France has specific local guidances which, in some situations, make it very difficult for Home Trials (also called Decentralised Clinical Trials) to be performed in a compliant manner. These French guidances, MR-01 and MR-03, state that only healthcare professionals working on behalf of the site team can have at the same time the direct identifier of a patient and healthcare data from such patient. 

In other words, in France when the Home Nursing agency has the zip code and the pathology of a patient to find the appropriate nurse, it is NOT compliant.

MR-01 is the guidance for interventional clinical trials.

MR-03 is the guidance for observational studies or interventional studies with a limited impacts on the patient.

MR-01 and MR-03 say the following:

1. Healthcare professionals acting on behalf of sites can have at the same time the PHI and the PII of a patient.
2. Other people (the sponsor, the CRO, the local nursing agency) can have either the PHI or the PII, but not both at the same time.

Typically for a Home Trial, the nursing agency needs to have at least the zip code, and the pathology to book a nurse in the vicinity of the patient, and with the appropriate expertise to do the procedures for such pathology. 

In all cases, the nursing agency needs to have at the same time PHI and PII, as the zip code is a PII, which is non-compliant with MR-01 and MR-03.

So, in theory, the nursing company cannot do their job.

How to be compliant?

• Scenario 1: ask the site to book the nurse.
• Scenario 2: send a special request for a waiver to the CNIL; this process is long and cumbersome, as you will have all stakeholders in the value chain to populate the request template, including the lead investigator in France.

Looking on the horizon:
The French DPA, the CNIL is in discussions with key trade bodies representing pharma, CRO and biotech/medtech companies in France, and PharMarketing is part of these discussions, so hopefully we will get new guidance with more flexibility.

Next month in the June Newsletter, we will talk of another situation in clinical studies which is not compliant in France: Sending Access Codes to Patients: How to comply with GCP and GDPR?

For any question on compliance with French Guidelines, please contact our French team:

• Julia Croizier: j.a.croizier (at) pharmarketing.net
• Karine Renault: k.i.renault (at) pharmarketing.net
• Sandrine Rosso: s.e.rosso (at) pharmarketing.net

On 3 May 2022, the European Commission launched the European Health Data Space (EHDS) and issued legislative proposals for a Regulation.

The EHDS will help the EU to achieve a quantum leap forward in the way healthcare is provided to people across Europe. It will empower people to control and utilise their health data in their home country or in other Member States. It fosters a genuine single market for digital health services and products. And it offers a consistent, trustworthy and efficient framework to use health data for research, innovation, policy-making and regulatory activities, while ensuring full compliance with the EU's high data protection standards.

The EU Commission issued a recommendation for a specific regulation, see here and its annexes here.

See all the contents related to the EHDS here.

The EFPIA, the European Federation of Pharmaceutical Industries and Associations said that "...Removing the barriers to health data for scientific research will mean patients can benefit from the discovery of innovative treatments, medical devices and diagnostics enabled by access to health data.” read opinion of the EFPIA here.

Last month (newsletter #41), we looked at the Irish guidance on Deferred Consent. Now let's look at the Guidance on Pre-Screening.

The Guidance on Pre-Screening is part of 5 amendments that the Minister for Health of Ireland has made (in January 2021) to the
Health Research Regulations 2018.

The amendment sets out identified persons who can carry out pre-screening actions without explicit consent of the data subject or REC approval subject to specified safeguards.

Download amendment here: https://hrcdc.ie/wp-content/up...

The following actions are envisaged as pre-screening actions for the purposes of the amendment:
(a) reviewing the personal data of a data subject in order to assess whether he or she might be suitable or eligible for inclusion in a
health research study.
(b) analysing the pre-screening data and documenting the findings,
(c) sharing the findings (in a non-identifiable way) with others involved in the research team.
(d) approaching an individual found to be eligible or suitable to determine their interest in participation in the study see next
slide.
(e) sharing the identity of the individual with the research team on a confidential basis where the individual has consented to be contacted by the research team.

It is considered best practice that the approach to the prospective research participant to establish their interest - should always be
done only by a health practitioner of the controller or an authorised person who is a health practitioner (e.g a research nurse employed by a University collaborating on the research study).

Persons specified in the Amendment who can carry out pre-screening - without consent
▪ A healthcare practitioner employed by the controller (hospital, primary care centre, GP practice etc) or a person studying to be a health practitioner who is under the direction and control of the controller. That means that there are formal governance arrangements in place that include specifying that the controller rather than the supervising health practitioner is responsible for all data protection matters relevant to the student;
▪ An employee of the controller (for example, a medical records clerk) who in the course of his or her duties for the controller, would ordinarily have access to the personal data of individuals held by the controller (that were obtained for the provision of health care to those individuals);

or
▪ A person referred to an “authorised person” 

Who can be an authorised person?
The amendment specifies certain persons who can be authorised by the controller holding the personal data to carry out the prescreening element of health research without explicit consent.

Those persons can be employees of the following organisations:
(a) an institution of higher education within the meaning of section 1(1) of the Higher Education Authority Act 1971 (No. 22 of 1971),
(b) a body or person that has as its principal activity the provision, management or development of a health practitioner, or
(c) a registered charitable organisation within the meaning of the Charities Act 2009 (No. 6 of 2009), one of whose objects is to support research and education in the health services.

The authorisation process
▪ For a person to become an authorised person, the controller holding the personal data must put in place a formal process for authorising a person as an authorised person for the purposes of undertaking pre-screening action.
▪ That process (rather than individual agreements entered into in accordance with the process) must be publicly available, including on the controller’s website.
▪ Controllers may decide to make individual agreements available too in the interests of transparency.

The authorisation process
The controller can only appoint a named individual as an authorised person when:
(a) an agreement (called an “authorisation agreement” in this presentation) between the controller and the individual’s employer has been entered into (which should include sanctions for breaches of its terms); and
(b) the individual concerned agrees (in writing) to be bound by the conditions in the above agreement and whatever other policies and terms are applied by the controller in relation to the processing as long as those terms are in accordance with data protection law.

Controlled access to personal data
▪ An authorised person must not access or use the personal data held by the controller for any purpose other than pre-screening and cannot disclose that personal data to anyone outside of the controller organisation (including his or her employer organisation) without the explicit consent of the data subject or otherwise as required by law to so do.
▪ That point must be expressly referenced in the authorisation agreement and formally brought to the attention of the authorised
person before he or she signs up to be an authorised person.
▪ The controller should have data security arrangements in place that log physical or electronic access to healthcare records.

Pre-screening outside of the amendment For those who wish to carry out pre-screening outside of the amendment it may be done on the basis of:
(a) explicit consent of the data subject and approval of a research ethics committee,
(b) a successful application to the Health Research Consent Declaration Committee for a declaration in relation to the pre-screening stage and approval of a research ethics committee.

Przemyslaw Chudy, MPharm, MBA has 19 years' experience in Regulatory Affairs and Pharmacovigilance for drugs and medical devices. He is an  ISO 9001 auditor and knows GxP, GDPR, GMP, Data Management, Manufacturing and IT systems.

Przemyslaw has been working for the Poland Office for registration of Medicinal products, medical Devices and Biocides (URPL), for Polfa S.A., for the European Medicines Agency (EMA) and for Alvogen, UCB, Eli Lilly, Ipsen, Pfizer and Science Pharma.

Since 2007 Przemyslaw is the founder and CEO of MediReg Pharmaceutical Consulting, providing advice in regulatory affairs and pharmacovigilance to clients. He is working part-time as a DPO for PharMarketing.

Przemyslaw speaks Polish, English and German and loves to spent time with his family and read criminals.

Feel free to contact Przemyslaw at p.x.chudy ( at ) pharmarketing.net

In the Queen’s Speech on 10 May 2022, a Data Reform Bill was mentioned. The announcement said to “take advantage of the benefits of Brexit to create a world class data rights regime”. But no text is available so far.

On 6 May 2022 Sky News wrote that "There are concerns the move would actually cost the economy more than it brings in by making it more expensive for the UK to exchange data with the EU". Losing adequacy could cost UK business £1.6bn over 10 years according to a report by the a report by the New Economics Foundation.

Industry representatives believe the reforms will benefit the U.K. economy, but should the reforms go too far, they could risk the U.K.'s adequacy status with the EU. 

Shortly after the speech, within weeks Sky News understands, the government will publish its response to a consultation with businesses and civil society on the data protection reforms.

Westminster sources have told Sky News that the draft bill, which is one part of this wider package of data protection reforms, will be published in the summer.

At the same time, the Commissioner John Edwards said in an interview to Civil Service World: "I don’t believe the proposed reform should be seen as radical. The UK has a deep legal and cultural commitment to privacy, which traces its roots not to the GDPR or a European Directive but to common law formulations of fundamental rights that are centuries old."

For any question on the UK and the GDPR, please contact our UK team:

• Dave Edwards: d.p.edwards (at) pharmarketing.net
• Julianne Hull: j.m.hull (at) pharmarketing.net
• Maria Veleva: m.i.veleva (at) pharmarketing.net