Recent guidance from the Coordination of Ethics Committees and EMA on the handling of personal data in clinical trials and investigations

Neither Regulations 745/2017 on Medical Devices and 746/2017 on In Vitro Medical Devices nor Regulation 536/2014 on Clinical Trials of Medicinal Products for Human Use provide a framework for coordination with Regulation 679/2016 on the processing of personal data.

There are no specific regulations regarding the processing of personal data in investigations or clinical trials.

Two recent interventions by EMA and the Ethics Committees Coordination Center provide important operational guidance that complements the already well-known Opinion 3/2019 on Questions and Answers on the Interaction between the Clinical Trials Regulation and the General Data Protection Regulation (Article 70(1)(b)) adopted by EDPB on January 23, 2019 (https://edpb.europa.eu/sites/default/files/files/file1/edpb_opinionctrq_a_final_it.pdf) and the Guidelines for the Processing of Personal Data in the Context of Clinical Trials of Medicinal Products of the Garante of July 24, 2008 (https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/1533155).

Specifically, on 7/4/2022, EMA published its "Guidance document on how to approach the protection of personal data and commercially confidential information in documents uploaded and published in the Clinical Trial Information System (CTIS)," with the aim of giving operational guidance on the management of commercially confidential information (recall here our previous posts on the subject) and personal data to be published in the CTIS.

As is well known, the MDR and IVDR also provide for the inclusion of confidential information and personal data within a European information system (EUDAMED), which is currently partly still being implemented but in relation to which EMA's guidance regarding CTIS may be considered applicable by analogy.

The Ethics Committee Coordination Center published the Model Contracts for the Conduct of Clinical Trials on Medicines and Clinical Investigations on Medical Devices on 5/31/2022.

Let us briefly analyze both documents.

The EMA Guidelines

The purpose of CTIS (as well as EUDAMED) is to facilitate collaboration between the competent authorities of member states and between those same authorities and promoters as well as to allow promoters to refer to previous trials.

Therefore, only personal data necessary for the pursuit of these purposes should be included in the portals, in compliance with the principle of minimization.

Article 81 CTR, which regulates the establishment and operation of the CTIS, stipulates in Paragraph 4 that no personal data of subjects participating in the trial is accessible to the public; a similar provision is contained in Article 73 Paragraph 4 MDR.

To ensure that the data remain confidential, EMA requires that said data be anonymized in the version of publicly accessible documents uploaded to the portals.

The anonymization process must take place before the data are uploaded to the portals.

The Guidance then addresses the concept of anonymization, and anonymization techniques, largely recalling Opinion No. 5/2014 of the Article 29 Working Group (now EDPB - https://ronchilegal.eu/wp-content/uploads/2017/12/Anonimizzazione-secondo-il-WP29-del-2014_it-1.pdf).

The minimum content of contracts

Law No. 3 of January 11, 2018 (Lorenzin) instructed the Coordination Center of Ethics Committees to identify the minimum content of the contract between the sponsor and the trial center; last May, the Coordination Center published draft contracts for human drug trials and medical device investigations.

Circular_n.4_Centre_coordination_30.05.2022.pdf (aifa.gov.it) specifies that "the contractual outlines are to be considered binding, since they constitute minimum content under the Law, with the possibility i) to supplement the contractual clauses in relation to specific cases in addition to what is already provided for or ii) to modify, on an exceptional basis, some provisions."

Those indicated in the contractual clauses are therefore the methods of personal data processing and the minimum measures that the promoter and the Entity, qualified as autonomous data controllers under Article 4 of the GDPR, will have to compulsorily adopt and comply with.

Each party should therefore take care to verify the other party's personal data management system at the pre-contractual stage; if either party fails to meet the minimum requirements set out in the contractual schemes, the other should seriously question the appropriateness of entering into the contract for the performance of the trial or investigation.

Verification, which of course should continue throughout the trial.