Clinical Trials – selecting a lawful basis under the GDPR

Clinical trials, by their very nature, usually involve a large amount of sensitive personal data. This processing of personal and sensitive data means that the data protection laws apply; in the UK this is the General Data Protection Regulation 2016 (GDPR) and the UK Data Protection Act 2018 (DPA18). Data protection law is not the only relevant factor though. Clinical trials are also subject to the Clinical Trials Directive (CTD), soon to be replaced by the Clinical Trial Regulation (CTR), which will apply from mid-2020.

It is clear from the respective legislation that neither is designed to take precedence over the other – the CTR makes explicit reference to the Data Protection Directive (now replaced by the GDPR) and that the processing of personal data in clinical trials – both pieces of legislation apply at the same time. This can cause confusion, particularly around overlapping areas like consent as we look at in more detail below.

Controller or processor?

At the outset of a clinical trial, it is vital to understand who is doing what with personal data involved. We find that there is often confusion in clinical trials around the roles and responsibilities of each party but it is important to assess respective roles because, from a GDPR perspective, that will determine the responsibilities of the parties with regard to the personal data they process.

One of the primary responsibilities of the data controller is to ensure personal data is processed fairly and lawfully which includes a requirement that it be processed in accordance with one of the Article 6 lawful bases, and, where sensitive personal data is involved, on the basis of an Article 9 exemption.

The sponsor of a clinical trial will usually be a data controller, as it is responsible for determining the personal data to be collected for the study, as set out in the protocol, case report form and/or structured data fields in a database. This often leads to the question of whether the other parties in the clinical trial are data processors (eg the Clinical Research Organisation).

This will very much depend on the trial and the extent to which the other parties are making decisions about the personal data involved in the trial. It is essential to understand the other parties' roles in the decision-making process with regard to the personal data. Are they simply following the instructions of the sponsor? If yes, then they are likely to be processors. But if those other parties are making their own decisions in relation to the processing of the personal data, such as choosing participants or the type of data to be collected in the trial, they may also be controllers, and potentially joint or co-controllers with the sponsor.

Additionally, a party may be both controller and a processor for different purposes. This is a complex issue which calls for granularity of approach and being prepared to accept that there may not be a simple or clean answer.

Do you have to get consent to process personal data in clinical trials?

If you are a data controller in relation to personal data being used or generated during a clinical trial, under the GDPR, you need to process personal data under one of the lawful bases set out in Article 6. Each processing operation in a clinical trial must be carried out under its own lawful basis – you cannot select a single lawful basis to cover all the data processing during the trial.

Consent is one possible lawful basis and there has traditionally been a focus on patient consent in the world of clinical trials. This is because "informed consent" must be obtained before a patient can participate in a clinical trial under the Clinical Trials Directive (and the CTR when it comes into force). Confusion often arises because some think this means that consent will automatically be the lawful basis for processing any personal data under the trial but CTD (or CTR) consent is different to GDPR consent and even where consent is selected as the lawful basis for processing clinical trials data, the GDPR and CTD requirements must be met separately.

The GDPR sets a high standard for achieving valid consent, requiring that it is informed, specific, freely given and an unambiguous indication of the data subject's wishes. If you are also relying on consent as an exception to the general prohibition on processing special category (or sensitive) personal data which includes health data, consent also needs to be explicit.

If there is any sort of power imbalance between the person giving the consent and the recipient, consent will not be freely given. This is where clinical trials run into an issue – it is likely a trial participant will be motivated to enter the trial because they need access to a medicine or because there is a financial incentive, meaning that there is an imbalance of power and their consent cannot be freely given. Another issue is that consent must be capable of being withdrawn without detriment to the data subject. It will clearly be problematic if a data subject withdraws their consent during a trial.

Given the complexities of obtaining valid GDPR consent in a clinical trials context, it may not be the most appropriate lawful basis on which to rely so what is the best alternative approach?

Primary and secondary purposes

To help decide which lawful basis should be used for which process, the processing purposes must be separated out in a granular manner. Clarification in relation to the data protection elements in the clinical trial landscape was offered by the European Data Protection Board (EDPB) in its Opinion, published in January 2019, covering the interplay between the new CTR and the GDPR.

The EDPB Opinion offers some guidance on selecting lawful bases for processing personal data in clinical trials. It suggests that the processing purposes of a clinical trial can be clearly set out into two types – the first being the primary purpose of the protection of health, and the secondary purpose being research activities. The Opinion also states that these two distinct purposes will have different lawful bases.

According to the Opinion, the most suitable lawful basis on which to rely with regard to the primary purpose of processing (the protection of health) in clinical trials will be that the processing is necessary for compliance with a legal obligation (Article 6(1)(c) GDPR), for example, the legal obligations around safety reporting. The relevant Article 9 exemption to the prohibition on processing special category personal data will be that the processing is necessary for reasons of public interest in the area of public health (Article 9(2)(i) GDPR).

The secondary purpose (research activities), requires a slightly more complex analysis to decide the appropriate lawful basis. The Opinion clearly states that this processing cannot be based on compliance with a legal obligation, considers three other options (public interest, legitimate interest and consent) and states that consent will not be the appropriate legal basis in most cases.

The UK's Health Research Authority guidance goes further and explicitly states that consent is not an appropriate basis for the processing of personal data for research purposes. This means that the lawful basis will usually be for the performance of a task carried out in the public interest (if the controller is a public authority) or because it is necessary for pursuit of the legitimate interests of the controller (where it is a private body), as long as these interests prevail when balanced against the privacy rights of the data subject (in this case, the clinical trial participant). The most relevant Article 9 exception is likely to be that processing is necessary for archiving purposes in the public interest, scientific or historical research purposes (Article 9(j) GDPR).

If you are relying on the exception set out at Article 9(j) GDPR, remember that under Article 89 GDPR, personal data used for research purposes must be subject to appropriate safeguards that respect the principle of data minimisation (such as pseudonymisation).

Article 89 also allows for Member State derogations. The DPA18 states that such processing of personal data for research purposes must be in the public interest. We await guidance on what this means in practice, but in the meantime, our interpretation is that it does not necessarily exclude clinical trials that have commercial elements, as long as there is also a public interest.

Next steps

The biggest takeaway is exercise extreme caution if you seek to rely on consent as an appropriate lawful basis to process personal data for clinical trials under the GDPR, or as an exception to the ban on processing sensitive data. If you do decide to rely on it, don't confuse informed consent under the CTD/CTR with consent under the GDPR. You should also ensure that you are clear and can demonstrate that clarity at a granular level about the data flows, purposes and the parties' roles within the clinical trial and, given the risks inherent to such a tricky area of new and overlapping laws, seek legal advice if you are unsure.

For more on the controllers and processors and on lawful basis selection for life sciences data processing, see our article.

Please contact us if you have any questions or would like more detailed advice.