Blurred line separating CTR informed and GDPR explicit consents during clinical trials.When running a clinical trial, investigators are confronted with two kinds of “consent”. First, the consent they need from the participants for the trial itself – as required by the Clinical Trials Regulation (CTR). Second, the consent they need to collect and process participants’ personal data – as required by the General Data Protection Regulation (GDPR).
But because personal data collection is an inevitable part of the clinical trial itself, CTR consent is often seen as “enough”. Yet, it is not, and it should always be a clear line separating the two.
Interplay between CTR informed consent and GDPR explicit consent.
According to CTR, a trial can only be lawfully executed following an “informed consent” from its participants. However, usually, the trial involves a lot of personal health data collection. Within the EU, these data are protected under the GDPR, which requires an “explicit consent” from the data subject before any collection or processing of the data.
A consent is informed when the participant is provided with all relevant information as regards to the trial and can therefore rightfully choose to participate or not knowing all the facts. Regarding its personal health data, a consent is explicit when the participant knows exactly which data will be collected, for whom it will be available and for what purposes.
However, some argue that, because personal data collection is inherently part of the trial, an informed consent is sufficient and doesn’t require additional explicit consent from the participant.
So which is it? In January 2019, the European Data Protection Board answered this question by adopting an Opinion that officially explains the interplay between CTR and GDPR.
According to the Board: “both legislations apply simultaneously […] the CTR constitutes a sectoral law containing specific provisions relevant from a data protection viewpoint but no derogations to the GDPR”. Thus, any consent should be informed and explicit.
Participants should always be aware of which data about them is collected, for which purposes and how long, and what are their rights as regards to this data.
This is particularly important because collecting personal health data within the context of a clinical trial poses a lot of challenges as regards to the rights of the participants.
Under GDPR, a participant could normally withdraw consent and apply its right to be forgotten if changing its mind as regards to its previously shared data. But personal data collected during a clinical trial usually needs to be kept for several years before it can be deleted.
On the other hand, it is also common that some personal data are collected during a trial but for external purposes, like some other research that has nothing to do with the current clinical trial. Which means that privacy-rights as regards to this data will not be affected by CTR obligations.
So how to manage these consents, related data accesses and retention time, and how to ensure that you comply with both CTR and GDPR consent requirements?
Solution: use Pryv.io to rightfully manage consents, data accesses and privacy rights during your clinical trial.
Pryv.io is a platform specifically engineered to empower CRO and Pharma organizations to design and run decentralized, remote and multi-centric clinical trials.
Once deployed onto your system, it will provide you with a virtual manager for consent, so you can efficiently manage access permissions of multiple accounts. For each consent that a participant gives you, you will have the related accesses stored, and be able to easily retrieve them so you have a clear picture of who can access which data.
With our embedded audit system, you will also know the exact time when a participant gave you his consent. This will allow you to calculate the right retention time for the data so you can provide your participants with the accurate information about their rights to privacy.
When the time is right, you can also use Pryv’s capability for data deletion to execute your participants rights and ensure that all no-more-necessary data has been deleted.
Stephanie @ Pryv
CTR informed consent and GDPR explicit consent during a Clinical Trial, done rightly.