Confusion in personal data protection obligations in clinical trials | In Principle

Go to content
Find what you need in over 1,000 articles
Search form
Subscribe to newsletter
In principle newsletter subscription form

Confusion in personal data protection obligations in clinical trials

13.01.2011 life sciences | data protection

Even though a specific code of conduct and a structured process apply to clinical trials, there are lacking dedicated, specific regulations on protecting the personal data obtained in such trials.

As a result, the processing of patient personal data is subject to general regulation in Poland, which is the Personal Data Protection Act of 29 August 1997, “PDPA”, which Act implemented Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.
The PDPA implies that a sponsor of clinical trials be a data controller, as the sponsor decides on, cumulatively, (i) purposes of personal data processing, and (ii) techniques/mode of personal data processing. The requirement is confirmed in ongoing legislative work.
A sponsor, however, usually does not actually have the personal data of participants in trials, which is caused by how trials are in practice organized. Firstly, sponsors outsource trials to investigators who coordinate them. An investigator has the task of selecting participants for trials and collects and processes the personal data of those persons, including data on health. Sponsors usually only eventually receive reports on trials that contain statistical information, unless they request access to source documents, which does not happen often.
In consequence, a sponsor is made primarily responsible for assuring protection of the personal data that the sponsor does not in fact have. Furthermore, a sponsor has a number of obligations that are imposed by PDPA on a data controller, but it is not possible in practice to comply with the obligations for the time that the sponsor does not obtain the data from an investigator. A sponsor, however, is usually only interested in obtaining the results of the trials, not the data.
The current legislation has not resolved the problem.
Three solutions can be considered, de lege ferenda:
  • to define an investigator to be a data controller, which  would mean that the investigator would have to organize and finance structures and facilities to protect data;
  • to compel  sponsors to obtain personal data from an investigator immediately after the data is collected, so that the sponsor can perform the duties of a controller;
  • to exclude clinical trials from the PDPA completely and establish specific regulations to protect the  data obtained in clinical trials.
I am of the opinion the latter option would be the most efficient, as tailored to the trails nature and specificity.
Sylwia Paszek
The text was first published on January 14th, 2011 on datonomy, the data protection blog
Recommended articles
EU law on medical devices: New transition periods and other changes
Uncork the QR codes!
Pseudonymisation of data in clinical trials and its implications for sponsors
Administrative permits and corporate transformations: How to ensure business continuity?
The EU pharmaceutical package: Can access to drugs be reconciled with innovation?