GDPR (679/2016) and Monitoring
Nadja Hopponen, Contract Lawyer, Clinical Research Institute HUCH Ltd
ext-nadja.hopponen@hus.fi
home page: www.hyksinstituutti.fi
brief CRI info on YouTube: https://youtu.be/AQBQOq_M3bo

General Data Protection Regulation: what is it, and why does it concern me, the Study Monitor?
Does this apply to us?
EU data protection rules apply to the European Economic Area (EEA), which includes all EU countries and the non-EU countries Iceland, Liechtenstein and Norway.

GDPR in general
The EU's General Data Protection Regulation (679/2016) had a transition period, which ended 25.05.2018. GDPR is now in full force, and companies have already had time to work on the new GDPR language. The Controller is the party with the most responsibility.
Difference from the previous Data Protection Directive (95/46/EC): it is not enough to handle Personal Data correctly; you must also be able to demonstrate that you comply with the GDPR.

GDPR is a Regulation
A Regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. Regulations need to be distinguished from directives, which have to be implemented into national law.

Note: small limitations to the GDPR can be made nationally. These small limitations and national modifications are made by means of a national law. In Finland, we have not been able to enact this national law, so we follow the GDPR as it is. Because of this, the Finnish authorities have given only little guidance on GDPR issues regarding Clinical Trials / Studies.
Why is this relevant to the Study Monitor?
5.18 Monitoring
5.18.1 Purpose
The purposes of trial monitoring are to verify that:
(a) The rights and well-being of human subjects are protected.
(b) The reported trial data are accurate, complete, and verifiable from source documents.
(c) The conduct of the trial is in compliance with the currently approved protocol/amendment(s), with GCP, and with the applicable regulatory requirement(s).

“The rights and well-being of human subjects are protected”
What are these rights? Wikipedia: “Human rights are moral principles or norms that describe certain standards of human behaviour and are regularly protected as natural and legal rights in municipal and international law.” GDPR gives new rights to people.

Personal Data in accordance with the GDPR
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

As a safety measure, all study data should be pseudonymous: the Study Subject’s personal data is processed so that it is not so easy to identify the individual. For example, Study Subject ”643000” instead of Study Subject ”Nadja Hopponen”. Note that pseudonymous data is still personal data according to the GDPR.
10 rights given to all Data Subjects
Picture source: www.lawinfographic.com/rights-data-subjects-gdpr/

It is not enough to give rights; we are also required to give the Study Subject the means to use these rights.

Informed Consent Form
Study Subjects should be given all of these rights in the ICF. It is also mandatory to inform the Study Subjects about the Study Monitor’s role. If this is not mentioned in the ICF, the Study Monitor cannot access the Medical Records of the Study Subject. The same goes for a possible inspection by an auditor or an applicable authority: it should be stated clearly in the ICF.

GDPR-related fines and liabilities: the Controller usually shall be the Responsible Party
There are two tiers of administrative fines that can be levied as penalties for non-compliance:
Up to €10 million, or 2% of annual global turnover, whichever is higher.
Up to €20 million, or 4% of annual global turnover, whichever is higher.
Making sure that your organization is compliant with the GDPR can reduce the chance of incurring an administrative fine. Additionally, the GDPR also gives individuals the right to compensation for any material and/or non-material damage resulting from an infringement of the GDPR.

How to anonymise the data?
Basic rule: if you can print it out, publish it, or write it on a wall without being contacted by the police, then the data might be anonymised. There needs to be a documented process by which the data is anonymised.
Who is the Controller? Which registries do we have?
At Helsinki University Hospital we have agreed that in every Study there are three registries.
Medical Records: the Controller is always the hospital, due to national legislation.
Keycode registry: the ICFs and the code list (including the names etc. of the subjects). These stay at the Hospital for as long as they are required to be archived. The Hospital is always the Controller of the Keycode registry.
Coded Study Data Registry: contains only pseudonymous Study Data. The Sponsor is the Controller of this Registry. The Study registry contains only the coded data collected during the course of the particular Study. This is the Sponsor’s responsibility. If there is no outside Sponsor, this is the responsibility of the Sponsor-Investigator’s Institution.

Coded Study Data Registry: eCRF as a standard
The Study Data is entered into an eCRF system. The party who can influence the safety measures of the eCRF system is usually the one who can be considered the Controller. At my organization we have a strict policy: the Hospital does not take on the Controller responsibilities if an eCRF system owned by an outside party is in use.
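The registry split described above, as an added Python example that is not part of the original presentation: the Keycode registry (held by the hospital) is the only place where a subject's identity is linked to a study code, and the Coded Study Data Registry (the Sponsor's, e.g. the eCRF) accepts only records with no direct identifiers. The identifier field names, subject details and study values are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed example: field names treated as direct identifiers. In a real
# study the list comes from the study's own risk assessment.
DIRECT_IDENTIFIERS = {"name", "national_id", "date_of_birth", "email", "phone"}


@dataclass
class KeycodeRegistry:
    """Stays at the hospital: the code list linking a subject's identity to a study code."""
    _code_by_name: dict = field(default_factory=dict)
    _identity_by_code: dict = field(default_factory=dict)

    def enrol(self, identity: dict) -> str:
        """Assign a random six-digit study code (like "643000" in the slides), once per subject."""
        if identity["name"] in self._code_by_name:
            return self._code_by_name[identity["name"]]
        code = f"{secrets.randbelow(1_000_000):06d}"
        while code in self._identity_by_code:  # avoid handing out the same code twice
            code = f"{secrets.randbelow(1_000_000):06d}"
        self._code_by_name[identity["name"]] = code
        self._identity_by_code[code] = identity
        return code

    def reidentify(self, code: str) -> dict:
        """Only the key holder can do this; that is why coded data is still personal data."""
        return self._identity_by_code[code]


@dataclass
class CodedStudyDataRegistry:
    """The Sponsor's registry (e.g. the eCRF): must contain only pseudonymous records."""
    records: list = field(default_factory=list)

    def add(self, code: str, study_values: dict) -> dict:
        """Store one visit's data under the study code; refuse any direct identifier field."""
        leaked = DIRECT_IDENTIFIERS & set(study_values)
        if leaked:
            raise ValueError(f"direct identifiers must not enter the coded registry: {sorted(leaked)}")
        record = {"subject_code": code, **study_values}
        self.records.append(record)
        return record

    def mentions(self, value: str) -> bool:
        """True if a free-text value (e.g. a subject's name) appears anywhere in the coded data."""
        return any(value in str(v) for r in self.records for v in r.values())
```

The `mentions` check is the kind of control a monitor can ask for when free-text fields (comments, adverse event narratives) are entered into the eCRF, since those are where names tend to slip through.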
Responsibilities of the Controller
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

Processing? Controller?
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

The Study Monitor is a processor of the Data Subject’s Personal Data
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. The processor shall not engage another processor without prior specific or general written authorisation of the controller.
Requirement for a Data Protection Agreement
Whenever a controller uses a processor, it needs to have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out what needs to be included in the contract. In the future, standard contract clauses may be provided by the European Commission and may form part of certification schemes. However, at the moment no standard clauses have been drafted. Processors must only act on the documented instructions of a controller. They will, however, have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

But why are we supposed to have a Data Protection Agreement?
Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR. The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their personal data.

What needs to be included in the contract?
Contracts must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller. Contracts must also include as a minimum the following terms, requiring the processor to:
only act on the written instructions of the controller;
ensure that people processing the data are subject to a duty of confidence;
take appropriate measures to ensure the security of processing;
only engage sub-processors with the prior consent of the controller and under a written contract;
assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
delete or return all personal data to the controller as requested at the end of the contract; and
submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

Compliance with the GDPR: the controller shall be responsible for, and be able to demonstrate, compliance with the GDPR
We at HUS/HUCH and the Clinical Research Institute have created our own GDPR clauses, but those can be used only in situations where we have an investigator-initiated Study and the Hospital is acting as the Controller of the Study registry. In Sponsor-initiated Studies the Sponsor is required to provide us with adequate GDPR clauses.

Issues which need to be in order
ICF: all ICFs need to comply with the GDPR.
Registries: a risk assessment needs to be done, and the Controller and Processor need to be named clearly.
Contracts: the Clinical Trial Agreement needs to include the Data Protection Agreement/Appendix. If there is only a Monitoring Agreement, these issues need to be included there as a DPA or Appendix.
Transferring Personal Data outside the EU area is generally forbidden.

Transferring can be done using:
1. EU Model Clauses: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
2. EU-US Privacy Shield: a company on the Privacy Shield list, https://www.privacyshield.gov/participant_search
3. If the EU has decided that the country is safe:

The Personal Data processed in a Study is the most sensitive personal data there is.
Chat with the person next to you: you’ll have 5 minutes to produce and present to us one method which can increase the Data Protection in a Study.
Thank You for your Time! Questions, thoughts?