By Jeppe Guilford Manuel, principal R&D data privacy specialist, Novo Nordisk A/S
Behind the clinical data collected and used in the pharmaceutical industry are people — research participants whose data is an invaluable resource for research. Clinical data is personal data and must be treated as such. This implies that data privacy or data protection laws and regulations apply when using clinical data, on top of the other regulations and laws that apply for clinical research (e.g., GCP).
However, the purpose of processing personal data as part of clinical research in the pharmaceutical industry is to increase scientific knowledge that can lead to new discoveries, provide better therapies, and enable availability of medicines and/or devices to patients. Although clinical data, as used in the industry, are not utilized to make decisions that can affect an individual’s rights and freedom, we must still respect the rights, confidentiality, and integrity of the research participants’ data when conducting research.
We have an obligation to maximize the value and utility of this resource. Great value for both patients and sponsors can be derived from the reuse of existing data sets, which is why clinical data reuse is an area of increasing interest across the pharmaceutical industry. For example, tapping into historical clinical data can maximize the value of existing research, potentially reduce the size of the control group, allowing more patients to be on active therapy, and improve the safety of clinical trials. However, there is a high degree of uncertainty when it comes to interpreting privacy regulations surrounding data reuse, which has impeded reuse of clinical data.
Regulatory language around clinical data reuse often uses ambiguous terms like “fairness,” but how do you determine what’s fair?” It can be a very subjective concept. As an example, the General Data Protection Regulation (GDPR) in the European Union (EU), states that data can only be used for secondary uses when compatible. Beyond that, a limited description is offered for how to assess that compatibility and abide by it specifically, so that scientific research should be considered compatible. This ambiguity implies that companies must be able to define when and under what circumstances reuse of clinical data would be considered a legitimate compatible use and must ensure they can demonstrate accountability for that position. The consequence is that companies and research organizations have to make their own individual assessments, resulting in a lack of harmonization across research institutions and making it challenging for researchers to collaborate and share clinical data. For instance, it has taken more than 10 months for one university hospital in Denmark to secure approval by the Data Protection Agency (DPA) to share clinical samples with another university hospital in Denmark. If individual companies were able to align on a position for clinical data reuse, such obstacles could potentially be removed, benefiting patients and research.
Resolving the nuances and ambiguity of privacy rules for research being conducted on a global scale can be overwhelming. But the COVID-19 pandemic demonstrated how necessary and powerful data reuse can be. Industry stakeholders came together to find new ways to share data, collaborate, and, ultimately, accelerate treatments at an unprecedented level. Still, privacy challenges persist. The Organisation for Economic Co-Operation and Development (OECD) highlighted privacy rules as one of the primary challenges surrounding COVID-19 research, stating, “Providing access to personal health record sharing needs to be readily accessible, pending the patient’s consent.” Legislation aimed at fostering interoperability and avoiding information blocking are yet to be passed in many OECD countries. Access across borders is even more difficult under current data protection frameworks in most OECD countries.” However, legislation on its own is not enough, as demonstrated by the U.K.’s NHS data-sharing initiative, “The General Practice Data for Planning and Research” scheme, which was put on hold after more than 1 million people opted out in a single month. Guidance must be developed that fosters trust in how clinical data is used for research activities and ensures the rights, confidentiality, and integrity of the research participants.
Agreeing on a set of common principles for clinical data reuse, would make it easier for research companies to share and leverage historical research data, while respecting the rights and freedom of research participants. To address the challenge of data reuse, members of TransCelerate Biopharma’s GDPR Data Reuse working group recently published “A Privacy Framework For Secondary Research,” which aims to decrease the time companies spend addressing privacy issues by suggesting a more harmonized approach. The framework outlines six core principles that aim to bridge the gap between competing ethical, scientific, and legal considerations regarding how personal data can be reused for other research activities:
A strong governance framework will detail the scope of acceptable secondary research activities, enforce best practice processes, and designate experts to evaluate the scope and risk profile of the research activities.
A two-tiered approach is recommended: 1) a company should define a list of compatible uses of clinical data based on their contextual integrity for collecting and using the data. Companies should use this list to confirm individual research activities are aligned and that the notification to participants does not prohibit the use of data for those purposes; and 2) any legacy data or new reuse purposes not covered on the compatible uses list would require a more comprehensive assessment of compatibility. The best practice is for the data protection lead to establish a cross-competence working group.
The study team should conduct a risk assessment that includes any risks related to processing the clinical data, also from the research participants’ perspective and relevant mitigating actions that should be implemented.
Companies must apply the basic elements of sound scientific research when conducting secondary research to ensure the integrity of the data and its scientific validity, including documentation of how and for what purpose clinical data has been used. When data is shared with external researchers, the company should conduct a basic review to ensure that those receiving the data have a legitimate scientific purpose and are using a sound scientific approach.
Researchers must ensure their use of secondary data is consistent with the individual participants’ reasonable expectations (e.g., as clarified in the informed consent) and implement measures to keep participants’ personal data unknown to others to the extent possible. Researchers must be properly trained on local and global privacy standards and standards for processing personal data.
It must be possible to continuously monitor how clinical data has been processed for a given research activity. Relevant decisions and processing activities must be documented. Companies should also ensure that the way they process clinical data—for instance, what data is used and where it is stored—is traceable.
The TransCelerate framework also details a Best Practice Model for conducting secondary research, detailing relevant steps that research organizations should consider to ensure legitimate compatible use of clinical data for secondary purposes. Moreover, the framework provides a number of tools that can help companies ensure a more harmonized approach to clinical data reuse. While the best practices provided in TransCelerate’s framework aim to provide general guidance, individual companies should decide how best to implement relevant safeguards inside their own organization.
Too often, limitations are imposed on how clinical data can be reused, purely because privacy considerations were not a part of the planning process from the initial planning stage. Even though privacy regulations have been around for more than two decades, it’s still a relatively new concept for researchers to have top of mind. They need to consider using standard operating procedures that enable research to have a continuous, structured approach throughout the life cycle of data and think about how they will address the different privacy regulations around the globe from the onset of the research. It is much easier to establish good privacy (Privacy by Design) before initiating data collection and include considerations around secondary use than trying to backtrack and establish legitimate compatibility for reuse after the data has already been collected and used for its primary purpose.
Above all else, the industry must be willing to work together to address privacy challenges and create clarity around the secondary use of clinical data. Coming together to develop a common approach to the way clinical data is used and collected can help everyone realize greater value from the work that has already been done and potentially also limit the need for interventional studies. Building common principles and processes to facilitate clinical data reuse would not only be a win for the industry but also potentially reduce the burden on research participants and help foster trust in clinical research.