Optimal Strategies for Compliance with EMA Policy 0070 on the External Publication of Clinical Data

When the European Medicines Agency (EMA) first introduced plans to create a public database of clinical research findings[1], it had a two-fold aim-to enable secondary analysis by other researches, and to increase public trust by allowing them unprecedented access to the clinical trial data. Policy 0070 was established to provide guidelines and processes for this, with a strong focus on how life sciences companies should protect the privacy of trial participants.

Now, with the EU’s new General Data Protection Regulation (GDPR) coming into force in May this year[2], the impetus for life sciences firms to cement their data management strategies has increased. A further driver for finding optimal approaches to publicly available information is initiatives by other regions, such as North America,[3][4] to adopt similar requirements for external publication of clinical findings.

The road to here

Early attempts by companies to fulfil EMA Policy 0070 requirements have left a lot to be desired. For perceived ease and economy, firms have commonly defaulted to redacting public-facing content so that any clues to people’s identities are simply blocked out.

Although it has served the basic purpose, this rudimentary approach to preparing anonymized clinical reports is less than ideal. For the supposed beneficiaries, the value of a heavily redacted clinical study report (CSR) is questionable. In the main, redaction is a laborious and largely manual process too.

With other anonymization methods, several priorities can be addressed simultaneously-the delivery of higher-value output with greater utility yet still with strong measures to protect patient privacy (information is simply hidden in plain sight); risk is easier to measure; and processes are potentially easier to automate.

Where we are now

It is for all of these reasons that EMA is encouraging companies to move away from document redaction towards other data anonymization approaches-those using rules-based formula that disguise detailed references sufficiently to de-identify participants’ identities, while preserving the quality of the output.

One of the keys to achieving a good balance of these two priorities is the ability to measure and manage risk-which will vary depending on the nature of the clinical study, its population and trial sites. EMA has published hard metrics to define the level of acceptable risk of patient re-identification (set at 0.09)[5]. Yet, with redaction, it is difficult to arrive at a quantitative measure of risk. With more sophisticated anonymization methods, by contrast, it is possible both to calculate risk and also to adjust the actions taken according to the scope for participant exposure.

Lessons learned

Based on its work with a broad spectrum of pharmaceutical companies in preparation of more than 20 Policy 0070-compliant submissions, Kinapse has distilled some optimal compliance strategies and practices. These are important if firms are to get the most from their investments-and set the course for where they need to be in the long term, for instance as Policy 0070 enters phase 2 where original data sets (individual patient data) will require anonymization too.

• Look and think ahead

Given that Policy 0070 is an evolving requirement, effective strategies will be those that take into account longer term requirements as well as what is being demanded of firms now.

Policy 0070 was first introduced in January 2015, with guidance on CSR anonymization published in March 2016, and the first submission made public that October. Phase 2 of Policy 0070, which will require that life sciences companies provide anonymized copies of all of their clinical trial data, is coming down the line, albeit that there isn’t currently a known timeline for this next stage. It is something companies should prepare for nonetheless, as it will require a more systematic and repeatable process than most companies have in place currently.

• Buy yourself time

Do not wait to start planning how to tackle document anonymization. Once companies submit a marketing authorization application to EMA, the guidance specifies that they should ideally take no more than 180 days to provide the equivalent anonymized content for the designated EMA portal, where anyone can look at it. Four and a half months might sound like a long time, but it isn’t really. While there are about 100 different ways we can address a company’s anonymization needs for a given submission package, those options are reduced the closer firms are to the public submission’s deadline. The tightest timeframe Kinapse has worked to so far has been two months-although we still delivered as planned, this was far from ideal.

• Be realistic about the scale of the task, and what will be required

Life sciences companies of all sizes have quickly realized that EMA Policy 0070 compliance is not something they can easily manage themselves. The requirements are still very new, so expertise and experience is hard to come by. It’s also easy to underestimate the need for communication and collaboration between different stakeholders to arrive at what’s needed.

Where firms have tried to fulfill their own requirements internally, they have generally become unstuck-forced to rely on manual redaction, without any quantitative risk assessment or way of measuring and demonstrating success. The entire process is slow and cumbersome, and for each new document they must start from scratch. Ensuring consistency is an additional challenge. And as EMA encourages more sophisticated forms of anonymization, companies could find themselves having to justify why they have defaulted to the lowest-value option in terms of preserving data utility.

We project that the vast majority of Policy 0070 compliance work will be outsourced to specialist service providers in time, because it will make no sense for companies to try to do it themselves. Using a specialist service provider offers greater efficiency and reliability, not least through the chance to centralise activities. It is probably also the best route to accessing enabling technology and tools-including smart algorithms/machine learning, which over time produce faster and more accurate results by building on each anonymization cycle.

Anonymization methods geared to de-identification generally rely on IT to maintain data integrity, measure and manage risk, and provide auditable evidence of measures that have been taken. These techniques can deliver benefits starting at 60% improvements in time and cost efficiency compared to non-technology enabled anonymization processes.

Managed service providers will also keep abreast of data security as they process documents, keeping companies compliant with GDPR and other data safeguarding measures. For clinical trial sponsors, this all adds up to the lowest-risk and most efficient option for managing compliance.

• Don’t view redaction as the definitive solution.

Other than in exceptional cases, defaulting to redaction as a strategy is a false economy. It is not in the spirit of clinical data transparency and it adds the least value for everyone concerned. As international requirements dovetail with EMA’s ambitions, and as Policy 0070 enters its next phase, redaction’s limitations will be exposed. This will mean that any money spent on redaction processes and work now will not count, and companies will have to invest afresh in alternative anonymization strategies. Keep in mind that EMA has now established a dedicated anonymization taskforce[6] to help sponsors come up with ideal methods and techniques for maintaining data utility.

• Choose your compliance partner wisely

Once companies have accepted the need for professional help, they will need to decide what kind of outsourced service is appropriate for their requirements. Some service providers offer advisory services, but not the practical operational delivery-and vice versa. Some are light on technology; others focus too much on technology, to the detriment of human quality control. So there is a balance to be struck.

The optimum combination, particularly at this early and evolving stage of the Policy 0070 compliance cycle, is probably going to be an end-to-end service that can take companies on the whole journey, and ensure nothing is left to chance. Checking out practical project delivery/real-world experience of any service partner, as well as their formal credentials and capabilities, will also be important to minimize risk.

Don’t despair

There is no doubt that the demands of EMA Policy 0070 are considerable, but real industry progress can’t happen without some degree of pain, and putting off the inevitable will simply make matters worse. Cutting corners is not recommended for the same reason-the costs and pain will merely end up being greater and more drawn out. Far better to start out as you mean to go on, and to get the right help and advice up front.

Finally, keep in mind Policy 0070’s raison d’etre: it always helps to have a purpose, so make sure the key stakeholders understand and buy into this. Again, this is something your service provider should be able to help with.

Pooja Phogat is the Head of Development Operations at Kinapse

[1] European Medicines Agency policy on publication of clinical data for medicinal products for human use, EMA, October 2014: http://www.ema.europa.eu/docs/en_GB/document_library/Other/2014/10/WC500174796.pdf

[2] How will GDPR impact Life Sciences organisations, Kinapse, February 2018: https://kinapse.com/insight/gdpr-life-sciences/

[3] Public release of clinical information, Health Canada, February 2018: https://www.canada.ca/en/health-canada/programs/consultation-public-release-clinical-information-drug-submissions-medical-device-applications.html?wbdisable=true

[4] What’s not shared-building on the FDA’s transparency momentum, BMJ blog, January 2018: https://blogs.bmj.com/bmj/2018/01/31/tianjing-li-whats-not-shared-building-on-the-transparency-momentum/

[5] Questions and Answers on the External Guidance of Policy 0070 on Clinical Data Publication, EMA, September 2017: http://www.ema.europa.eu/docs/en_GB/document_library/Regulatory_and_procedural_guideline/2017/04/WC500225881.pdf

[6] EMA Technical Anonymisation Group (TAG): Call for applications, March 2017: http://www.ema.europa.eu/docs/en_GB/document_library/Presentation/2017/03/WC500224906.pdf