Clinical research and pharmacovigilance: Farmaindustria and AEPD's interpretation of data protection regulation
Published on 24th Mar 2022
The novelties introduced in the Code of Conduct Regulating the Processing of Personal Data in the Field of Clinical Trials and other Clinical Research and Pharmacovigilance promoted by Farmaindustria mark the beginning of the journey to provide legal certainty to a sector of activity with divergent legal opinions in the European Union in the field of data protection.
On February 10, 2022, the Spanish Data Protection Agency ("AEPD", for its acronym in Spanish), exercising the functions assigned by law, approved the Code of Conduct for Regulating the Processing of Personal Data in the Field of Clinical Trials and other Clinical Research and Pharmacovigilance (the "Code") promoted by the National Business Association of the Pharmaceutical Industry ("Farmaindustria"), which groups most of the innovative pharmaceutical laboratories established in Spain.
The Code, as the main instrument to comply with the principle of accountability regulated in the General Data Protection Regulation (the "GDPR"), is binding for (a) pharmaceutical companies (marketing authorization holders or their representatives in Spain) or research companies that voluntarily adhere to the Code in their capacity as data controllers, and (b) contract research organizations ("CRO") acting as data processors for the companies identified in letter (a) above. Adherence is voluntary for the entities listed above, which need not be associated with Farmaindustria, and they are required to demonstrate compliance with the obligations imposed by the GDPR and the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (the "LOPDGDD", for its acronym in Spanish).
Regarding the material and territorial scope of application, the Code applies to the processing of personal data carried out in Spain by adhered companies in the field of clinical research (in particular, clinical trials) and in compliance with pharmacovigilance obligations.
The following aspects of the Code are worth highlighting in relation to data processing within the framework of clinical research:
- the establishment of the legal position of the different parties involved in the processing of personal data, providing to the sponsor and the institution or principal investigator the status of independent data controllers of their respective data processing;
- the fulfilment of legal obligations (in particular, those derived from the legislation regulating the guarantees and rational use of medicines and medical devices) as a legal basis to justify the processing of personal data, as well as reasons of public interest in the field of public health and the guarantee of high quality standards and safety of medicines and medical devices and the performance of scientific research for the processing of health data;
- the indication not to provide data protection information following the layered information system, taking into account the special characteristics of the processing and the need for participants to receive clear and detailed information in order to give their informed consent for participation in clinical research;
- the use of personal data obtained from research for secondary use in future investigations without the need, as a general rule, to obtain the consent of the data subjects;
- the incorporation of the concept of a trusted third party, who will support the sponsor in carrying out the procedure for coding the personal data of the participants in the research. Industry practice is that the sponsor does not process personal data unless it has been coded, and the processing of coded data is itself a measure that reinforces the principle of minimization in the processing of personal data; and
- the execution of data protection impact assessments by each independent data controller (institution and sponsor), requiring the sponsor to include the analysis of the coding process and encouraging it to request the collaboration of the monitor, the CRO or the principal investigator's team, among others.
It is precisely in relation to the processing of coded data where the responsibility of the institution or principal investigator, on the one hand, and the sponsor, on the other, differs, in that the former has the possibility of directly identifying the participants in the clinical research. Therefore, the agreement executed by both parties must include technical and organizational measures to prevent access by the sponsor to the aforementioned information that allows the identification of the participants, as well as the responsibility of the institution (through the principal investigator) to comply with the duty to provide information on data protection, among other aspects.
With regard to data processing in the field of pharmacovigilance, it is worth mentioning the following aspects of the Code:
- different protocols for the processing of personal data of potential adverse events depending on whether identifying or coded data are processed, who is reporting and which reporting channel is used (including reference to social media); and
- the determination that the legal basis for the processing of personal data is the fulfilment of legal obligations linked, in the processing of health data, to the duty to ensure high quality standards and health care safety, medicines and medical devices.
The Code also provides a variety of annexes that can serve as a reference for adhered companies to provide data protection information to data subjects, to regulate the legal relationship between the parties involved or to respond to requests for the exercise of rights, among others. It should be noted, however, that some of the model pharmacovigilance information clauses do not mention the possibility of approaching the supervisory body in case of dispute (i.e. the Governing Body of the Code of Conduct), which makes the out-of-court dispute resolution procedure more difficult.
The Code also regulates a penalty system applicable to adhered companies in the event of non-compliance with the provisions of the Code, which is independent of the liabilities that may arise from their actions before the AEPD.
Ultimately, although the Code undoubtedly provides real added value and contributes to the proper application of the GDPR and the LOPDGDD in the field of health research, providing legal certainty in an area that is relevant to scientific progress and the welfare of society, such as clinical trials and pharmacovigilance, we must be particularly cautious in clinical research and pharmacovigilance activities that have an impact on other Member States of the European Union, since the interpretation of certain aspects of data protection in this field is not uniform throughout the European Union at the moment.