Guidelines for Data Processing within the Framework of Clinical Drug Trials - 24 July 2008
[doc. web n. 1671330]
Garante per la protezione dei dati personali
As published in the Official Journal of the Italian Republic (no. 190 dated 14 August 2008)
(A public consultation was launched on these guidelines in order to receive suggestions and comments. The deadline for submissions was February 15, 2008.)
Table of Contents
1. Preliminary Remarks
2. Applicable Legislation
3. Processed Data
5. Controllership in Trial-Related Processing Operations
6. Other Entities Involved in Clinical Trials
7. Information Provided to Patients
8. Consent to the Processing of Personal Data
9. Exercising the Rights Under Section 7 of the DP Code
10. Cross-Border Data Flows
11. Retention Period and Processing of the Data for Further Research-Related Purposes
12. Safekeeping of the Data
13. Other Types of Clinical Trial
1. Preliminary Remarks
Clinical trials on humans are aimed at detecting and/or verifying the effects of test drugs, including adverse reactions, in order to establish safety and effectiveness of such drugs. These studies are usually sponsored by pharmaceutical companies (in their capacity as either promoters, customers, or sponsors) at both national and international level – in the latter case, it is often companies belonging to multinational groups that come into play.
After drafting a protocol to lay down the design, objectives and methodology of the trials, the companies in question submit the documents required for implementing such trials to the competent authorities and the relevant ethics committees.
Trial activities are carried out at one or more hospitals, universities and/or public or private authorised research centres (trial centres), which are specifically selected by the sponsor companies. Various medical/clinical data, along with biological samples from the patients who agree to be enrolled, are collected in compliance with the protocol, on several occasions in the course of the trial, via medical examinations and/or diagnostic tests performed by trial physicians / medical staff.
This information may be accessed not only by the medical staff working at the individual centres – indeed, the sponsor supervises the progress made by a trial to ensure that it is in line with the respective protocol. To that end, the sponsor may avail itself of its own collaborators (clinical study monitors), who visit the trial centres to perform monitoring activities and – where necessary – inspect the patients' original records as made available by the physicians (e.g. health records, clinical files, laboratory reports, investigational findings, etc.).
The medical/clinical information collected at each trial centre is forwarded to the sponsor company; this usually takes place on several occasions during the trial, or else upon conclusion of the trial in the given centre. Thereafter the information is usually entered by the sponsor companies – either directly or via external entities – in a single database that is used to check and validate the data and subsequently perform statistical analyses in order to obtain the results that will be documented in a report.
In the trials sponsored by companies belonging to multinational groups, the recipients of the medical/clinical data collected by trial physicians are usually the holding/parent companies – who may happen to be based outside the national territory. Additionally, the sponsor companies often avail themselves of external entities (clinical study monitors, research organisations working on a contractual basis, analysis labs, etc.) that are established in some cases outside the EU; those entities may carry out any of the tasks related to the trial – e.g., monitoring of the trial; data entry, validation, and statistical analysis; pharmaceutical vigilance; performance of clinical and lab tests as envisaged in the protocol; and so on.
Accordingly, many items of information and/or biological samples are shared by various entities that may happen to be established in third countries providing no adequate data protection level and are enabled to access and/or hold the information in question – namely, the sponsor company; clinical study monitors; external entities co-operating with the sponsor company in entering and analysing the data; clinical labs; etc.
The information gathered in the course of a trial is retained for a considerable amount of time after completing the trial, in order to prove that the trial was performed appropriately and the data were not tampered with – also in connection with inspections carried out by the competent authorities.
Based on the analysis performed so far, the collection, dissemination and large-scale retention (partly in third countries) of multifarious information items related to the health and, in some cases, the sex life of individuals enrolled in clinical trials are fraught with several criticalities in terms of personal data protection; accordingly, a high standard of protection is required in order to prevent specific risks from affecting data subjects.
In order to determine the said standards, the Italian DPA carried out inspections at pharmaceutical companies; it launched an ad-hoc public consultation on a detailed document laying down the state-of-the-art measures and arrangements that were considered appropriate with a view to data processing in clinical drug trials; and finally, it carried out several in-depth analyses, also technical in nature, jointly with the main bodies involved in the said consultation, so as to address the criticalities that had been highlighted via the contributions received by the DPA.
The measures and arrangements proposed in the public consultation document were confirmed by both the relevant contributions and the specific technical analysis performed thereafter.
All the considerations and comments submitted were taken into account and assessed prior to drafting these "Guidelines", which have been somewhat amended compared to the previous draft in order to accommodate such considerations and comments as were found appropriate.
Therefore, these Guidelines are intended to determine such measures and arrangements as are both necessary and desirable in respect of the processing by trial sponsors of personal data related to clinical trial participants. The measures and arrangements in question shall also have to be taken into account by the controllers of any personal data that is used for the purposes of a clinical trial – e.g. sponsors other than pharmaceutical companies, contract-based research bodies, trial centres.
Prior to laying down the precautions that have been found to be appropriate on the basis of the complex analysis performed by the Garante, it is necessary to dwell briefly on the nature of the processed data, the role played by sponsors and other entities involved in clinical drug trials as for the processing of the said data, and the reference regulatory framework to be taken into account in order to ensure that any data is processed lawfully and fairly.
2. Applicable Legislation
Clinical trials should be managed in compliance with the ethics principles grounded in the Helsinki Declaration (dating back to June 1964 and subsequently amended), the requirements set out in international good clinical practice standards (GCP) as also adopted by the EU (and taken up in Italy's legal system: see legislative decree no. 200 dated 6 November 2007; legislative decree no. 211 dated 24 June 2003; Ministerial decree dated 15 July 1997), and the standard operational procedures (SOP) applied by the sponsor companies. Trial centres should carry out their studies in compliance with the sponsor's protocol and standard operational procedures and may not depart from and/or modify them without the sponsor's prior agreement. This is without prejudice to exceptional situations as related to impending risks for trial patients and/or modifications that only impact on minor elements of the trial (section 10(1)a. of legislative decree no. 211/2003; see also Ministerial Decree dated 15 July 1997, passim).
Under the applicable legislation, there are several cases in which the medical/clinical data collected by the trial centre have to be disclosed to the sponsor. This applies, first and foremost, to the medical/clinical data related to each trial participant, which must be entered by physicians in case report forms (CRF) and forwarded to the trial sponsor (see Ministerial decree dated 15 July 1997). Trial centres are required additionally to notify the sponsor of adverse events and reactions (AE and ADR) as possibly related to administration of the trial drug or else to trial performance – along with such other follow-up information as may be relevant (see sections 16 to 18 of legislative decree no. 211/2003).
With a view to protecting patients' identity, the legislation at issue requires each trial centre to allocate an identification code to each patient at enrolment and use this code instead of the patient's name as regards any communications of trial-related data addressed to the sponsor (see Ministerial decree dated 15 July 1997, passim; see also section 16(5) of legislative decree no. 211/2003). A list where the codes are matched with patients' identification is only held by each trial centre as a confidential document that is essential for trial performance (see Ministerial decree of 1997, passim).
Case report forms, notifications and reports of adverse events and/or reactions – insofar as they are essential for trial performance – must also be retained under the said legislation both by the sponsor and by the individual trial centres for at least seven years as from trial completion, or for any longer period as may be provided for in the applicable legislation and/or the agreements between the sponsor and the said centres (see section 18 of legislative decree no. 200/2007; legislative decree no. 219/2006, Annex 1, point 5.2 letter c.; Ministerial decree dated 15 July 1997, passim).
3. Processed Data
As a rule, sponsors have developed specific internal procedures to allow trial physicians to encode patients' medical/clinical data. Digital codes are used to unambiguously identify the individual patients in a given trial without relying on their names, address information and/or personal identification numbers.
However, some sponsors require in the relevant protocols that trial physicians enter patients' first and last names and the respective identification codes on case report forms as well as on adverse events/reactions reports – which have to be forwarded to the said sponsors. Additionally, protocols may require physicians to collect additional information on top of the medical/clinical data related to patients depending on the purposes of the trial – e.g. population data (birth date and/or age, sex, ethnic/racial origin, weight, height), medical history, lifestyle and/or sex life information. This information is reported on documents that are essential for trial performance and is retained by both trial centres and the sponsor company for a period that – depending on the applicable legislation – may cover the whole term of the licence issued for the given drug in the individual countries.
Although it is envisaged that the list where patients' names are matched with the corresponding identification codes should only be held by each trial centre, and that the sponsor should in no case become apprised of patients' identities, it is a fact that the sponsor can access, via its own study monitors visiting the trial centres to check compliance with the relevant protocol, the patients' original medical records at the trial centre – under medical supervision – to check whether the data are accurate and complete; additionally, the sponsor can access, via the same mechanism, the list containing patients' names in connection with the checks on the procedures aimed at obtaining their informed consent.
It should be pointed out that the information collected in the course of these trials includes, as a rule, one or more items related to the patients' identity – such as their height or certain diseases. Based on the guidance provided by the Article 29 Working Party in their opinion no. 4/2007 (WP136) on the concept of personal data, combining the items in question can allow identifying the individual data subject – for instance by matching a patient's initials with his/her birth date and/or location as based on the identification data held by the trial centre and/or the trial physicians.
The encoding mechanisms deployed by sponsor companies are a specific security measure that is adopted in pursuance of the legislation in force to protect patients' privacy – however, they are not such as to anonymize the data to be processed in connection with the trial (see section 16(5) of legislative decree no. 211/2003; Ministerial decree dated 15 July 1997, passim; see also the Garante's authorisation no. 2/2008 for the processing of data suitable for disclosing health and sex life, in particular point 1.2 a. thereof – available on the Garante's website as document no. 1429775). Indeed, the mechanisms in question are aimed at ensuring – pursuant to the specific regulations – that the individual patient can be identified in specific cases – e.g. to allow the trial physician, who is the only entity having direct contacts with the patient, to modify or terminate the trial drug treatment in the presence of adverse reactions and/or events; or to enable study monitors to check, on the sponsor's behalf, that the information gathered in the course of the trial is accurate, complete, and consistent with the patients' original medical records; or else to allow the sponsor to use the information obtained in connection with the trial to establish or defend a judicial claim. Similarly, account should be taken – with a view to identification – of the retention period applying to the identification list, the risks related to failure and/or malfunctioning of the technical and organisational measures adopted to ensure data preservation and security, the dangers arising out of the violation of confidentiality and privacy rules set out in the applicable legislation (section 3(1)c. and section 11(3) of decree no. 211/2003), and the precautions study monitors are required to take in order to keep confidential the data subjects' identity (see Ministerial decree dated 15 July 1997, Annex 1/1A, point 1.21, and Annex 1/2, point 2.11).
Given the amount and type of the information made available to the sponsor company, the processing mechanisms at issue and the various entities that can access trial data, it can be concluded that data subjects can be identified, albeit indirectly, by reference to other data held by the sponsor and/or to any other information that need not be held by the sponsor - as it may be held by third parties. This conclusion can be drawn by having regard, in pursuance of Community legislation, to the means that can be reasonably used by the sponsor company and/or third parties in view of identifying data subjects (see Recital 26 of directive 95/46/EC).
It follows that the information related to each patient's identification code is to be regarded as personal data suitable for disclosing the individual data subject's health and – in some cases – sex life (see Article 2(1) a. and Article 8 of directive 95/46/EC, and section 4(1)b. of the Italian DP Code). Acquisition of this information by the sponsor companies in connection with clinical trials and the subsequent handling of such information give rise to data processing operations that fall under the scope of the provisions set forth in the DP Code regarding sensitive data (Section 26); furthermore, such operations are subject to the precautions intended to safeguard data subjects' rights and privacy in pursuance of the Garante's authorisation no. 2/2008 on the processing of data related to health and sex life (see decision dated 19 June 2008, document no. 1529389) and, where applicable, of the Garante's authorisation on the processing of genetic data (see decision dated 22 February 2007, document no. 1389918).
Some of the processing operations performed in connection with clinical drug trials are to be notified to the Italian DPA. This applies, in particular, to the processing operations mentioned in section 37(1) of the Code, i.e. those relating to genetic data and/or aimed at the performance of epidemiological surveys (section 37(1), a. and b.).
The Italian DPA has exempted some of the above processing operations from notification obligations; more specifically, the DPA has set out the preconditions to be fulfilled in order not to notify processing operations concerning genetic data and/or data intended for epidemiological surveys when carried out by health care professionals – whether partnered or not (decision dated 31 March 2004, doc no. 852561). As for the processing operations in question, it should be pointed out once again that the exemption provided for by the Italian DPA only applies to processing that is carried out by trial physicians for health care purposes linked to the clinical trials – on condition the processing is not performed on a systematic basis and does not rely on databases that can be accessed by third parties via electronic networks. Reference can be made, for instance, to a physician who, in connection with the medical visits and/or examinations scheduled for a given clinical trial, becomes apprised of and processes, on an occasional basis, genetic information on hereditary diseases affecting trial patients, without forwarding such information to the sponsor, in order to provide health care or protect the patients' bodily integrity.
5. Controllership in Trial-Related Processing Operations
It is fundamental to establish the relationships between the sponsors of clinical trials and trial centres as for the processing of personal data. In this connection, it is necessary to clarify what role is actually played by the said sponsors in determining the purposes and mechanisms of the processing – also in light of the guidance provided by the Italian DP Authority as to the concepts of "data controller" and "data processor" (see Opinion dated 18 May 2000, document no. 30935).
It should be recalled that, prior to starting the trial, the sponsor selects the candidate centres by assessing the respective eligibility and interests; it subsequently draws up the trial protocol and provides the necessary guidance to the centres with regard to data processing – including retention and security mechanisms – along with instructions related to use of the IT systems deployed, which in some cases are made available to the individual centres. The sponsor verifies compliance by the centres with both the protocol and the respective internal procedures, via own collaborators; draws up the documents to be used for providing notice to the patients and obtaining their consent as also related to processing of their personal data; finally, the sponsor notifies the centres that it is no longer necessary for them to keep the trial-related documents.
Therefore, the sponsor does not collect any data directly nor may the sponsor interact with trial patients – both tasks being committed to the trial physicians. However, the sponsor does acquire the patients' data as collected by trial centres, on several grounds, and processes those data in different ways. Indeed, the sponsor evaluates the information contained in the original medical documents as well as in the patients' identification lists via own collaborators visiting the centres. Additionally, the sponsor receives the data entered by each centre in the case report forms and the reports of adverse reactions and events; it enters these data in the relevant database – whether directly or via external entities in charge of carrying out all and/or part of trial-related activities; and it verifies, validates and performs statistical analyses on the data in order to achieve the trial results.
On the other hand, it should be pointed out that the individual trial centre is not under the sponsor's control – i.e., it accepts the protocol and agrees on its contents with the sponsor, including the wording to be used for obtaining the patients' informed consent in line with the opinion rendered by the relevant ethics committee. The centre carries out the trial autonomously – albeit in compliance with the applicable protocol, the standard operational procedures, and the sponsor's guidelines; additionally, the centre avails itself of collaborators considered to be suitable in carrying out the trial and is responsible for their work. The centre provides the information notices to patients and obtains their consent as also related to processing of the data concerning them; it allows the sponsor's collaborators to access the patients' original medical documents to perform monitoring activities; and it handles and is responsible for the safekeeping of those documents.
Based on the information gathered also following the inspections performed so far, it appears that the responsibilities vested in the individual trial centres and sponsors are different as regards clinical trials – accordingly, they should be regarded as either separate data controllers or joint data controllers (under section 28 of the DP Code). To lawfully process trial-related data, the entities in question are therefore required to comply with the DP Code and the aforementioned general authorisation by the Garante – with particular regard to processing mechanisms and data quality requirements, notification obligations, appointment of the persons in charge of the processing and data processors, if any, and the need to ensure preservation and security of the information at issue (see sections 11, 29-31 et seq. of the DP Code; see authorisation no. 2/2008, in particular point 1.2 thereof). Furthermore, the fact that trial data are forwarded by the centres to the sponsors entails a veritable "communication" of the data along with their processing by third parties – which have to be detailed in the information notices provided to data subjects as well as in the consent forms, also in view of allowing exercise of access rights and all other rights mentioned in sections 7 and 8 of the DP Code (see sections 13, 23, 26 of the DP Code).
6. Other Entities Involved in Clinical Trials
The sponsor company may enter into an agreement with external entities (contract-based research organizations, clinical analysis labs, etc.) to entrust them with part or all of the tasks and functions it is responsible for in connection with the trial, whereby such tasks and functions will have to be specified in writing (Ministerial decree dated 15 July 1997, Annex 1/5A, point 5.2). In that case, the entities in question – which may be natural persons as well as companies, institutions and/or other bodies – may carry out activities in connection with the trial such as to entail (depending on the specific tasks) the processing of personal data related to the individual trial patients. This may be the case, for instance, if they are in charge of monitoring the trial; entering, validating and/or performing statistical analyses on the data; or carrying out pharmaceutical vigilance activities.
In all the situations mentioned above, it is necessary for the sponsor to clearly set out - in the outsourcing contracts and/or in other suitable instruments – what role is played by external collaborators in terms of processing personal data, given that such collaborators have been entrusted with performing, in whole or in part, activities related to the clinical trial (see sections 28-30 of the Code).
The entities in question usually work on the sponsor's behalf - indeed, in the sponsor's name in some cases – by complying with the sponsor's standard operational procedures or else with their own procedures, which will have been evaluated and endorsed by the sponsor, or in pursuance of specific guidelines issued in writing by the sponsor on a case-by-case basis. To that end, the sponsor often organises specific training sessions for collaborators and reserves the right, in some cases, to determine their eligibility. The said entities may only use the information and documents obtained from trial centres in view of discharging the respective tasks; having concluded their collaboration, they deliver all the information and documents in question, as a rule, to the sponsor company.
As regards monitoring, clinical trial sponsors may avail themselves not only of internal staff, but also of external collaborators. In both cases the so-called clinical study monitors are selected, appointed and trained on purpose by the sponsor, who determines scope and type of the monitoring. In discharging their tasks, they are also required to comply with the procedures developed by the sponsor and the specific instructions issued by the latter as well as being subject to the sponsor's supervision – indeed, they have to submit a written report after each visit at a trial centre and/or after each communication related to the trial (Ministerial decree dated 15 July 1997, Annex 1/5, point 5.18).
Hence, the relationship between sponsor companies and the external entities that are entrusted with part or all of the activities related to clinical trials (including clinical study monitors) can be construed as the relationship between the "data controller", on the one hand, and the "persons in charge of the processing" (which may only be natural persons), on the other hand; alternatively, it can be equated to the relationship between data controller and data processors (which may be either natural or legal persons), depending on the discretion left to the external entities in respect of data processing. It is therefore necessary for the data controller to formally appoint the entities in question pursuant to the provisions of the DP Code concerning data processors and/or persons in charge of the processing, and to issue the instructions they are required to abide by in processing trial-related data (see sections 29 and 30).
If the entities in question can access the patients' personal data for the purposes of the trial, acting in their capacity as collaborators of the sponsor companies, they must be mentioned (also as a category) in the information notices to be provided to data subjects. Where several data processors are appointed, at least one of them should be named explicitly along with the mechanisms to retrieve the updated list of data processors, also online (see section 13 of the DP Code).
Conversely, if the sponsor companies hold the view that the external entities in question may not be appointed as "persons in charge of the processing" or else "data processors" because they do not fulfil the relevant conditions as set forth in the DP Code, the information on trial patients obtained by the said collaborating entities would give rise to a communication of personal data that would only be lawful with the data subjects' specific, informed consent or else if any of the other lawfulness preconditions is fulfilled (see section 11(1) a. and sections 13, 23, and 26 of the DP Code).
Similar precautions should be adopted by trial centres if they commit part or all of the activities related to a clinical trial to external entities such as, for instance, medical analysis laboratories (see sections 13 and 29-30 of the Code; see also the Garante's authorisation on processing genetic data of 22 February 2007, doc no. 1389918, in particular points 4.3, 8 and 9 thereof).
In any case, sponsors should take special care in selecting the entities – whether acting as data processors or persons in charge of the processing – that are entrusted with some or all of the tasks related to clinical drug trials, pursuant to sections 29 and 30 of the DP Code – with particular regard to study monitoring. They should make sure that experience, skills and reliability of the said entities are such as to suitably ensure that they will comply in full with the instructions to be issued as well as with the confidentiality and privacy requirements set out in both data protection legislation and sector-related instruments. Study monitors should be subject to rules of conduct equivalent to professional secrecy requirements. The appointment procedures must be such as to envisage the attendance of specific training sessions to highlight the risks and responsibilities arising out of the processing of the information at issue; the instructions to be complied with in keeping and securing the data; the privacy and confidentiality obligations set out in the applicable legislation (section 3(1)c., and section 11(3) of legislative decree no. 211/2003; sections 11, 29-31 et seq. of legislative decree no. 196/2003); and the specific precautions to be taken in order to safeguard trial patients' identities, also vis-à-vis the sponsor (Ministerial decree dated 15 July 1997, Annex 1/1A, point 1.21, and Annex 1/2, point 2.11).
7. Information Provided to Patients
As a rule, the sponsor companies determine the information to be provided to trial patients and the procedures for obtaining their consent via the trial centres; this also applies to processing of the data concerning trial patients, in view of the assessment to be performed by the relevant ethics committees (see sections 6-8 and 11 of legislative decree no. 211/2003).
However, it is sometimes the case that sponsor companies request trial centres to inform the patients concerned that their data will be made available to the sponsor by the trial physician exclusively in anonymous format – as they mistakenly believe that data protection legislation does not apply to the information related to trial patients. By doing so, they actually prevent the patients concerned from fully comprehending what role is played ultimately by the sponsor company and all the other entities employed by and/or collaborating with the sponsor as for data processing operations.
Therefore, the information intended for trial patients is not in line with the DP Code (section 13) if worded as above; additionally, it does not allow the data subjects to signify their wishes in full recognition of the circumstance that the processing operations performed either by the sponsor or by the sponsor's collaborators (also abroad) concern information that, though encoded, can be traced back to the data subjects in question as described above.
Conversely, the information notices to be provided to data subjects via trial centres – which may also be worded concisely, on condition they are easily understandable – should refer specifically to the following:
a. the nature of the data processed by the sponsor and the fact that this data is transferred abroad;
b. the role actually played by the sponsor as for processing of the data and the purposes and mechanisms of such processing;
c. the entities (or categories) the data may be communicated to, or that may become apprised of the data in their capacity as either persons in charge of the processing or data processors;
d. the mechanisms to exercise access rights and all the other rights related to personal data with regard to the sponsor and all the other data recipients (sections 7 and 8 of the DP Code).
To facilitate the determination of the information items to be included, the attached model form (Annex 1) is proposed by the Italian DPA as a reference model to be used by sponsors, if they so deem, in order to fulfil information obligations via trial centres; this is in line with the simplification, harmonization, and effectiveness principles set forth in the Code in view of affording a high level of protection to data subjects' rights (section 2 of the Code). Where the trial envisages the processing of genetic data (e.g. in connection with pharmacogenetics and/or pharmacogenomics), the said information items must be supplemented by clear-cut specifications as to the use of genetic data and biological samples in pursuance of the Garante's authorisation mentioned above (see point 5 of the authorisation dated 22 February 2007, doc. no. 1389918; see also Ministerial decree dated 21 December 2007, Annex 14).
Additionally, trial centres are responsible for ensuring that the staff involved in clinical trials – including, in particular, the preliminary interviews aimed at obtaining the patients' informed consent – are adequately trained also in relevant data protection issues, so as to be capable of providing accurate, thorough explanations to data subjects concerning the main features of the processing in question. When selecting trial centres, sponsors should assess whether the centre staff are adequately skilled to manage the whole procedure, and should arrange for ad-hoc training activities whenever necessary. Training issues should also be taken into account by ethics committees in evaluating eligibility of trial physicians and their collaborators.
8. Consent to the Processing of Personal Data
The form trial centres are required to submit to data subjects in order to obtain their consent to the processing of their personal data is usually drawn up by the sponsor companies and then submitted for assessment to the relevant ethics committees (sections 6-8 and 11 of legislative decree no. 211/2003).
The wording used as a rule to convey the person's consent merely authorises the physicians to have the patients' original medical records examined by the sponsor's study monitors (or by external staff delegated by the latter), the members of the ethics committee(s), and the competent health care authorities in order to check on trial procedures and/or data accuracy (see Ministerial decree dated 15 July 1997, Annex 1/4B, point 4.8.10). Conversely, the wording in question does not enable data subjects to signify their wishes as to any further processing of their data that may be performed by the sponsor and/or the entities collaborating with the sponsor (also abroad) in connection with the trial.
The sponsor company and its collaborators may not lawfully use the trial patients' data unless they obtain the patients' specific consent beforehand, via trial centres, with regard to the data processing operations they intend to perform (see sections 23 and 26 of the DP Code). In order to facilitate compliance with this requirement by sponsors, Annex 1 also contains a reference wording to obtain the patients' consent; this is to be submitted to data subjects jointly with the model information notice via trial centres. Again, this is done pursuant to the simplification, harmonization, and effectiveness principles mentioned above.
Special attention should also be paid to the mechanisms deployed in obtaining data subjects' consent; this applies especially to individuals that, because of their being highly vulnerable, are liable to be coerced and/or influenced to such an extent as to hinder the free expression of their consent. Reference can be made here to patients with incurable diseases and/or in emergency situations; indigent individuals; inmates of nursing homes; or individuals belonging to "hierarchically structured" groups such as medical students, junior staff in a hospital and/or laboratory, employees of a pharmaceutical company, etc. As well as taking the specific precautions required by sector-specific legislation (Ministerial decree dated 15 July 1997, Annex 1/1B, point 1.61, and Annex 1/4B, point 4.8), one will have to implement procedures aimed at obtaining the data subjects' informed consent that are not limited to merely formal, one-to-one approaches – for instance, by providing for exchanges of views with the whole set and/or groups of trial patients, or else by involving (local) associations of the patients concerned.
9. Exercising the Rights Under Section 7 of the DP Code
Clinical trial participants may at any time exercise the rights set out in section 7 of the Code, including the right to access the data concerning them and obtain intelligible communication of such data as well as the right to have the data supplemented, updated and/or rectified. To do so, they may apply directly to the trial centre; alternatively, they may apply to the sponsor via the trial physician, who is aware of their identity and can establish the ID code allocated to the individual data subject by accessing the identification list.
The sponsor and/or the trial centre receiving the above applications – which may be lodged without any specific formalities being required – must provide data subjects with a thorough, prompt, and detailed reply, possibly by the agency of the respective data processors (where appointed) (see sections 7 to 10 and section 146 of the Code). In particular, data access requests must be complied with by extracting the relevant information from archives/databases and communicating that information to data subjects so as to make it easily understandable; if so requested, the information will have to be transferred on paper or electronic media, whereby only such grounds for refusal as are expressly set forth in the Code (section 8) may be invoked. Regarding medical, bio-medical, and epidemiological research, the rationale underlying the applicable legislation is that requests for supplementing, updating and/or rectifying the data may be complied with by taking note of the amendments requested by the given data subjects without modifying the data at issue – if the amendments are such as not to impact significantly on the results of the said research (section 110(2) of the Code; section 16(2) of the Code of practice applying to the processing of personal data for scientific and statistical purposes, which is attached to the Code as Annex A.4 – doc. No. 1038384).
Since enrolment is on a voluntary basis, trial patients may at any time terminate their participation without having to account for their decision (section 3(1)b. and c. of legislative decree no. 211/2003; Ministerial decree dated 15 July 1997, passim; Ministerial decree dated 21 December 2007, Annex 1, point 18.104.22.168.; section 7(4)a. of the DP Code). In that case, it will no longer be possible to collect further data concerning the data subjects in question, and such biological samples as may have been collected and kept in a manner allowing personal identification will have to be destroyed (point 6 of the authorisation dated 22 February 2007 on processing of genetic data, doc no. 1389918; see also Ministerial decree dated 21 December 2007, Annex 2, point 22.214.171.124). This is without prejudice to the possibility to use any data that has already been collected in order to achieve non-biased results of the given research (see paragraph 3.3 of Council of Europe's Recommendation R(83)10 of 23 September 1983 on the protection of personal data used for scientific research and statistics; see also paragraph 6.1 of Council of Europe's Recommendation no. R(97)18 of 30 September 1997 on the protection of personal data collected and processed for statistical purposes.)
10. Cross-Border Data Flows
The information and biological samples collected by trial physicians in a given country are often transferred to entities located in other countries, at times outside the EU, or else made available to several categories of entities established in such countries. This is often the case with the trials sponsored by entities belonging to multinational groups – since it may well be that the sponsor, the clinical study monitors, the analysis labs and the sponsor's external collaborators are located in third countries.
The information in question relating to the individual patients/data subjects may be lawfully transferred to non-EU countries affording no adequate protection of personal data, providing the relevant patients were informed beforehand and gave their specific consent in writing (section 43(1)a. of the DP Code) or else equivalent, adequate safeguards are implemented as for the data subjects' rights (section 44(1)b. of the DP Code). In particular, sufficient safeguards for the protection of data subjects' private life and rights are afforded by standard contractual clauses for the transfer of personal data to "data processors" established in third countries (see the Commission's decision dated 27 December 2001, no. 2002/16/EC, and the Garante's decision no. 3 dated 10 April 2002, document no. 1065361) as well as by the standard contractual clauses for the transfer of personal data by a "data controller" in the EU to another "data controller" established outside the EU (see the Commission's decision no. 2001/497/EC dated 15 June 2001, and the Garante's decision dated 10 October 2001, document no. 42156; additionally, see the Commission's decision no. 2004/915/EC dated 27 December 2004 and the Garante's authorisation dated 9 June 2005, document no. 1151949). In order to make use of the said clauses, it is necessary to first clarify and detail the roles played by the various entities involved in transfer and processing of the data pursuant to the standards described above – i.e., the data exporter must be the actual "data controller" whilst the data importer must be the actual "data processor" or else a separate "data controller". Additionally, the main processing operations the transferred data are intended for will have to be specified.
As regards transferring the data to organizations established in the USA, adequate safeguards for data subjects are afforded by the recipients' adhesion to the "Safe Harbor" principles relating to data privacy (see the Commission's decision no. 2000/520/EC dated 26 July 2000 and the Garante's authorisation dated 10 October 2001, document no. 30939).
11. Retention Period and Processing of the Data for Further Research-Related Purposes
The data and biological samples related to trial patients must be kept for no longer than is necessary to achieve the purposes for which the data and samples were collected and processed (see section 11(1)e. of the DP Code, and the Garante's authorisation to process genetic data dated 22 February 2007, document no. 1389918). In this regard, the provisions applicable to clinical trials require the key documents related to the trial (including the individual patients' medical records) to be kept by the sponsor and trial centres for at least seven years as from completion of the trial, or else for a definitely longer period in pursuance of the applicable legislation and/or the agreements made between sponsor companies and trial centres (see section 18 of legislative decree no. 200/2007; legislative decree no. 219/2006, annex 1, point 5.2, letter c.; Ministerial decree dated 15 July 1997, passim).
Generally speaking, the aforementioned section of the DP Code requires data to be kept by the external entities that collaborate with the sponsor in management and statistical analysis activities for no longer than is necessary to draw up the final trial report and/or publish the trial results.
Conversely, the possibility to set a longer retention period compared to the one provided for by the applicable legislation in respect of the data to be kept by the sponsor and/or trial centres may be taken into account by having also regard to the duration of the marketing authorisation for the given trial drug and/or to additional data analysis requirements – e.g. in connection with new marketing applications and/or authorisation extension applications, or else in the presence of significant findings related to the patients' safety.
Trial sponsors may lawfully use the data and biological samples related to individual data subjects in future studies and researches, also by availing themselves of the external collaborators they had employed for performing the trial, providing the patients were informed adequately thereof beforehand and gave their specific, separate consent in writing (see section 11(1)e. and sections 13, 23, 26 and 99 of the DP Code; see also the authorisation dated 22 February 2007, document no. 1389918).
12. Safekeeping of the Data
Further to the assessment, also of a technical nature, performed in connection with the inspections that were carried out at some sponsor companies and other entities participating in clinical trials, as well as in the light of the in-depth analysis performed jointly with the main organisations concerned within the framework of the public consultation, the appropriate arrangements and measures could be determined so as to safeguard data subjects in respect of the data processing operations performed for the purposes of such trials. The highly sensitive nature of the data processed in a trial mandates the adoption of specific technical measures to enhance data security (section 31 of the DP Code), without prejudice to such additional minimum measures as every data controller is required to take in pursuance of the DP Code (see section 33 et seq.). This is especially the case with the operations consisting in the electronic storage of trial patients' data at trial centres, the transfer of such data via IT networks to a centralised database held by the sponsor and/or any other entities that are in charge of validating and analysing the data on the sponsor's behalf, and the handling of the database in question.
As for the said processing operations, clinical trial sponsors, contract-based research organizations, and trial centres are required to take the following measures by having regard to the respective competences as resulting from both the different roles they play in data processing and the responsibilities that are accordingly vested in them for the adoption of security measures:
a. Where data storage and/or archiving systems are implemented, suitable arrangements will have to be made to protect the stored data against unauthorised access, theft or loss, in whole or in part, of storage media and/or portable/fixed processing systems (e.g. via the partial or total application of file-system or database encryption technology, or else by adopting other IT security measures to make the data unintelligible to unauthorised entities);
b. Secure communication protocols based on encryption standards will have to be adopted for the electronic transmission of the data collected by trial centres to the centralised database held by the sponsor and/or any other entities in charge of subsequently validating and performing statistical analyses on the data;
c. As regards specifically the database in question, the following measures will have to be taken:
- suitable authentication and authorisation systems for the persons in charge of the processing as a function of their respective roles and the specific access/processing requirements;
- procedures to ensure regular checks on quality and coherence of the authentication credentials and authorisation profiles allocated to the persons in charge of the processing;
- audit logging to monitor database accesses and detect abnormalities.
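The three database measures listed under point c (role-based authorisation, regular checks on authorisation profiles, audit logging with detection of abnormalities) can be sketched as follows. This is an added example, not part of the Guidelines; the role names, thresholds, table layout and all sample users and records are constructed assumptions.

```python
import sqlite3
from datetime import datetime

# Hypothetical roles and the operations each may perform (assumption).
ROLE_PERMISSIONS = {"data_manager": {"read", "write"},
                    "statistician": {"read"},
                    "monitor": {"read"}}
# Distinct subject codes a user actually read, used by the anomaly query.
SUBJECTS_READ = ("COUNT(DISTINCT CASE WHEN allowed = 1 AND action = 'read' "
                 "THEN subject_code END)")

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(name TEXT PRIMARY KEY, role TEXT, last_reviewed TEXT);
        CREATE TABLE records(subject_code TEXT, visit INTEGER, value TEXT);
        CREATE TABLE audit(ts TEXT, user TEXT, action TEXT,
                           subject_code TEXT, allowed INTEGER);
    """)
    return db

def authorise(db, user, action, subject_code, now):
    """Decide by role and log every attempt, whether allowed or denied."""
    row = db.execute("SELECT role FROM users WHERE name = ?", (user,)).fetchone()
    allowed = row is not None and action in ROLE_PERMISSIONS.get(row[0], set())
    db.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?)",
               (now.isoformat(), user, action, subject_code, int(allowed)))
    if not allowed:
        raise PermissionError(f"{user} may not {action} {subject_code}")

def read_records(db, user, subject_code, now):
    authorise(db, user, "read", subject_code, now)
    return db.execute("SELECT visit, value FROM records WHERE subject_code = ?",
                      (subject_code,)).fetchall()

def write_record(db, user, subject_code, visit, value, now):
    authorise(db, user, "write", subject_code, now)
    db.execute("INSERT INTO records VALUES (?, ?, ?)", (subject_code, visit, value))

def review_profiles(db, now, max_age_days=90):
    """Regular check: flag profiles with an unknown role or an overdue review."""
    findings = []
    rows = db.execute("SELECT name, role, last_reviewed FROM users ORDER BY name")
    for name, role, reviewed in rows:
        if role not in ROLE_PERMISSIONS:
            findings.append((name, "unknown role"))
        elif (now - datetime.fromisoformat(reviewed)).days > max_age_days:
            findings.append((name, "review overdue"))
    return findings

def audit_anomalies(db, max_denied=0, max_subjects_read=3):
    """Per user and day: any denied attempt, or reads across too many subjects."""
    return db.execute(f"""
        SELECT user, substr(ts, 1, 10), SUM(allowed = 0), {SUBJECTS_READ}
        FROM audit GROUP BY user, substr(ts, 1, 10)
        HAVING SUM(allowed = 0) > ? OR {SUBJECTS_READ} > ?
        ORDER BY user""", (max_denied, max_subjects_read)).fetchall()

def run_demo():
    now = datetime(2008, 7, 24, 10, 0)
    db = open_db()
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [  # constructed users
        ("alice", "data_manager", "2008-07-01"),
        ("bob", "statistician", "2008-01-05"),
        ("carol", "monitor", "2008-06-15"),
        ("dave", "intern", "2008-07-20")])
    for i in range(1, 6):                      # constructed encoded records
        write_record(db, "alice", f"S{i:03d}", 1, "constructed", now)
        read_records(db, "carol", f"S{i:03d}", now)
    read_records(db, "bob", "S001", now)
    denied = 0
    for user, action in [("bob", "write"), ("dave", "read"), ("mallory", "read")]:
        try:
            if action == "write":
                write_record(db, user, "S001", 2, "constructed", now)
            else:
                read_records(db, user, "S001", now)
        except PermissionError:
            denied += 1
    return review_profiles(db, now), audit_anomalies(db), denied

if __name__ == "__main__":
    print(run_demo())
```

Denied attempts are written to the audit table before the error is raised, so an account that never obtains data still appears in the anomaly report.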
Regarding multi-country clinical trials, the Garante reserves the right to take steps at Community and international level in order to foster stricter security standards for the processing of personal data in view of harmonising the data retention and security measures and/or arrangements to be adopted in this context.
13. Other Types of Clinical Trial
The "Guidelines" above are meant to safeguard data subjects and may be taken into account – from a general standpoint – as a unified reference framework to ensure that personal data are processed lawfully and fairly in other clinical trials as well; reference is made here to clinical trials on medical devices (see section 7 of decree no. 507/1992; section 14 of decree no. 46 dated 24 February 1997; Ministerial decree dated 2 August 2005) and the trials that are not sponsored by pharmaceutical companies and/or other private entities with a view to the industrial development of drugs – i.e. the so-called "not-for-profit" trials, see section 1 of decree no. 200/2007 and Ministerial decree dated 17 December 2004. In that case, it will be necessary to assess, in the first place, what role is played by the individual entities participating in the trial (sponsor, trial centre, co-ordination centre, contract-based research organisation, analysis lab, etc.) as for the data processing operations; this is a prerequisite to determine who the data controller(s) is/are and, accordingly, who is required to comply with the requirements set forth in the DP Code regarding notification; appointment of persons in charge of the processing and data processors, if any; obtaining informed consent to the processing of one's personal data; taking suitable measures to ensure safekeeping of the data; exercise of access and other rights in respect of the personal data. Additionally, it will be necessary to establish whether, according to the trial configuration, data flows are envisaged – including by way of making the data available to and/or allowing their consultation (e.g. for monitoring purposes) by external entities, which might be established outside the EU. In this manner it will be possible to determine the need for obtaining the data subjects' specific, informed consent and/or adopting equivalent, adequate safeguards (see section 11(1)a. and sections 13, 23, 26, 43 and 44 of the Code).
Additionally, it is appropriate to clarify a few issues in respect of other types of trial in which drugs are prescribed and administered in accordance with standard clinical practice to the patients accepting to be enrolled – i.e. the so-called "non-interventional" trials (see section 1 of decree no. 200/2007). These so-called "observational" trials – where they are not closely related to health care activities performed by medical doctors and/or health care bodies, or where they may not be regarded as comparable with the said activities in terms of customised effects on the individual data subjects (unlike clinical drug trials) – fall within the scope of application of the Code of practice concerning processing of personal data for scientific and statistical purposes (Annex A.4 to the DP Code, doc. No. 1038384). As well as being an obligation arising from professional ethics, compliance with the said Code of practice is a fundamental precondition for the processing at issue to be lawful and fair (see section 12(3) of the DP Code). Regarding the trials in question, medical/clinical information may be processed, in general, for the purposes of the given research exclusively in respect of the personal data related to the individuals/patients that have consented specifically thereto after receiving appropriate information on the processing (see sections 106, 107, and 110 of the DP Code; point 1.2.a. of authorisation no. 2/2008, above). This limitation applies regardless of whether it is envisaged that the information will be collected directly from data subjects or else from third parties.
If it is impossible to inform data subjects on account of specific, documented circumstances – of an ethical, methodological, and/or organisational nature – the data may be processed without the patients' consent providing the research programme was granted a reasoned favourable opinion by the competent ethics committee and authorised by the Italian DPA; the latter authorisation may also be granted via a general instrument applying to specific categories of data controller and/or processing (see section 110, final part, and section 40 of the DP Code). This may be the case, for instance, of certain retrospective studies in which it may reasonably be argued that getting in touch with the data subjects and providing them with adequate information is impossible on account of the time elapsed from collection of the relevant data, the size of the sample to be selected, and the criteria used to perform the sampling (e.g. if the study participants are affected by high mortality diseases).
The Italian DPA hereby reserves the right to issue more specific prohibitions and/or instructions as possibly resulting from the controls performed in respect of breaches committed by individual sponsors; furthermore, the Italian DPA reserves the right to amend these "Guidelines" by including provisions on actual data processing mechanisms also in the light of the implementing experiences as well as of such new technologies as may be developed.
Information Notice and Consent to Process Personal Data (1)
Data Controllers and Purposes
The Trial Centre [enter centre name] and Pharmaceutical Company [enter sponsor's name], which has commissioned the trial described to you, will process your personal data, in particular those concerning your health and, only where necessary to achieve the objective(s) of the trial, your lifestyle and sex life [etc.: add the items required depending on the specific trial], exclusively in order to implement the trial and for purposes of pharmaceutical vigilance. In doing so, they will not go beyond the respective competences and will comply with the requirements arising out of good clinical practice (legislative decree no. 211/2003).
To that end, the data specified above will be collected by the Trial Centre and forwarded to the Pharmaceutical Company and such third-parties (individuals and/or companies) as act on their behalf, including … [enter name of at least one of the third-party recipients of the data], which may also be established in non-EU countries that do not afford adequate data protection [include if it is expected that the data will be transferred outside the EU; please specify recipients] (2).
Processing the data relating to … [to be specified depending on the individual trial] is indispensable to carry out the trial; if you refuse to provide such data, you will not be able to take part in the trial [specify which data may be provided optionally, if any].
Nature of the Data
The physician who will take care of you in the trial will identify you by means of a code. The data concerning you that are collected in the course of the trial, except for your name, will be forwarded to the Pharmaceutical Company, stored, processed and kept jointly with the said code, your birth date, sex, weight, and height [all these variables to be specified depending on the individual trial]. Only the physician and authorised entities may link the code to your name.
The data will be processed both electronically and manually; they will only be disseminated in anonymous format, e.g. via scientific publications, statistics, scientific conferences, etc. Your participation in the trial entails that – in line with the legislation on clinical drug trials – the staff of the Pharmaceutical Company and/or the external companies that perform study monitoring activities on the Pharmaceutical Company's behalf, the Ethics Committee, and Italian and foreign health care authorities may become apprised of the data relating to you – including those contained in your original medical records – in such a manner as to ensure that your identity is kept confidential.
Exercise of Your Rights
You are entitled to exercise the rights mentioned in section 7 of the DP Code (e.g.: accessing, supplementing, updating, rectifying your personal data; objecting to the processing of your personal data on legitimate grounds; etc.) by applying directly to the Trial Centre [enter the name and address of an individual/office in charge]; alternatively, you may apply to the Pharmaceutical Company by the agency of the Trial Centre.
You may at any time terminate participation in the trial without having to provide any reason. In that case, the biological samples related to you will be destroyed. No additional information concerning you will be collected, without prejudice to the use of such data as may have already been collected in order to establish trial results without altering them.
By undersigning this form, I consent to the processing of my personal data as well as to the transfer of such data outside the EU [to be included if appropriate, by also specifying the recipients' names] for the purposes of the trial, in accordance with the terms and mechanisms specified in the information notice provided herewith.
The Data Subject (in block letters):
First and Last Name _____________________________
(1) To be submitted to data subjects jointly with the informed consent form, which describes the scientific features of the trial; it may also be incorporated in the said form.
(2) If the full list of third-party recipients, including those in non-EU countries, is not known at the time the information notice is drawn up, it will have to be specified how and when the full list is expected to be available.