Ten months since sweeping data privacy laws came into force in Europe, pharma companies are wrestling with the new ‘right to be forgotten’
Data protection has been an important issue across numerous sectors this past year and perhaps none more sensitive than the healthcare industry. Patients entrust healthcare organisations with the most delicate and intimate of personal details: their health information.
So, when assessing the General Data Protection Regulation (GDPR), which came into force in May 2018 and includes the infamous ‘right to be forgotten’ provision, the management of personal data in the context of conducting clinical trials has become an even more significant issue.
GDPR introduced the right to be forgotten, giving individuals the right to request the erasure of their personal data if they withdraw consent to processing and where there are no legal grounds to keep the data. In the context of many clinical trials, the participant’s consent is the lawful ground which has been adopted for processing his or her personal data.
As the extraction of patient data from clinical trials has a considerable impact on the validity of the trial, the concept of ‘the right to be forgotten’ raises the question of how a participant’s withdrawal of consent can influence the use of information obtained from a clinical trial.
The European Data Protection Board (EDPB) recently gave its view that it is not permissible to swap from consent to another lawful basis for data processing or to attempt to retrospectively utilise the legitimate interests basis to justify processing where consent has been withdrawn. The EDPB’s position and the currently diverging views between member states as to what is the ‘proper’ legal basis for processing personal data in the context of clinical trials mean that sponsors, clinical research organisations (CRO) and study sites must closely evaluate the appropriate legal basis to choose for each individual clinical trial.
Guidance from the European Commission on the interplay between the existing Clinical Trial Regulations and GDPR is promised and is anticipated to address various complex issues, including how the stringent consent requirements under GDPR work in the context of giving consent to participate in a clinical trial, how to identify the correct lawful basis for processing sensitive personal data in the context of a clinical trial and the interplay between the right to be forgotten under GDPR and other legislation which is relevant for the conduct of a clinical trial.
In light of the discussions around the right to be forgotten (otherwise known as the right of erasure) in the context of clinical trials, some bodies take the view that consent is not the appropriate legal basis to rely upon for processing data for health research, but rather that commercial companies and research organisations should rely upon the ground that the processing is necessary for scientific research.
Adopting a different ground for processing may have benefits. Consent is difficult and prescriptive to obtain and withdrawal of consent has multiple implications, including that any personal data processed on the basis of the former consent must be deleted without undue delay and to the extent that it is no longer possible for anyone to use that data without disproportionate effort.
Furthermore, a request for data to be forgotten or erased can be triggered by an individual following his or her withdrawal of consent to processing personal data. In the context of a clinical trial, the implications can be significant. The extraction of patient data from clinical trials carries multiple risks, including reducing the impact of the data collected by the trial and potentially also the validity of the trial. The right to be forgotten is, however, not an absolute right, and there are a number of defences that can be employed to refuse to comply with a request for personal data to be erased.
A request for data to be erased can be defended in the context of a clinical trial if deleting the data would conflict with a legal obligation on the sponsor or CRO. An example would be a regulatory requirement to retain personal data about the participants in a clinical trial for a specified period after the trial ends. Where there are EU rules applicable to the sponsor and each site investigator to retain personal data gathered from the trial participants, these can be relied upon to defeat the right to be forgotten, but in doing so this will throw up another conflict between applicable law and GDPR on what is the appropriate period to retain personal data, another area in which clarification from the EDPB is eagerly awaited.
Another exemption is that personal data must not be erased (and further processing is lawful) where it is collected for scientific research purposes, if erasing the data “would render impossible or seriously impair the achievement of the objectives of the processing”. In the context of conducting a clinical trial, this ground to refuse a request for data to be erased is likely to be relied upon frequently to avoid issues of invalidity and reporting quality.
If one of the defences is adopted and a request for personal data to be erased is refused, additional GDPR obligations will apply to the data controller if the personal data is processed further. These include that the processing must be subject to appropriate safeguards for the rights and freedoms of patients, including safeguards to ensure that technical and organisational measures are in place to protect the data, and that the more general principle under GDPR of data minimisation – essentially not to collect or retain more data than is required for the purposes for which the personal data was originally collected – is observed. Measures such as pseudonymising personal data must be employed by the data controller to ensure compliance with these additional safeguards.
Evidently there are ways to manage a request for data to be erased from a recipient in a clinical trial. However, reliance on a different ground for processing personal data may also present a solution, as the individual’s right to be forgotten only applies if consent is the legal basis for processing. GDPR sets out other potential lawful processing grounds which can be adopted in the context of conducting clinical trials, including that health data can be processed because it is necessary to do so for scientific research purposes. This ground for processing is broadly interpreted and includes fundamental research, applied research and privately funded research, as well as studies conducted in the public interest in the area of public health. When relying on this processing ground, processing of health data must be proportionate to the aim pursued, respect data protection rights, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Lack of clarity
Views across the EU on the appropriate processing ground to rely upon in the context of conducting a clinical trial are divergent. For example, in the UK, the regulator’s view is that processing on scientific research grounds is the appropriate processing basis, rather than consent. In Germany, however, consent is the applicable basis for processing health data. The choice of processing ground affects the rights that individuals have in respect of their data and carefully considering the appropriate processing ground may be beneficial, especially as conflicting domestic laws and practices across the EU may also come into play. A case-by-case analysis of the territories in which participants in the trial reside to determine both the appropriate processing ground and its impact on individuals’ other rights under GDPR should be carried out.
As with many areas under GDPR, the full impact of the right to be forgotten and how it affects the conduct of clinical trials remains to be interpreted. Much hope rests on receiving clarity in new guidance, for which a publication date is eagerly awaited.
Kim Roberts is counsel and Elisabeth Kohoutek associate at law firm King & Spalding