As the amount of data used in clinical trials increases and the security of that data comes under greater threat, it’s more important than ever for clinical research organizations (CROs) to consider employing a data protection officer (DPO) in-house or work with a third-party expert.
It’s important to understand, then, what a DPO is and why they are so important in clinical trial management.
Simply put, a DPO is the person responsible for ensuring a company complies with laws that protect an individual’s personal data. The role has become significantly more common with the passing of the General Data Protection Regulation, but it is an important one outside the EU, too.
From a GDPR perspective, the data protection officer needs to understand how the regulations apply to clinical trials, how it is implemented and any issues specific to trials that can occur, write Tamsyn Frost and Xavier Gobert at Idea Regulatory.
What this means is DPOs must stay current on data best practices. What works today likely will not work in the future, as new laws, new technologies and new ideas emerge. DPOs must stay on top of this evolving landscape so their organizations can remain compliant.
In a clinical trial situation, a data protection officer ensures:
“The best DPOs will have expertise in data protection law and a complete understanding of their company’s IT infrastructure, technology, and technical and organizational structure,” writes Nate Lord, a senior sales manager at data protection provider Digital Guardian. That doesn’t mean they have to be a current or former employee, however. Impartiality is key and the right data protection officer should remain independent enough to report non-compliance to the appropriate authorities.
Sound knowledge of HIPAA, GDPR and other data regulations are obviously essential. But data protection officers should also have broad experience in the industry they work in, writes attorney Thomas J. Shaw at IAPP.
When it comes to European-based clinical trials, complying with GDPR is the responsibility of the controller and processor organizations, write Richard Dickinson, Jackie Mulryne and Zoe Walkinshaw of the law firm Arnold & Porter Kaye Scholer. The data protection officer is responsible for informing the organization of its duties, monitoring compliance and acting as a “point of contact for the relevant regulator,” they explain. The DPO will also need to maintain documentation evidencing compliance, which is usually contained in the trial master file.
GDPR governs all clinical trial activity that takes place within EU member states and applies to both local and foreign sponsors and CROs, explains Norton Rose Fulbright’s Véronique Barry and Olga Farman. “Under the GDPR, processing personal data is lawful only if made for one of the limitative purposes set forth in that regulation,” they write. “On that note, the GDPR expressly provides that processing specific categories of information – such as genetic data and health data – is prohibited. This prohibition is not, however, ironclad; the GDPR confirms such interdiction shall not apply if such processing is, inter alia, necessary for research and complies with the rules detailed in the GDPR in this regard.”
The concept of consent when it comes to GDPR is different from the consent to participate in a study that CROs will be familiar with, notes Victoria Watts, vice president of privacy and global data protection officer at Premier Research. “The GDPR strengthens the conditions for consent, most notably by mandating that any request for consent be given in a clear, intelligible, and easily accessible form, written in plain language,” she writes. “In addition, the process of withdrawing consent must be as easy as the process of giving it.”
Nor does compliance with HIPAA automatically mean a CRO is GDPR compliant, write Esther Daemen and Tine Wouters at Trium Clinical Consulting. “In a nutshell, GDPR has a broader scope than HIPAA, and does not deal exclusively with health information.” The metrics that determine protection are also different. HIPAA only extends to demographic information, while GDPR also includes race, religious beliefs and biometric data.
Data protection officers can also act as HIPAA privacy officers and make sure CROs remain HIPAA compliant for the duration of the trial.
HIPAA guarantees the protection of patients’ sensitive and personal information, writes Steve Alder Editor-in-Chief at HIPAA Journal. “While no healthcare organization wants to expose sensitive data or have health information stolen, without HIPAA there would be no requirement for healthcare organizations to safeguard data – and no repercussions if they failed to do so.”
Perhaps most importantly, a data protection officer can get the HIPAA authorization required to publish findings compliantly. “Physicians whose publications or presentations will contain patient-level data should determine whether the eighteen HIPAA identifiers have been removed, and also whether the remaining information could be combined with other publicly-available information to reveal the identity of a participant,” writes Jennifer Kulynych, J.D., Ph.D. in the Journal of Oncology Practice.
With so many identifiers to remove, it’s easy to get it wrong. Therefore, the most optimal solution is to have someone already familiar with data privacy handle the matter.
Finally, data protection officers play a vital role in safeguarding patient and trial data from malicious actors.
There is a lot of work for the data protection officer to do in this regard. The technologically advanced nature of most trials make for multiple vulnerabilities, says Peter Sullivan, principal at insurance and risk management service provider Sullivan Group. Wearables, servers and medical devices can all be used by hackers to gain the private information of trial participants and the CRO.
The CRO’s network will also need to be protected against unauthorized access, writes Juliana De Groot, senior marketing operations specialist at Digital Guardian. Instigating a disaster recovery plan and ensuring offsite backup are also essential tasks to keep data intact should an attack or a natural disaster occur.
Sequestering data and limiting access also helps. That’s what IQVIA does, as the company’s head of eCOA technologies customer experience, Michael Radford, writes. Data from each study is stored in a separate digital environment, and access to the various levels of that data is restricted according to the user’s role.
“This limits the number of people who can interact with the data, minimizing the risk of losses due to human error, such as clicking on a phishing scam or using a weak password,” he says. “And if there is an attack, losses are limited to isolated data sets.”
The costs of failing to stop such an attack can be severe. “Sponsors, investigators and CROs can … be held liable for the heavy financial and reputational damages that may result from a large-scale breach of patients’ personally identifiable information,” writes Daniel S. Brettler, managing director at insurance brokerage, employee benefits and risk management consulting firm Conner, Strong & Buckelew. Breaches can cost companies as much as $3.8 million per incident, he notes.
A data protection officer is a small price to pay for avoiding that kind of financial and reputational damage.