GDPR consent in the context of clinical trials
Under the General Data Protection Regulation (“GDPR”)[i], processing personal data is only lawful if and to the extent at least one of the specified lawful… Read more
Under the General Data Protection Regulation (“GDPR”)[i], processing personal data is only lawful if and to the extent at least one of the specified lawful bases apply[ii]. These lawful bases include inter alia: (i) the data subject giving consent (“Consent”)[iii]; (ii) necessity for compliance with a controller’s legal obligation (“Compliance with a Legal Obligation”)[iv]; (iii) necessity for a task carried out in the public interest (“Public Interest”)[v]; and (iv) necessity for the purpose of legitimate interests pursued by the controller or third party, provided such interests are not overridden by the interests or fundamental rights and freedoms of the data subject (“Legitimate Interests”)[vi]. Furthermore, processing of special categories of personal data, such as data concerning health, is prohibited unless an exemption applies[vii].
Prior to the implementation of the GDPR, the Health Research Authority (“HRA”)[viii], the Medical Research Council (“MRC”)[ix] and the UK Information Commissioner’s Office (“ICO”)[x] all indicated that Consent under the GDPR is not an appropriate lawful basis for processing personal data for health and social care research and suggested that Legitimate Interests was the more appropriate lawful basis in the context of clinical trials.
However, there has been disagreement among the regulatory bodies across the European Union and accordingly, on 23 January 2019 the European Data Protection Board (“EDPB”) responded to a request by the European Commission to consider its Q&A document on the interplay between the Clinical Trials Regulation (“CTR”)[xi] and GDPR [xii].
The EDPB’s opinion distinguished between processing of clinical trial data related to a specific clinical trial protocol (i.e. from start of trial until deletion after the period of archival) (“Primary Use”) and use of clinical trial data for other scientific purposes (“Secondary Use”).
Primary Use activities can further be broken down into:
- processing relating to protection of health, while setting standards of quality and safety for medicinal products by generating reliable and robust data (“Reliability and Safety Purposes”); and
- processing related to research activities (“Research Purposes”).
In respect of Reliability and Safety Processing, the EDPB concluded that such processing is expressly provided for by the CTR and other relevant national provisions and therefore the appropriate lawful basis is Compliance with a Legal Obligation. The corresponding exemption for processing special categories of personal data (i.e. health) data in the context of clinical trials is that the “processing is necessary for reasons of public interest in the area of public health, such as…ensuring high standard of quality and safety of health care and of medical products and medical devices…”[xiii]. The EDPB’s conclusion is not surprising given that the GDPR[xiv] defines ‘public health’ broadly, including “all elements related to health”[xv].
Processing for Research Purposes cannot be justified under the Compliance with a Legal Obligation lawful basis and therefore an alternative lawful basis must be relied upon.
Various recitals to the GDPR indicate that Consent could be used for the Research Purposes[xvi], including recital 161, which explicitly refers to the CTR in relation to individuals consenting to participate in scientific research activities in clinical trials and recital 33 states that data subjects should be entitled to Consent to certain areas of scientific research in keeping with recognised ethical standards. The EDPB did explore this possibility in their opinion, but warned that informed consent of participants in clinical trials under the CTR[xvii] should not be confused with Consent as a lawful basis under the GDPR. In particular, under the GDPR, controllers must ensure that all the conditions for valid Consent are present in respect of the clinical trial (i.e. Consent must be freely given, specific, informed and unambiguous) [xviii].
The EDPB identifies complications with obtaining “freely given” Consent in the context of a clinical trial, given that data subjects must have a genuine or free choice and control in whether to give Consent[xix] and Consent cannot be regarded as a valid lawful basis where there is a clear imbalance of power between the data subject and the controller[xx]. It may be difficult for participants to have a real choice over giving Consent and there may be such imbalance of power between the sponsor/investigator and a participant in clinical trials.
Reliance on Consent is further complicated by the requirement to allow the data subject to withdraw consent at any time[xxi], which would require the sponsor/investigator to cease processing the relevant personal data including for the purposes of research activities.
The EDPB therefore suggest that in most cases Consent will not be an appropriate lawful basis for the purposes of processing under the GDPR and instead controllers should seek to rely on either Public Interest or Legitimate Interests.
Whether the Public Interest lawful basis is available will depend on the law of the member state[xxii] and will only be available for clinical trials where, “the conduct of the clinical trial directly falls within the mandate, missions and tasks vested in a public or private body by national law”[xxiii]. This is unlikely to apply to commercial companies.
Where a controller seeks to rely on Legitimate Interests it will need to undertake a balancing exercise to ensure its processing is lawful and the ICO recommends that this is documented by way of a legitimate interests assessment that is continuously updated[xxiv].
Special categories of personal data exemptions
As mentioned above, since special categories of personal data (i.e. health) data is likely to be processed in the context of a clinical trial, when relying on Public Interest or Legitimate Interests an exemption will also be required. This is in contrast to Consent, where explicit consent can be used as an exemption. The EDPB considers that controllers should, depending on the circumstances, seek to rely on either of the following exemptions:
- “reasons of public interest in the area of public health”[xxv]; or
- “necessity for achieving…scientific…research purposes…in accordance with Article 89(1) based on Union or Member State law”[xxvi].
Clinical trial operators seeking to rely on the scientific research exemption can take some comfort in the fact that recital 159 of the GDPR states that such research should be, “interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”.
In relation to Secondary Use, the European Commission in their Q&A document stated that if an investigator would like to further use the personal data gathered during a clinical trial for any other scientific purposes, other than the ones defined by the clinical trial protocol, the investigator must ensure that it has a lawful basis for such processing that is new and separate from the one relied upon for the primary purpose. The EDPB disagreed with this position, stating that this approach does not factor in Article 5(1)(b) of the GDPR, and therefore such secondary use shall be presumed compatible with the original purpose of conducting the clinical trial provided the processing is:
- “for…scientific… research… purposes”; and
- performed in accordance with the provisions of Article 89, which imposes an obligation on the controller to have appropriate safeguards in place and, in particular, calls attention to the principle of data minimisation and to the concept of pseudonymisation.
The EDPB was largely consistent with the approach previously suggested by the HRA, MRC and ICO, and controllers should consider:
- relying on Compliance with a Legal Obligation (under Art 6(1)(c) and Art 9(2)(i) of the GDPR) as a lawful basis for Reliability and Safety Purposes;
- relying on either:
- Public Interest (under Art 6(1)(e) and Art 9(2)(i) or (j) of the GDPR); or
- Legitimate Interests (under Art 6(1)(f) and Art 9(2)(j) of the GDPR),
as a lawful basis for Research Purposes; and
- only relying on Consent under specific circumstances where all conditions for explicit consent are met and withdrawal of consent will not adversely impact the proposed use of the data (under Art6(1)(a) and Art 9(2)(a) of the GDPR).
Following release of this opinion, controllers should review the position they have adopted with respect to the lawful bases on which they rely for the processing of personal data in the context of a clinical trial, in order to ensure it is consistent for both primary and secondary use.
[ii] GDPR, Art 6(1)
[iii] GDPR, Art 6(1)(a)
[iv] GDPR, Art 6(1)(c)
[v] GDPR, Art 6(1)(e)
[vi] GDPR, Art 6(1)(f)
[vii] GDPR, Art 9(1) and Art 9(2)
[xiii] GDPR, Art 9(2)(i)
[xiv] GDPR, Recital 54
[xv] “public health” should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32008R1338&rid=2
[xvi] GDPR, Arts 6(1)(a) & 9(2)(a)
[xvii] “A subject’s free and voluntary expression of his or her willingness to participate in a particular clinical trial, after having been informed of all aspects of the clinical trial that are relevant to the subject’s decision to participate or, in case of minors and of incapacitated subjects, an authorisation or agreement from their legally designated representative to include them in the clinical trial.” CTR, Art 2(21)
[xviii] “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” GDPR, Art 4(11)
[xix] GDPR, Recital 42, and the Article 29 Working Party Guidelines on consent https://ec.europa.eu/newsroo m/article29/item-detail.cfm?item_id=623051
[xx] GDPR, Recital 43
[xxi] GDPR, Art 7(3)
[xxii] GDPR, Art 45
[xxv] GDPR, Art 9(2)(i)
[xxvi] GDPR Art 9(2)(j)