In the last few years, we've heard louder rumblings over data privacy concerns worldwide (and rightly so). Today’s digital world poses a privacy threat to citizens everywhere, but in the world of clinical research, it's a threat long ago raised and mitigated by regulatory agencies.
Specifically, with respect to clinical research, the revocation of Safe Harbor by the European Court of Justice in October 2015 is spreading broad ripples throughout the research community. Well-meaning global biopharmaceutical companies have formed internal task forces to evaluate vendor compliance, often headed by legal team members or regulatory groups.
There is a rush to halt the collection and transfer of routine demographic data with particular data identifiers at clinical research organizations, core laboratories, data management groups, etc. throughout the U.S.
Understandably so, as the Article 29 Working Party (WP29) announced a deadline of January 31, 2016 for enforcement regarding the transfer of personally identifiable information from European countries to the United States, threatening legal action. Meanwhile, the EU-US Privacy Shield has just been announced by the European Commission, but doesn't yet have the approval of WP29. All the while, the panicked pace threatens the thoughtful consideration of the impact on the clinical trial experiment itself.
Unintended Effects on the Clinical Researcher
How might these legal actions limit the collection or transmission of clinically significant data, interrupting its use by those trained to interpret the data collected in light of it? This industry is already highly regulated by such laws and agencies as the Health Insurance Portability and Accountability Act (HIPAA), the Food and Drug Administration, and the European Medicines Agency, as well as by each individual European country.
On one hand, U.S.-based clinical researchers are part of a covered entity through HIPAA and are accountable for identifying any risks to subject data integrity, privacy, and information security. Simultaneously, investigators must not restrict activities necessary to assure scientific data integrity and human subject protections during clinical research per the International Conference on Harmonisation, Good Clinical Practices, and other regulations.
Given this juggling act, clinical research in the United States is inherently highly regulated and already requires the protection of subject privacy. The systems used to collect, transmit, and process international clinical data for global studies are 21 CFR Part 11-compliant, and the data is typically transmitted via encrypted pathways. Is the data of European subjects enrolled in global clinical trials less secure due to the sudden reversal of Safe Harbor? Is it more secure with the proposed Privacy Shield?
The request to collect and transmit PII data—including date of birth where needed for clinical data integrity—rightly belongs in the informed consent form template issued by the study team and approved by ethics committees. Good clinical practices require that informed consent form templates already disclose study practices regarding the collection of regulated health information (and prospectively gain patient consent for it).
Will Your Study Be Affected?
Reactive, hastily enforced regulations can easily jeopardize the sound conduct of a clinical trial and its data flow, potentially threatening both subject safety and data quality. Some PII is necessary to safely evaluate subject tests and procedures.
It’s completely within the rights of the regulatory agencies and the courts to place limits on the disclosure of medical information. But applying the Facebook decision to the clinical research industry seems to ignore the FDA’s standards that are already protecting study participants and data quality—and these are audited and enforced.
When it comes to the arena of clinical research, overstepping boundaries could be a matter of life or death — by preventing critical information from reaching the appropriate experts in the data collection, processing, and evaluation stream. Regulations aimed at ensuring that companies maintain subject privacy are completely justified. But stopping the flow of encrypted data within closed, Part 11-compliant systems to those who need to interpret a patient’s case may cross this boundary.