Confusion in personal data protection obligations in clinical trials
Even though a specific code of conduct and a structured process apply to clinical trials, dedicated, specific regulations on protecting the personal data obtained in such trials are lacking.
As a result, the processing of patient personal data is subject to general regulation in Poland, namely the Personal Data Protection Act of 29 August 1997 ("PDPA"), which implemented Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.
The PDPA implies that a sponsor of clinical trials is a data controller, as the sponsor decides, cumulatively, on (i) the purposes of personal data processing, and (ii) the techniques/mode of personal data processing. The requirement is confirmed in ongoing legislative work.
A sponsor, however, usually does not actually have the personal data of participants in trials, because of how trials are organized in practice. Firstly, sponsors outsource trials to investigators who coordinate them. An investigator has the task of selecting participants for trials, and collects and processes the personal data of those persons, including data on health. Sponsors usually eventually receive only reports on trials that contain statistical information, unless they request access to source documents, which does not happen often.
In consequence, a sponsor is made primarily responsible for assuring protection of personal data that the sponsor does not in fact have. Furthermore, a sponsor has a number of obligations that the PDPA imposes on a data controller, but it is not possible in practice to comply with those obligations for as long as the sponsor has not obtained the data from an investigator. A sponsor, however, is usually only interested in obtaining the results of the trials, not the data.
The current legislation has not resolved the problem.
Three solutions can be considered, de lege ferenda:
- to define an investigator to be a data controller, which would mean that the investigator would have to organize and finance structures and facilities to protect data;
- to compel sponsors to obtain personal data from an investigator immediately after the data is collected, so that the sponsor can perform the duties of a controller;
- to exclude clinical trials from the PDPA completely and establish specific regulations to protect the data obtained in clinical trials.
I am of the opinion that the latter option would be the most efficient, as it is tailored to the nature and specificity of the trials.
The text was first published on January 14th, 2011 on datonomy, the data protection blog