Clinical Trials In Italy: Privacy Law Considerations

The Regulatory Scenario Applicable to Clinical Trials

Clinical drug trials are performed to verify the safety and effects of drugs, and are highly regulated by a complex set of regulations, among others the ethics rules laid down by the Declaration of Helsinki¹ and the International Good Clinical Practice Standards² (GCP). This regulatory framework is supplemented by the Standard Operational Procedures (SOP), notably guidelines and procedures adopted by the sponsors of clinical trials, which usually are represented by pharmaceutical companies, and the study protocol, which is the document that lays down in detail the features and conditions of the clinical trial.

The main actors in clinical trials are the sponsor of the trial, usually a pharmaceutical company that intends to test the drug, and the study centre, which is the hospital or health care facility where patients are treated. The principal investigator is the medical doctor, who generally works in the study centre and is primarily in charge of the trial within the study centre, while study monitors are professionals working for the sponsor who have to verify the accuracy and consistency of the data communicated by the study centre to the sponsor. It may happen that a sponsor reverts to specialised third parties for performance of part or all of the trial activities, for example, Contract Research Organisations (CROs), clinical laboratories, or other providers for processing and analysis of trial information.

On top of this multifaceted regulatory scenario, data protection regulations play an important role to discipline the conditions and limitations applying to the data of the participants in clinical trials, notably patients. The key role of privacy legislation is due to the circumstance that clinical trials are based upon the collection and further processing of patients’ data in terms of their reactions to the tested drug.

From a privacy standpoint, the main concerns raised by clinical trials reside in:

• the kind of data processed, notably health-related information and biological samples, which are sensitive data requiring stricter requirements to be fulfilled;

• the number of data gathered, since often trials are multi-centre studies, involving different study centres usually distributed on a multi-country basis. In addition, studies require follow-up visits to the patients to monitor their health conditions over an extended period of time;

• the length of data storage, as under applicable laws a minimum period of seven years is envisioned³, and it is provided by the law itself that the sponsor and the study centre may agree to extend this time period. A significant length of data retention poses privacy risks, since it increases the exposure of data to risks, such as unauthorised access, misuses and abuses;

• the number of subjects involved in clinical trials that access and share patients’ information among them, including the sponsor, the study centre, the principal investigator and the medical staff, the monitors, and national, European Union and international regulatory authorities, such as the U.S. Food and Drug Administration (FDA); and

• the international feature of clinical trials, as the fact that sponsors are often multinational groups and that regulatory authorities involved may be located outside the European Union trigger the need to transfer patients’ personal information to third countries not providing an adequate level of data protection as intended under EU data protection standards.

Application of Data Protection Legislation to Clinical Trials

Patients’ health information, representing the focus of clinical trials, is collected at study centres through Case Report Forms (CRFs), then transmitted to the sponsor and made available to study monitors for a review of its accuracy. Applicable regulations require that, in order to protect patients’ confidentiality, each patient has to be assigned a code by the study centre and thereafter should be identified through said code, whose main aim is disguising patients’ identities. Study centres hold the key to translating the identities of patients from codes; this is usually not disclosed to the sponsor, save for specific and limited circumstances, for example, in cases of drug adverse reactions, legal proceedings, or during the monitoring activities when study monitors have access to Case Report Forms as well as original medical files of patients. On Case Report Forms, the identification code is associated with the initials of the patients as well as other information, such as demographics, relevant to the trial.

The fact that the names and surnames of patients are not reported on Case Report Forms has led to the idea that sponsors receive only anonymous information not subject to the application of privacy laws; in this context, study centres have been regarded as the only data controller subject to privacy requirements, while trial information reported on Case Report Forms was not considered to be “personal data” and therefore not bound by privacy constraints.

Key Coded Data as Personal Data

In order to assess whether key coded data are subject to the application of privacy laws, it is necessary to define the boundaries of the terms “processing” and “personal data”, since, according to Article 3 of the EU Data Protection Directive (95/46/EC)⁴, the scope of the same is defined as follows: “This Directive shall apply to the processing of personal data ….”⁵

The term “processing” is broadly defined by the Data Protection Directive⁶ as basically any kind of operation that may be performed on personal data, for example, storage, recording, association and even mere reading. Article 2 (Definitions) letter (a) of the Data Protection Directive defines “personal data” as “… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

The category of personal data is further specified in two sub-categories: data directly identifying the data subject, so-called identification data, and data allowing an indirect identification of the same. Identification data act as identifying factors, as they are able to directly distinguish a data subject from all others. In contrast, indirect identification data are pieces of information that do not directly identify the data subject, yet they may allow identification if associated with other available information, thus in an indirect way. The definition of indirectly identifying data is further expanded by the circumstance that the association that makes available the identification may be performed by the controller making use of all reasonable means, and that the “other” information needed for identification does not necessarily have to be in the possession of the controller, as it may be retained by any third party, and the controller itself may not be even aware of its existence⁷.

Indirect identification information is sometimes referred to as “quasi-anonymous” in light of the fact that it falls between directly identifying and anonymous data. The EU Article 29 Data Protection Working Party⁸, in a Document issued in June 2007⁹, expressly states that: “It needs to be noted that this definition reflects the intention of the European lawmaker for a wide notion of ‘personal data’, maintained throughout the legislative process”.

Also of relevance is a Decision of the Italian data protection authority, the Garante per la protezione dei dati personali (Garante), of January 9, 1999, in relation to the publication in a scientific journal of the radiography of a woman with reference only to her first name and age. The Garante considered this information to be an indirect identifier, since the peculiar name of the woman, her age, the small town where she lived, where basically anyone might have known her, and the means of spreading of the information — through publication in a scientific journal — have been considered factors that could lead to the woman’s identification, especially by other people from the same town¹⁰.

The only information that falls outside the definition of personal data, and therefore outside the application of privacy laws, is anonymous information, notably information that does not allow the identification of a data subject, not even indirectly¹¹.

The Italian Experience

The foregoing leads to the conclusion that health information reported on Case Report Forms is personal data, with the consequence that study centres would not be the only controllers in clinical trials, as sponsors likewise would be processing personal data.

In 2008 the Garante issued Guidelines for the processing of personal data within clinical drug trials (“Guidelines”)¹² providing for specific requirements to be fulfilled by study centres and sponsors, which were issued after a period of public consultation with interested stakeholders and in-depth analysis performed by the Garante. The Guidelines provoked an uproar in the pharmaceutical sector, especially on the part of sponsors. Indeed, prior to the issuance of the Guidelines, the general approach was that all applicable privacy requirements were to be addressed by study centres, as they were the ones to access personal information of patients in identifiable format; sponsors were considered to receive trial information in anonymous form, and as such were deemed outside the scope of the privacy regulatory framework.

The Guidelines were issued as a sort of formal interpretation of the Italian privacy law, as indeed they do not provide for new legislative provisions, but rather simply identify the requirements that must be fulfilled when conducting trials by the various subjects involved (e.g. study centres, sponsors, and other third party service providers) under the current legislative scenario.

In order to explain the position taken, the Garante underlines the following indicative elements:

• The types of information reported on Case Report Forms are quite numerous, and therefore it is possible to indirectly identify patients’ identity. Apart from the fact that, in some cases, Case Report Forms and adverse effects and reaction reports contain patients’ full names, they usually include additional information that varies depending on the specific scope of the trial, for example, medial history, demographical information, birth date or age, sex, weight, height, or details on lifestyle. All this information is an integral part of the trial, and, as such, is to be kept by operation of law not only by study centres but also by sponsors;

• Study centres are in charge of keeping the documentation that associates each patient with a specific code, but sponsors have access to patients’ personal information during the trial, for example, on the occasion of monitoring visits carried out at study centres to verify the accuracy of the data collected through the Case Report Forms and adherence to the protocol;

• Sponsors need and have the right to process patients’ information in an identifiable form upon the occurrence of specific circumstances in the course of trials, for example, during the checks performed by study monitors, to manage adverse reactions or events, or if a sponsor needs to enforce or defend its rights in case of claims triggered by the trial; and

• The long data retention period raises issues in terms of risks to which data are exposed, including those stemming from failure of the security precautions implemented to preserve data confidentiality.

The Garante concludes that: “Given the amount and type of the information made available to the sponsor company, the processing mechanisms at issue and the various entities that can access trial data, it can be concluded that data subjects can be identified, albeit indirectly, by reference to other data held by the sponsor and/or … by third parties. This conclusion can be drawn by having regard, in pursuance of Community legislation, to the means that can be reasonably used by the sponsor company and/or third parties in view of identifying data subjects”.

Clinical Trials within the Framework of Italian Privacy Law

As for any data processing for which it is necessary to identify the requirements to be met, the first step is determining who the controller is. In the case of clinical trials, the scenario is fairly complex, as there are two different and interrelated points of authority: the study centre and the sponsor. The sponsor is responsible for drafting the study protocol, which determines the scope and features of the trial, and for monitoring compliance with the same by study centres; selects the study centres; provides the Standard Operational Procedures for management of the trials; and is responsible for drug-related incidents that may occur. However, the sponsor does not have direct contact with patients, save for limited purposes (i.e., data verification, management of adverse events and reactions, etc.), and receives the patients’ information that is collected by the study centre. By contrast, the study centre interacts with patients; performs the trial autonomously; and is not under the control of the sponsor.

Given that the main features of a controller are the authority to determine the purposes and conditions of the processing, including security issues, it appears that both the study centre and the sponsor act as controllers, more specifically as autonomous controllers.

With regard to other third parties that may be involved in clinical trials for the performance of part or all of the processing activities, for example, Contract Research Organisations, laboratories, study monitors, etc., it is necessary to apply the general rules provided for any processing operations. Indeed, since third parties act on behalf of the sponsor or the study centre, they should be appointed as either the processor to construe the relationship among them as that between controller and processor, or as the controller person in charge of processing (the last circumstance in case the third party is a natural person instead of a legal person).

The Guidelines have determined the privacy requirements that bind study centres, sponsors and other third parties involved in clinical trials as follows:

• Notification — to be filed with the Garante in case of processing of genetic data or in case of performance of epidemiological surveys;

• Distribution of privacy tasks — appointment of third parties involved by the study centre and the sponsor in the trial as processors or persons charged with processing operations. For study monitors, the need for specific training on security measures and confidentiality precautions is envisaged, which should be taken care of by the sponsor even for the benefit of monitors of the study centre when a need to supplement the training already provided is envisaged. This task is of the essence, because, in case third parties acting as service providers are not appointed as processors or persons charged with processing operations, the sharing of information by the study centre or by the sponsor with these parties would entail a data communication outside the structure of the controller. Such a data communication would need to be legitimised by the data subjects’ consent;

• Information notice to patients — the study centre and the sponsor, each for its respective role in the clinical trial, have to properly inform patients of the purposes and features of the processing of their personal data in the course of the trial. For this purpose, the Garante has provided a sample information notice form;

• Consent of patients — the consent form should be approved by the competent ethical committee and should be in written form. In case the sponsor wishes to use data from a trial in future studies, it should provide for a separate specific consent, in addition to the consent necessary to take part to the relevant trial. Patients may at any time withdraw from the trial and revoke their consent;

• Privacy rights of patients — both the study centre and the sponsor should have in place appropriate procedures to guarantee prompt enforcement of the patients’ privacy rights. Patients may revoke consent to the processing at their discretion. When this happens, data on a patient who revoked consent may no longer be gathered, and biological samples that might have been collected should be destroyed if allowing personal identification. However, they may be used in the trial data already collected that are necessary to achieve non-biased results;

• International transfer of data — as any trans-border data flow, the transfer of patients’ information to entities and regulatory authorities based in the European Union and especially outside the safe boundaries of the European Union must comply with the specific precautions set forth for a legitimate transfer;

• Data security measures — the Garante identifies specific precautions to be adopted when data are stored in databanks and when data are transmitted over electronic networks. In particular, mention is made to secure communication protocols based on encryption standards, appropriate authentication and authorisation systems and audit log functionalities; and

• Retention period — even if, under applicable law, clinical trial data may be kept for long periods of time, the sponsor and the study centre should ensure that they are deleted or made anonymous in a timely fashion after the lapse of the lawful period.

Other Types of Trials

The Guidelines apply to clinical drug trials, while other kind of trials, such as observational and non-interventional trials, remain outside the scope of their application, and are ruled under Italian privacy law and the specific code of practice for the processing of personal data for scientific and statistical purposes¹³. Observational studies are studies not having a significant impact on the patients, and they are usually performed based on data previously collected to provide health care and treatment or to conduct other research studies. The existing medical documentation, therefore, relates to patients who are no longer under treatment at study centres or other health care treatment facilities, which poses the problem of contacting patients to inform them of the study and to obtain their consent.

Given the difficulties of contacting patients, the Garante on March 1, 2012, issued a specific authorisation that, under specific conditions, allows performance of the same without the need to obtain patients’ consent (“Authorisation”)¹⁴. Before enactment of the Authorisation, when it was impossible to collect the patients’ consent, controllers had to ask the Garante for a specific and ad hoc authorisation describing in detail the factual and objective circumstances that impeded contacting patients and the measures intended to be adopted by controllers to secure the data processing. The Garante decided to issue the Authorisation after a public consultation with interested stakeholders and in consideration of the numbers of individual authorisations received. The purpose of the Authorisation is indeed to provide a uniform and harmonised solution applicable to all observational studies having the eligibility criteria set forth by the Authorisation.

The Authorisation defines the perimeter of application, providing the following definition of observational studies: studies in which “drugs are prescribed in accordance with the guidance contained in the respective marketing authorisation. Allocation of a patient to a specific treatment policy is not determined beforehand via a testing protocol, being rather part of standard clinical practice, and the decision to prescribe the given drug is totally independent of the decision to enroll the patient into the study. No additional diagnosis or monitoring procedure is implemented in these patients”.

Universities, research bodies or institutions, health care practitioners and bodies, associations, natural and legal persons as well as private organisations and third parties that access and process health data as processors or persons charged with specific processing tasks by the relevant controllers, such as Contract Research Organisations, monitors, analysis labs, etc., are among the subjects that may benefit from the Authorisation.

Among others, one of the main criteria to be fulfilled is the impossibility, for ethical reasons or for organisational reasons, to contact patients.

Ethical reasons are considered as material or psychological detriment that may affect patients in connection with the disclosure of information related to the study, for example, because patients were not aware of their health conditions.

Organisational obstacles mean the practical impossibility to contact patients, for example, because the research is focused on pathology with a high mortality rate or makes use of personal data gathered many years before, thus making it impossible to retrieve contact details of patients. The Garante underlines that, if the impossibility is linked to organisational issues, controllers should in any case do whatever reasonably possible to contact traceable patients and obtain their consent.

The Authorisation also specifies some data security measures to be implemented in order to guarantee the security and confidentiality of personal health information, including measures related to data retention periods and international data flows.

Conclusions

Clinical trials collect and process patients’ information that falls within the meaning of personal data, and, as such, is subject to the application of privacy law requirements, even if patients’ names are usually disguised through key coded data. Since clinical trials have regard to sensitive personal data (e.g., data disclosing the health conditions of patients), tighter security measures have to be implemented.

The Garante has clarified the measures and requirements to be fulfilled by the various subjects involved in clinical trials, underlining that study centres and sponsors both act as controllers. The Garante has also issued a specific Authorisation, applicable only to observational and non-interventional studies, that allows such studies to be carried out even without patients’ consent, provided they meet specific criteria set forth by the Garante.

Francesca Gaudino is Counsel at Baker & McKenzie, Milan. She may be contacted at francesca.gaudino@bakermckenzie.com.