On 19 December 2012, the European Data Protection Supervisor (EDPS) and the Assistant Supervisor, M. Giovanni Buttarelli, published a new Opinion that sets out their views on the Commission proposal for a new Regulation on Clinical Trials on Medicinal Products for Human Use (the Regulation). The Commission proposal, released in July 2012, touches on a variety of data protection issues, ranging from the legal basis that clinical research organisations (CROs) must rely on when processing sensitive health data gathered in clinical trials to the establishment of a centralized database at the European Medicines Agency (EMA) that is intended to store records of clinical investigators and adverse event reports from across Europe.
In general, the EDPS appears to have welcomed the Commission’s approach; apparently, the Commission draft was altered to adapt to early informal EDPS criticisms, and so already contains provisions that are relatively sensitive to data privacy concerns. Perhaps surprisingly, the EDPS also refrains from commenting extensively on the Regulation’s approach to the issue of how clinical trial participants may provide informed consent to their participation in the trial. However, the EDPS nevertheless does make a number of suggestions about how the draft Regulation should be further modified. We discuss the particular suggestions after the jump.
In particular, the EDPS recommends that:
- The draft Regulation be amended to specifically reference relevant national and EU-level data protection laws, to ensure that there is no ambiguity as to whether such laws continue to apply to activities that will be regulated by the new draft law. (In addition to more general data protection laws, the EDPS also recommends that a specific EU regulation (Regulation EC 45/2001), that governs how Community institutions may process data, also be referenced.)
- A maximum data retention limit be imposed on any processing of data required to be processed under the draft Regulation. The draft Regulation sets up databases that will contain clinical investigator details; the Commission has suggested the correct period of retention of such data would be for at least a period of “several years” after the end of a clinical trial, to enable regulators to investigate alleged investigator misconduct. The EDPS has asked that the draft Regulation be amended to also include a maximum data retention period for such types of data.
- Case safety reports be required to anonymise information before being assimilated into the central databases. The EDPS questions the “necessity” of using directly identifiable health personal data when reporting safety issues in case reports (as currently happens in the course of standard pharmacovigilance procedures). To reduce the impact of this practice on individual privacy, the EDPS recommends that such reports be anonymised or pseudo-anonymised as much as possible, prior to entry into centralized databases. To counterbalance this recommendation, the EDPS also suggests that tracing numbers and other such mechanisms also be used, to prevent anonymisation techniques from limiting the utility and ultimate traceability of the reports, and to prevent duplicate submissions of incident reports.
- Certain databases run by Community institutions (e.g., to hold clinical investigator data or to record adverse event reporting information) be operated in full compliance with data protection laws. In particular, the EDPS asks for the legislation to make explicit (i) whether personal health data will be processed in a particular database, and (ii) that data subjects continue to have a right to block processing of their data in such a database. For a separate database, to be operated by the EMA, the EDPS advocates for a new provision that would define more clearly the situations in which patient data will be processed, and that would require specific safeguards for the processing of such data. In another separate suggestion, the EDPS also advocates for implementing measures (to be adopted after the initial Regulation is enacted) to set out detailed data protection implications for the technical and functional requirements of the envisaged databases.