The Impact of Data Privacy Regulations on Clinical Data Management
Clinical Data Management (CDM) is a discipline within the field of clinical research that focuses on the collection, integration, and management of clinical trial data. CDM ensures that the data collected during clinical trials is statistically sound, reliable, and of high quality. It involves various processes and activities to effectively handle and organize the data generated during the course of a clinical trial.
Data Privacy Regulations are laws and regulations that govern the collection, use, storage and sharing of personal data to protect individuals’ privacy rights. These regulations aim to ensure that organizations handle personal data responsibly, securely, and in compliance with specified principles and requirements (Explainer, 2017).
Laws Related to Personal Data
As per the UN’s Universal Declaration of Human Rights Act, 1948 Art. 12 – “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks” (United Nations).
According to the Indian Constitution Part III Fundamental Rights, Art. 21 – “Protection of Life and Personal Liberty: No person shall be deprived of his life or personal liberty except according to procedure established by law.” This fundamental right is available to every person, citizen and foreigner alike. It ensures that no individual shall be deprived of life and liberty except according to the procedure established by law.
As per the European Convention for the Protection of Human Rights and Fundamental Freedoms, 1950 Art. 8 – Right to respect for private and family life. This article states:
Everyone has the right to respect for his private and family life, his home, and his correspondence.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others (Amar Ali, 2020).
Clinical Data
Clinical data refers to information collected during clinical trials that involve human subjects. It encompasses various types of data, including demographic information, medical history, laboratory results, treatment interventions, and outcomes. Clinical data plays a crucial role in evaluating the safety and efficacy of medical interventions, assessing the impact of diseases, and understanding patient populations.
Why Personal Data Protection Is Important
There are several scenarios that show why personal data protection is important. Some of them, with examples, are:
There is a high possibility of damage to the business and the image of the company. The best example of this is Novartis Italy, where the Data Protection Authority end of 2006. In September 2008 the conclusion of the Italian DPA was published, stating that Novartis's processing of clinical trial data subjects was not compliant with the new Italian Guidelines for Clinical Trials and that it must stop collecting patient data if not compliant before the end of the year. All these articles were published in all leading newspapers (Marit Hansen et al., 2014).
There are important financial and individual risks of non-compliance, which include the inability to perform research, important fines, and legal consequences. The non-compliance risks are that Data Protection Commissioners can impose important fines on non-complying companies and individuals. Individuals (employees, subjects, clients or other stakeholders) can apply for compensation from the data controller for damage caused. Individuals can also obtain court orders to enforce their rights. Breaches of certain rules are criminal offences, and directors of companies which have committed offences may be liable to prosecution.
Lastly, there are important risks for data subjects, which include identity theft and fraud along with discrimination. One example is Google Italy vs Associazione Vivi Down: in September 2006, illicit personal and sensitive data processing with damage to the data subject, for which Google’s CEO and Data Privacy Counsel were found guilty. The news was published in all leading newspapers, and the accused received 6 months of jail. Another example, from the US, concerns the re-use of biological samples: in a case between Arizona State University and the Havasupai tribe, the Indian tribe won its battle to limit research on its DNA.
Identity theft is the use of personal identifying information of another person, such as name, mother’s maiden name, ID number, etc., to commit fraud. It is one of the fastest growing crimes all over the world, with millions of victims already, and the number is growing.
A discrepancy can be defined as data that may be inaccurate, illogical, incomplete, missing, or in violation of protocol-specific rules and conventions. The sources of discrepancy are at the site and at the data centre (Human Rights Law Centre 2016).
Overview of Worldwide Events on Regulation:
1970: First Data Protection Code in Hesse, Germany.
1978: Federal Data Protection Act in Germany; “Loi Informatique et Libertés” in France
1980: OECD guidelines concerning the protection of privacy and transborder flows of personal data
1981: European Council Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
1995: Directive 95/46 EC on Personal Data Protection. Remains the only international and universal legally binding instrument open to accession by any country, including non-member states
1996: Health Insurance Portability and Accountability Act (HIPAA)
2000: Safe Harbor Privacy Principles of the U.S. Department of Commerce in consultation with the European Commission
2003: Japanese Privacy Act
2016: EU law on data protection and privacy in the EU and the European Economic Area. The General Data Protection Regulation (GDPR) particularly in Article 8 and its 7 Principles.
The Eight OECD Basic Principles:
Collection Limitation Principle: Personal data should be collected only for specified, explicit, and legitimate purposes.
Data Quality Principle: Personal data should be accurate, complete, and up-to-date, as necessary for the purposes for which it is collected.
Purpose Limitation Principle: Personal data should not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Use Limitation Principle: Personal data should be used only for the purposes specified at the time of collection or compatible with those purposes.
Security Safeguards Principle: Personal data should be protected by reasonable security measures against unauthorized access, disclosure, alteration, or destruction.
Openness Principle: There should be transparency and openness about the policies and practices relating to the management of personal data.
Individual Participation Principle: Individuals should have the right to access their personal data, request its correction, and have it deleted or blocked if it is inaccurate or unlawfully processed.
Accountability Principle: Data controllers should be accountable for complying with data protection principles (Equality and Human Rights Commission, 2021).
European Union & countries with similar laws:
The European Union countries have adopted the OECD guidelines and further developed the strictest set of rules for data protection (Directive 95/46/EC). Several non-EU countries, such as Canada, Argentina and Switzerland, also provide a similar level of protection.
Indian rules and regulations:
A personal data protection bill is in preparation to prevent the usage of data by any other company and to give rights to subjects. The bill is to embrace the standards required by the EU directive and the eight principles. Amendments to the “Information Technology Act, 2000” are projected to legalise breaches of electronic data rooms and penalise the negligent handling of sensitive personal data. No Directive Principle Authority exists yet and India is not currently involved in any international Directive Principle working group (Marit Hansen et al., 2014).
USA rules and regulations:
White House Proposal of a Privacy Bill of Rights
As a result of the above, data privacy regulations have a significant impact on clinical data management (CDM) practices and processes. These regulations impose specific requirements and obligations on organizations involved in clinical research and data handling (Jay Cline, 2007).
Some key impacts of data privacy regulations on CDM:
Consent and Privacy Protection: Data privacy regulations, such as the General Data Protection Regulation (GDPR), emphasize obtaining informed consent from individuals for the collection and processing of their personal data. In clinical trials, this means ensuring that participants are fully informed about how their data will be used and obtaining their explicit consent.
Data Security and Confidentiality: Data privacy regulations impose strict requirements for data security measures. CDM processes are designed to implement appropriate security controls, such as encryption, access controls, and data anonymization, to protect personal data from unauthorized access, breaches, and misuse. These measures help safeguard the confidentiality and integrity of clinical data.
Improved Data Quality: Privacy regulations often require organizations to implement data quality measures and ensure the accuracy, completeness, and relevance of personal data. CDM practices are aligned with these requirements, leading to improved data quality and reliability. Accurate and high-quality data supports robust analyses, reliable results, and sound decision-making.
Data Subject Rights: Data privacy regulations grant individuals certain rights over their personal data, such as the right to access, rectify, restrict processing, and request deletion. CDM establishes mechanisms to facilitate the exercise of these rights and respond to individuals' requests in a timely and compliant manner.
Ethical and Responsible Data Handling: Data privacy regulations promote ethical and responsible data handling practices. CDM processes ensure compliance with these regulations by obtaining informed consent, minimizing data collection, and using data only for specified purposes. This ensures that personal data is processed in a fair and transparent manner, aligning with ethical principles in research.
Data Minimization: Data privacy regulations advocate for the principle of data minimization, which means that organizations should only collect and process personal data that is necessary for the specified purposes. CDM practices ensure that only relevant and essential data is collected and processed, minimizing the risk of unauthorized access or use.
Data Transfer and International Considerations: Data privacy regulations impose restrictions on the transfer of personal data across borders. When conducting multi-country clinical trials, CDM practices adhere to applicable regulations regarding data transfers. Adequate safeguards, such as standard contractual clauses or data transfer agreements, may be required to ensure the lawful transfer of data between jurisdictions.
Data Breach Notification: Many data privacy regulations require organizations to promptly notify individuals and authorities in the event of a data breach that poses a risk to individuals' rights and freedoms. CDM processes include procedures for detecting and responding to data breaches and promptly notifying the relevant parties as required by the regulations.
Increased Data Transparency: Privacy regulations emphasize transparency in data handling practices. CDM processes include provisions to inform individuals about how their data will be used, their rights over the data, and the purposes of data collection. This promotes transparency and empowers individuals to make informed decisions about participating in clinical trials.
Compliance and Risk Mitigation: Adhering to data privacy regulations in CDM helps organizations mitigate legal and reputational risks. Compliance with regulations reduces the likelihood of data breaches, unauthorized access, and non-compliance penalties. It demonstrates a commitment to ethical data practices and ensures that organizations are aligned with evolving regulatory requirements (Pieter Kubben, 2018).
Although data privacy regulation brings clinical data handling in line with rules and regulations, which has important benefits, it also poses some challenges for CDM. Some of them are:
Increased Compliance Burden: Data privacy regulations often impose additional administrative and operational requirements on organizations involved in clinical research. The increased compliance burden can pose challenges for organizations, particularly smaller ones with limited resources, leading to potential delays or increased costs in CDM activities.
Impact on Data Sharing and Collaboration: Data privacy regulations may introduce limitations on data sharing and collaboration among researchers and institutions. Strict privacy requirements and restrictions on data transfer may impede the free flow of data, hindering collaborative efforts, and slowing down research advancements. Researchers may need to navigate complex data sharing agreements or obtain additional consents and approvals to share data across borders.
Impacts on Research Innovation: Stricter data privacy regulations may impose limitations on the use of certain data types or introduce consent requirements that can impede innovative research approaches. Some types of research, such as retrospective studies or secondary data analyses, may face challenges in obtaining explicit consent or complying with data privacy regulations, potentially limiting the ability to leverage existing data sources for research purposes.
Increased Costs: Adhering to data privacy regulations often requires investments in technology, infrastructure, and expertise to ensure data security and compliance. Organizations may need to allocate resources for implementing secure data storage systems, encryption mechanisms, access controls, and other technical measures. Compliance-related activities, such as conducting data protection impact assessments or hiring data protection officers, can also contribute to increased costs.
Interpretation and Compliance Challenges: Data privacy regulations are open to interpretation, and compliance requirements can be subject to different perspectives and evolving legal interpretations. This can introduce ambiguity and uncertainty in implementing CDM practices that align with the regulations. Organizations may need to consult legal experts or seek guidance to ensure proper interpretation and compliance (Pieter Kubben, 2018).
Conclusion
Data privacy regulations ultimately aim to protect individuals’ rights and enhance data security and integrity. They provide a key framework that aligns with ethical principles and ensures the responsible handling of personal data in clinical research. Implementing these regulations within CDM processes not only protects individuals' privacy rights but also enhances data security, quality, and transparency, fostering trust between researchers and study participants. Overall, data privacy regulations have a deep impact on CDM, requiring organizations to adopt privacy-centric practices, implement robust security measures, respect individual rights, and ensure compliance with applicable regulations. CDM professionals and organizations involved in clinical research must stay updated with the applicable data privacy regulations and adapt their processes and systems accordingly to ensure compliance throughout the data management lifecycle. In conclusion, effective CDM practices are crucial for ensuring the integrity and reliability of clinical trial data. CDM plays a vital role in supporting evidence-based decision-making in clinical research and drug development.
References:
Book:
Pieter Kubben, Michel Dumontier, Andre Dekker, 2018. Fundamentals of Clinical Data Science
Websites:
Amar Ali, (2020). Theresa May: Britain Must Leave the European Convention on Human Rights. https://immigrationlawyers-london.com/blog/theresa-may-britain-must-leave-european-convention-human-rights.php
Beata Struhárová (1999). DISPARATE IMPACT: REMOVING ROMA FROM THE CZECH REPUBLIC. http://www.errc.org/roma-rights-journal/disparate-impact-removing-roma-from-theczech-republic
Cemalettin Karadas, A COMPARATIVE EVALUATION OF CIVILIAN OVERSIGHT OF THE INTERNAL SECURITY SECTOR. https://www.academia.edu/16967393/A_COMPARATIVE_EVALUATION_OF_CIVILIAN_OVERSIGHT_OF_THE_INTERNAL_SECURITY_SECTOR
Cloudian, (2021). Data Protection Principles: 7 Core Principles of the GDPR. https://www.computerworld.com/article/2541015/data-quality----the-forgotten-privacy-principle.html
Department of Agriculture, Trade and Consumer Protection, International Privacy Laws - "Safe Harbor" Privacy Framework. https://datcp.wi.gov/Pages/Programs_Services/IntlPrivacyLawsSafeHarbor.aspx
Equality and Human Rights Commission, (2021). Article 9: Freedom of thought, belief and religion. https://www.equalityhumanrights.com/en/human-rights-act/article-9-freedom-thought-belief-and-religion
Explainer, (2017). What Is Privacy? https://privacyinternational.org/explainer/56/what-privacy
Human Rights Law Centre (2016). Scotland's Named Persons Scheme: balancing children's welfare against privacy rights. https://www.hrlc.org.au/human-rights-case-summaries/scotlands-named-persons-scheme-balancing-childrens-welfare-against-privacy-rights
Jay Cline (2007), Data quality -- the forgotten privacy principle. https://www.computerworld.com/article/2541015/data-quality----the-forgotten-privacy-principle.html
Marit Hansen et. al. (2014) Privacy and Identity Management for Emerging Services and Technologies. https://books.google.com/books?id=3im5BQAAQBAJ
United Nations, Universal Declaration of Human Rights. https://www.un.org/en/about-us/universal-declaration-of-human-rights/
Student Name: Sameer S
Student ID: 061/042023
Qualification: BSc, MSW, MBA
e-Mail ID: officeofsameer@gmail.com