Jan 2018 – ongoing
Jul 2017 – Jan 2018 • 7 months
Jan 2016 – Jun 2017 • 1 year, 6 months
Dec 2013 – Jan 2016 • 2 years, 2 months
Mar 2013 – Nov 2013 • 9 months
Sep 1999 – Nov 2011 • 12 years
French, Dutch, English
Medical devices studies
Data protection regulation in clinical trials in Belgium
The General Data Protection Regulation (“GDPR”) is applicable since 25 May 2018 throughout Europe. One of the sectors hit especially hard by the new changes to the data protection law is the drug development industry. Namely, anyone who is involved in a clinical trial, from sponsors and investigators to CROs and vendors.
Specific guidance on GDPR implementation for clinical trials was however missing until recently. On 28 March 2019, the members of the Executive Committee of the Belgian Data Protection Authority have been appointed by the Belgian Parliament in plenary meeting. As a result, the Belgian DPA can now really start its enforcement activities and impose administrative fines for violations of the GDPR. The aim of the GDPR is to standardize and strengthen the protection of personal data throughout Europe and for other country’s data being dealed with within the EU.
The increasing use of the internet, electronic records, and the advancement of clinical trial technologies enabling the collection and use of data, has no doubt played a part in the need for new regulations. Big data is becoming increasingly important in clinical research, which also poses new challenges for data security and privacy.
Applicable areas – key changes: data Subject Rights :
o Prior Consent
o Transparent plain language
o Breach Notification
o Right to Access: should be able to be exercised at any time directly with the professional involved in the trial, or through a professional designated for that purpose. Respect for the right of rectification is also essential, and the data subject that intends to oppose the processing of personal data for research purposes may, at any time and without having to justify his decision, express his opposition by any means to either the head of research, the trial site or to the professional holder of this data.
o Identification: of data subjects should only be possible through the use of a number code or alphanumeric code. Only the site staff involved in the trial can keep and store the key allowing direct identification of the participants to the trial; identification of the data subjects is only necessary/allowed in limited circumstances; access to indirectly identifying information of patients should be limited; access to directly identifying information of patients should be even more limited and sufficient guarantees should be put in place. For example, the controls conducted to ensure the quality of the trial results must be carried out under the direction and supervision of a healthcare professional, the patients must be informed beforehand and not have objected to the realization of the control.
o Right of Correction
o Right of Restriction
o Right to Object
o Right to be Forgotten, which is part of GDPR and centers on study subjects who decide they want their data removed from a study.
o Data Portability / transfer: outside of the European Union should be strictly necessary for the implementation of the trial or the exploitation of its results.
Under the GDPR individuals’ rights are expanded. Previously, the DPD included the individual rights of access, rectification, erasure, objection, and the right not to be subject to automated processing decisions. The GPDR enumerates all of these rights, expands on almost all of them, and introduces new ones.
o The personal data should only originate from the participants to the trial, the professionals working on the trial and/or from compliance and lawfully accessible databases.
o All research should respect the ‘data minimization’ principle. Only data that are adequate, relevant and limited to what is necessary for the purpose of completing the trial should be gathered.
o Publication of the results shall under no circumstances allow the identification of the participants to the trial, and access to the data by an independent expert should be strictly limited and subject to security controls.
o The ‘data processing notice’ to be provided to, and the information on the rights of the participants should be transparently mentioned on the questionnaire, the accompanying letter or the trial information note. Where personal data are collected orally, the professional involved in the trial shall deliver the required information in a written document, and express, free, informed written consent of the participants shall be obtained.
o Retention period of personal data in the information systems of the controller, in the trial center or with the professional involved in the trial until the release of the relevant product, or up to two years after the last publication of the results of the trial, or, if there is no publication, until the final report of the trial is signed off. Afterwards, paper or computer-based archiving remains possible.
o Guidelines regarding the processing of personal data of the professionals collaborating on the trial.
o Implementation of sufficient security measures, covering the risks identified in a Data Protection Impact Assessment.
o Rules concerning agreements with data processors involved (e.g. CRO).
o Designation of a a data protection officer (“DPO”) as internal compliance advisor.
No transitional period is foreseen. Sponsors and CROs should ensure that future clinical trials are compliant and avoid any requirement to make retrospective amendments to consent forms and other clinical trial documentation. Companies need to ensure that their internal policies are aligned with the regulations defined in GDPR. Data privacy and DP protection is somewhat new in certain countries, like the US, and it will go on to grow in importance, on a global scale. It’s essential to identify trusted partners to ensure clinical trials are executed to the latest regulatory standards and the highest quality.