The GDPR is often used in an inappropriate way and unfortunately in a less than pragmatic fashion. The legal system is not a binary system, it is far more complex than that.
What should be done where two legal frameworks apply to a single situation and these legal frameworks seem to contradict each other? For instance, how should we react if another legal provision conflicts with those provided for in the GDPR ?
Long before us, some wise old men reached a decision in this regard and decreed: “specialia generalibus derogant”. If two laws can apply to a certain situation, the specific law has priority over the general law.
Within the context we are referring to, the GDPR is the general legal framework as its very title testifies incontrovertibly to this : “GENERAL data protection regulation”, whereas the specific legal framework will thus be the regulations applicable to clinical trials.
According to Article 13 of the GDPR, “where personal data relating to a data subject are collected from the data subject, the controller shall […) provide the data subject with […] the contact details of the data protection officer…”. The same principle also applies according to Article 14 of the GDPR “where the personal data have not been obtained from the data subject”.
At this juncture, a subtle distinction regarding clinical trials should be noted, which does not allow the strict compliance with the provisions of the GDPR, namely the fact that this information is not provided to the data subjects directly by the data controller, “at the time the data concerned are obtained”.
It is in fact the investigator who is in direct contact with the data subject, who will inform the latter verbally and provide an information form, prepared by the sponsor often in conjunction with the coordinating investigator.
For its part, the sponsor does not have, at any time, direct contact with data subjects included in the trial, nor does he have access to their identity. The information regarding the trial and the data subjects necessarily passes through an intermediary, i.e. the investigator who is managing and overseeing the implementation of the trial.
Since 25 May 2018, we have fortunately not found any changes to information forms providing that this information must be imperatively provided by the sponsor. However, since this date, many people consider that the information forms must state the identity and contact details of the sponsor’s DPO.
Such information would therefore enable people taking part in trials, in application of item 4 of article 38 of the GDPR, to contact the sponsor’s DPO with regard to any question about the processing of their personal data and above all about the exercise of the rights they have under the GDPR.
For those who have been working in the field of clinical trials for some years, doesn’t this situation seem rather shocking?
Indeed, under these circumstances, the sponsor’s DPO could be in direct contact with volunteers and patients taking part in clinical trials, although trials are conducted by an investigator who is, as a basic principle, a doctor.
Even though the DPO is bound by professional secrecy and must perform his duties completely independently, is there any justification for a DPO to be the recipient of information relating to the health of people taking part in a clinical trial? What would the DPO do with this information? He would have no other option than to invite the data subject to contact the investigator and his team as only they have access to the volunteer’s data and in particular the raw data and observation logs. They alone are able to enforce the data subjects’ exercise their right to access, correct, oppose or even, within certain limits, restrict the use of their data.
Given these conditions, is it useful to increase the number of intermediaries and to disclose to the sponsor’s DPO, whether in-house or not, the identity of a person taking part in a clinical trial who is for example testing a new chemotherapy?
This solution eventually results in an increase in the risk of data breach and thus a reduction in the protection of data about people taking part in a clinical trial.
Furthermore, we should bear in mind that specific rules exist to limit these risks and the adverse effects of the GDPR, namely the provisions regarding the processing of data concerning health, and those regarding medical confidentiality which are fully applicable to the field of clinical trials.
An investigator in this situation remains first and foremost a doctor bound by medical confidentiality. In this respect it should be borne in mind that the provisions of the French Public Health Code, namely its article R4127-4, provide that:
“The professional confidentiality instituted in the interests of patients is incumbent on every doctor at the conditions established by law.
The confidentiality covers everything which the doctor comes to know in the exercise of his profession, i.e. not only what he is told, but also what he sees, hears and understands”.
Moreover, article L. 1110-4 of the same code provides that “Except in the event of exemptions expressly provided by law, this confidentiality covers all personal information coming to the knowledge of the professional, and any member of the personnel of these establishments, services or organisations and any other person in contact, by his activities, with these establishments or organisations. It is required of all professionals working in the healthcare system”.
However, there is no specific provision allowing this confidential information to be shared with the sponsor’s DPO. It is thus surprising that investigators agree to the contact details of the sponsor’s DPO being provided on information forms considering the risks of breach of medical confidentiality, by which they are legally bound.
National and international texts governing clinical trials and in particular the guideline for good clinical practice (GCP) are clear on this matter:
“1.16 – Confidentiality
“Prevention of disclosure, to other than authorized individuals, of a sponsor’s proprietary information or of a subject’s identity”. (GCP ICH E6)
GCP also provide that only the investigator may hold, during and at the end of the trial, a complete list of the volunteer identification codes (8.3.21, 8.3.22 and 8.4.3). This list (concordance table) allows all the subjects taking part in the trial to be identified in case a follow-up should be necessary and this list must remain confidential.
Only the supervisory authorities and Clinical Research Associates (CRA) or auditors can, subject to certain conditions, access the identity of people taking part in a clinical trial.
“5.15 – Record Access
5.15.1 The sponsor should ensure that it is specified in the protocol or other written agreement that the investigator(s)/institution(s) provide direct access to source data/documents for trial-related monitoring, audits, IRB/IEC review, and regulatory inspection.
5.15.2 The sponsor should verify that each subject has consented, in writing, to direct access to his/her original medical records for trial-related monitoring, audit, IRB/IEC review, and regulatory inspection” (GCP ICH E6)
Direct access consists of permission to examine, analyse, verify and reproduce all the files and reports needed for the assessment of a clinical trial. Anyone with direct access to these documents must take all reasonable precautions, within the limits of applicable regulatory requirements, to ensure the confidentiality of the identity of the subjects.
No national, European or international text gives the sponsor’s DPO permission to access the identity of people taking part in clinical trials.
However, by requiring the provision of the identity and the contact details of the sponsor’s DPO on the information form, the DPO is potentially given access (if contacted by a volunteer) to information which he should not know, namely the volunteer’s identity, which could be analysed as a form of incitement to breach medical confidentiality.
Furthermore, the indication of the DPO’s contact details on the information form does not appear useful as the volunteer/patient can easily contact the DPO without this information being provided on the ICF. This identification remains possible since the sponsor must, in application of item 7 of article 37 of the GDPR, publish the contact details of the DPO and notify them to the supervisory authority. Therefore, by knowing the identity of the sponsor, it is thus normally possible to identify the sponsor’s DPO, either through basic research or by contacting the sponsor directly.
Thus, if a volunteer/patient feels that he has suffered a prejudice relating to his participation in a trial or that his rights have not been respected by the investigator, he may still be able to contact the sponsor’s DPO to enforce his rights.
Finally, in conclusion and to further prove the relevance of the adage “specialia generalibus derogant”, let us just review a few facts:
- The investigator is responsible for the information about people who may be taking part in a trial and, following a cooling-off period, for obtaining their consent.
- The investigator, in his capacity as doctor or qualified person, remains at all times bound by the requirement of confidentiality regarding the state of health of the person taking part in the trial and can only agree to share this information with people who are expressly authorised by law.
- As such, the investigator is the sole and exclusive contact for people taking part in clinical trials and the volunteer can only exercise the rights granted by the GDPR through the investigator.
Therefore, to ensure the protection of data about people taking part in clinical trials and to comply with the GDPR, the contact details of the sponsor’s DPO must not be stated on the information forms!