The General Data Protection Regulation (GDPR) entered into force on 25 May 2018 and, in the absence of any transition period, companies are now expected to be in full compliance with the new requirements. However, with key guidance from regulators only recently released or still in progress, and national implementing legislation enacted at the eleventh hour, developing a GDPR-compliant approach to consent in the context of clinical trials remains an ongoing project. This post reviews the guidance available to date.
Before processing personal data, a lawful basis for processing (Article 6) must be established. In addition, “special categories of data”, such as health data, may only be processed if one of certain conditions is applicable (Article 9). While patient consent provides both a lawful basis and a permitted condition for processing personal data collected in the context of a clinical trial, it is only one of the available options, and others may be more appropriate.
The EU’s data protection advisory body, the Article 29 Working Party (WP29, now the European Data Protection Board), issued its finalised guidelines on the concept of consent under the GDPR in mid-April 2018 (the EU Guidelines). The EU Guidelines explain that:
- under the GDPR, consent is not always required to process data for the purpose of scientific research—for example, processing may be lawful on the basis that it is necessary for the performance of a task carried out in the public interest, for compliance with a legal obligation, or for the legitimate interests of the data controller or a third party, as long as appropriate safeguards are in place and the processing is fair, lawful, transparent and accords with data minimisation standards and individual rights. Similar considerations also apply to the processing of special category data under the scientific research condition; and
- consent as a legal basis for processing under the GDPR is distinct from any other consent requirements under ethical standards or procedural obligations, such as those created by the Clinical Trials Directive (CTD) or Regulation (CTR).
The EU Guidelines state that data processing carried out for the purpose of gathering reliable and robust data in line with a clinical trial protocol as approved by the competent regulatory authorities under the CTD or CTR may be considered “necessary for compliance with a legal obligation”, and so lawful under the GDPR without the need to obtain consent from patients.
While the clarification that consent is not always required to process data in the context of clinical trials is welcome, the WP29 guidance leaves it to individual companies to determine whether an alternative lawful basis (e.g., legal obligation, public task or legitimate interest) is available in a particular case, and also leaves room for differences of approach between national regulators.
National implementing legislation
Although the GDPR is intended to reduce inconsistencies in the implementation of data protection across the EU, it does allow Member States to lay down their own exemptions and derogations, including in the area of scientific research and public health.
The UK implementing legislation, the Data Protection Act 2018 (DPA 2018), was passed on 23 May 2018, just days before the GDPR entered into force. In relation to the scientific research condition, the DPA 2018 sets out an additional condition: any such research must be in the public interest. There is as yet no guidance on this additional requirement, but it seems unlikely that a duly authorised and ethically approved clinical trial would ever not be in the public interest.
UK Information Commissioner’s Office (ICO) guidance
The UK data protection authority, the ICO, released its final guidance on consent on 9 May 2018 (the UK Guidance). The UK Guidance includes a section on scientific research that largely mirrors the WP29 guidance: the requirement to have a lawful basis under the GDPR in order to process personal data is entirely separate from any other legal or ethical obligation to obtain consent and, even though individuals have consented to participate in research, a different lawful basis may be more appropriate under the GDPR.
The ICO has also published guidance on the other lawful bases for processing personal data, but these do not cover scientific research or clinical trials specifically. It is also working on more detailed guidance in relation to processing special categories of data, which include health data.
UK HRA and MRC guidance
Guidance on conducting health research in line with the GDPR has been released by two UK bodies, the NHS Health Research Authority (HRA) and the Medical Research Council (MRC), which oversee and fund, respectively, health research in England. Both state that, for the purposes of the GDPR, consent is not the appropriate legal basis for processing data for health and social care research; the appropriate legal basis for processing data will be either that it is necessary for the performance of a task carried out in the public interest (in the case of universities, NHS organisations, Research Council institutes and other public authorities) or legitimate interests (in the case of commercial companies and charitable research organisations), and the applicable condition for processing special category data will be scientific research.
The HRA and MRC’s guidance, therefore, goes further than the WP29 and ICO guidelines, which merely provide that alternative bases to consent “may” be available. Although the HRA and MRC’s guidance is not binding, it has been prepared with the involvement of the ICO, and so presumably accords with the ICO’s own view. However, the guidance does not seem to envisage that a company may wish to rely on other legal bases, for example because clinical trials are also ongoing in other countries.
So where are we?
It is clear that consent is not necessarily required under the GDPR to process data in the context of a clinical trial, and that any consent obtained under the GDPR will be independent from other legal or ethical obligations to obtain consent. The current position of the relevant UK authorities (the ICO and NHS HRA) appears to be that another lawful basis—necessity for the performance of tasks carried out in the public interest or legitimate interests—is generally more appropriate in the context of clinical trials.
However, despite the intention that the Regulation should lead to harmonisation across the EU, industry bodies and regulators in other Member States appear to be taking different views on the lawful basis of processing. The Dutch Central Committee on Research Involving Human Subjects has published guidance on the impact of the GDPR, and states that the requirement for consent under the GDPR is satisfied by the existing requirement under Dutch medical research legislation to obtain explicit consent to the processing of personal data. We also understand that in Germany, consent is considered to be the correct legal basis. While there is a mechanism in the GDPR to resolve inconsistencies between national data protection authorities as to their application of the GDPR, this has not (as yet) been triggered. In any event, in light of the possibility for national legislation to include derogations in relation to the scientific research condition for processing health and other sensitive data, designing EU-wide clinical trials will still require companies to consider the national data protection regimes in each country from which patients are recruited.