Clinical trial data-sharing is seen as an imperative for research integrity and is becoming increasingly encouraged or even required by funders, journals, and other stakeholders.
However, early experiences with data-sharing have been disappointing because they are not always conducted properly.
Health data is indeed sensitive and not always easy to share in a responsible way. The authors propose 10 rules for researchers wishing to share their data.
These rules cover the majority of elements to be considered in order to start the commendable process of clinical trial data-sharing:
• Rule 1: Abide by local legal and regulatory data protection requirements
• Rule 2: Anticipate the possibility of clinical trial data-sharing before obtaining funding
• Rule 3: Declare your intent to share data in the registration step
• Rule 4: Involve research participants
• Rule 5: Determine the method of data access
• Rule 6: Remember there are several other elements to share
• Rule 7: Do not proceed alone
• Rule 8: Deploy optimal data management to ensure that the data shared is useful
• Rule 9: Minimize risks
• Rule 10: Strive for excellence.
Download the article from Plos here.
On 13 April 2023, EU Members of Parliament rejected the proposed EU-U.S. Data Privacy Framework. MEPs said that the framework is an improvement, but not enough to justify an adequacy decision on personal data transfers.
MEPs said that:
Read the press release from the European Parliament here.
But there is also alarm over leaked EU-US plans to weaken encryption
Leaked notes from a meeting between senior EU and US officials in Stockholm in March reveal alarming plans to undermine encryption and create a de facto “access by design” for law enforcement agencies.
At the beginning of April, nine civil society organisations, including Statewatch and EDRi, wrote to the European Commission to urge caution and resist the “clear and deliberate plans to disregard international human rights standards”, in particular with regard to end-to-end encryption.
The leak, published by Statewatch, reveals that authorities want to influence public opinion around “law enforcement’s legitimacy to investigate” encrypted communications.
“The leak confirms our fears: the attack on encryption and privacy are also a clear goal of the European Commission’s proposal on Child Sexual Abuse (CSAR). This is extremely worrying and will impact the life and activity of everyone relying on encryption: human rights activists, journalists, young people, marginalised communities and pretty much everyone using WhatsApp or Signal,” said Diego Naranjo, EDRi Head of Policy.
“The leaked conversations between EU and US also show that Europol could become a data-laundering service for sensitive biometric data which could not be lawfully collected under EU law,” he continued.
International transfers of personal data are probably the most complex topic for data privacy at this time: if you have questions on this topic, contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net
In the UK the so-called Data Protection and Digital Information Bill had its second reading on 17 April.
Digital rights group ORG has been campaigning against what it calls “the Data Discrimination Bill.”
ORG says that the bill will weaken regulations and protections for data that were gained under GDPR, in particular restricting the ways businesses can be held to account as well as expanding government powers.
“The reforms are being done in the name of helping British business, with our personal data being worryingly referred to as “the new oil”.
However, many businesses are stating that diverging from EU standards of data protection, and having another costly change in regulations (after people have just learnt GDPR) will be bad for business.
To learn more on UK Data Privacy and how you can prepare, contact our UK consultant Dave Edwards at d.pedwards ( at ) pharmarketing.net
On April 2nd, 2023, the Italian DPA, the Garante, held that, under national law implementing Article 9 GDPR, the processing of health data for scientific purposes can be carried out without explicit consent when its collection entails a disproportionate effort or impairs the research purposes. In such cases, suitable safeguards to protect privacy and security of the data must be provided.
The controller, an Italian hospital, opened a prior consultation procedure under Article 36 GDPR.
The controller aimed at studying the correlation between COVID-19 restrictions and the increase in mental diseases in children. For this purpose, it needed to collect health data of several thousand patients. Before starting the processing, the hospital performed a Data Protection Impact Assessment (DPIA) pursuant to Article 35 GDPR and reported to the DPA that it was not possible to collect consent of the people involved in the study.
The controller claimed that the collection of consent by the children and their family would entail a disproportionate effort by the hospital. Even more importantly, this operation would compromise the validity of the scientific research. According to the hospital, collection of consent would inevitably introduce a selection bias in the study. As a matter of fact, only families with a higher socio-economic background would give consent, as they can dedicate some hours to go to the hospital and sign documents. The study aimed instead to analyse the impact of the restrictions on mental health of all children.
The DPA pointed out that special categories of data, including health data, can be processed without consent for scientific research purposes pursuant to Article 9(2)(j) GDPR, provided that appropriate safeguards under Article 89(1) GDPR are in place. These safeguards (e.g. pseudonymisation) shall guarantee the principle of data minimisation. Article 9(4) GDPR also enables Member States to adopt or maintain more restrictive rules for the processing of health data.
The Italian Law (Art. 110 of the Privacy Code) implements Article 9(4) GDPR to the extent that consent in the processing of health data for scientific purposes can be derogated only insofar as collection of consent entails a disproportionate effort for the controller or would impair scientific quality of the research. Moreover, such processing shall obtain prior approval from an ethical committee and from the DPA itself in the context of Article 36 GDPR.
In the present case, the DPA upheld the argument based on the existence of a disproportionate effort for the hospital. On the other hand, the fact that the collection of consent could alter the results of the study was considered irrelevant. According to the DPA, consent always introduces a selection bias in scientific research. The existence of such a selection bias is not mentioned by the Italian law as a valid exception to the general rule of consent.
The DPA also found that the hospital implemented suitable safeguards to protect privacy and security of data collected during the study. Therefore, it gave a positive answer to the prior consultation procedure and authorised the processing.
Read more on GDPRhub here.
Read the Press release from the Italian Garante here.
If you have any questions on this article, contact our Italian consultant Mary Wieder at m.e.wieder ( at ) pharmarketing.net
No: it is a minor personal data breach, and there will be no impact on the private life of the people in my team, because I just need to contact the wrong recipient and ask him/her to delete the email and confirm deletion in writing; because there is no impact for the people, there is no need to notify them or the local Data Protection Authority. That said, we must record this data breach in our data breach log.
No: the EU GDPR doesn't prevent you from doing business, as long as 1) you inform people before collecting or processing their personal data, 2) you protect such personal data with appropriate security measures, and 3) you comply with local laws and guidelines.