information about them that is collected, and
have an opportunity to have this data corrected or deleted if necessary.
• Enforcement: A mechanism must be in place to effectively and consistently enforce
these rules.
22
23. Clinical data managers should ensure that access to data is restricted to
qualified and approved personnel
Important Considerations
23
24. Central Committees
• Reports to and meetings with various committees may necessitate presentation of
some study data in the form of reports from database, original or copies of source
data.
• In any cases, personal subject identifiers should be removed prior to presentation
of data to the committee, and in some cases, study identifiers may need to be
added.
• Independent committee should be present to ensure data anonymity.
Important Considerations
24
25. Data Collection
• Data collection instruments should be designed with subject identifiers which can be
anticipated while designing CRF, Clinical database, laboratory database and data
transfer specifications etc.
• Subject genomic data should be handled with utmost care, which includes,
Storage of this data into completely independent data servers and physical locations
Independent qualified resources
Detailed and Specific SOPs dedicated to the processing and use of this data
• Different data collection methodologies may required for different considerations:
e.g. for Paper Based Studies: SOPs for redaction of personal identifier, handling,
transfer and storage of documents required.
Important Considerations
25
26. Data Transfers
• Data transfer specification document should be produced prior to data transfer.
• Data transfer process should be exhaustively tested to ensure transferred
information could not jeopardize data privacy.
• The planned data transfer should be reviewed to ensure all transferred data matches
the database.
Computer and Network Security
• Any lapses in computer or network security may jeopardize the integrity of the
database, and therefore, data privacy.
• Organization’s information technology personnel develops SOPs for computer and
network security
• Data managers have a responsibility to use systems appropriately and responsibly.
Important Considerations
26
27. Vendor Management & Lab Data Management
• Different standards should be present depends upon level of access
• Vendors having access to clinical database should be meet international standards.
• Vendor facility audit should be conducted to ensure facility compliance & data transfer
and reporting specifications should be compliant with respective regulatory guidelines.
• Personal identifiers should be redacted & should not contain any subject-specific
information prior to submission to data management e.g.: Mr. Mike became
unconscious due to hypoglycemia.
• If any deviation/violation in privacy policy observed by data management team, it should
be addressed to appropriate internal or external clinical site management team for
corrective and preventive actions or as per organizations SOPs/Policies.
Important Considerations
27
28. Redaction (editing before presenting) of Personal Data
• Redaction is the act of appropriately editing text from a document before releasing
the document to other personnel or departments. E.g.: Mr. Mike became
unconscious due to hypoglycemia change it to Subject felt unconscious due to
hypoglycemia.
• Organizations should have SOPs for redaction of personal data.
• Primarily responsibility of redaction of personal data lies to site or monitor,
however data managers should be mindful while performing data management
activities to identify and rectify the data privacy issues.
Important Considerations
28
29. Global studies should adhere to the most restrictive
regu lation s of th e cou n tries in volved .
29
30. References
• International Conference on Harmonisation. Harmonised Tripartite Guideline for Good Clinical Practice. 2nd ed.
London: Brookwood Medical Publications; 1996.
• European Parliament and Council of Europe. Directive 95/46/EC of the European Parliament and of the Council of
24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free
movement of such data. Strasbourg, France: European Parliament and Council of Europe; 1995. Available at:
http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm. Accessed November 10, 2008.
• European Parliament and Council of Europe. Directive 2001/20/EC of the European Parliament and of the Council of
4 April 2001 on the approximation of the laws, regulations and administrative provisions of the Member States
relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for
human use. Strasbourg, France: European Parliament and Council of Europe; 2001. Available at:
http://ec.europa.eu/enterprise/pharmaceuticals/eudralex/vol1_en.htm. Accessed November 10, 2008.
• Antokol J. Protecting Personal Data in Global Clinical Research. The Monitor.2008:22;57–60.
• Code of Federal Regulations, Title 45, Part 164.501, Uses and disclosures for which consent, an authorization, or
opportunity to agree or object is not required. Washington DC. US Government Printing Office; 2002. Available at:
http://www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html. Accessed November 10, 2008.
30