8. Data Management
8.1 What data privacy and/or technology regulations need to be complied with in order to run a trial in the countries of interest?
The Office of the Privacy Commissioner of Canada provides advice and information for individuals about protecting personal information and enforces the two federal privacy laws that set out the rules for how federal government institutions and certain businesses must handle personal information, including health data. The Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c.5) covers the personal information-handling practices of federal government departments and agencies in Canada, and the Privacy Act (R.S.C., 1985, P-21) regulates private businesses’ data protection practices. In addition, some provinces and territories have laws that deal specifically with the protection of personal health information. A list of provincial and territorial privacy laws and webpages is available at Provincial and Territorial Privacy Laws and Oversight.
Both federal and provincial privacy acts require consent for the use of personal data, including health data, except under prescribed conditions, such as for research or during emergencies.
8.2 What are the data locality rules within each jurisdiction?
As described in sections 5.5 and 8.1, Canadian data rules are determined by a combination of federal and provincial laws and regulations, which vary according to the nature of the subject (e.g. private or legal) and the province/territory.
- Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?
As described in sections 5.5 and 8.1, Canadian data rules are determined by a combination of federal and provincial laws and regulations, which vary according to the nature of the subject (e.g. private or legal) and the province/territory.
- Who is responsible for complying with international regulations if a participant travels between geographies (e.g., for vacation)? Does the CRO have to honor the destination country’s rules?
As described in sections 5.5 and 8.1, Canadian data rules are determined by a combination of federal and provincial laws and regulations, which vary according to the nature of the subject (e.g. private or legal) and the province/territory.
- Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?
The Government of Canada has published a 2023 update to its Cloud Adoption Strategy. An extract from the strategy document states the following: “While the government is still in the early stages of its adoption of cloud, it continues to make improvements to policies and tools to support organizations with secure cloud adoption, processes, and best practices.” From the research conducted, no specific regulations regarding the use of the Cloud for data transfer in DCTs could be established. It may be assumed that the use of the Cloud for data routing and the need for secure transfers, as elements of a DCT, will need to be approved by HC/REB/IEC on a case-by-case basis.
As described in sections 5.5 and 8.1, Canadian data rules are determined by a combination of federal and provincial laws and regulations, which vary according to the nature of the subject (e.g. private or legal) and the province/territory.
- Does data need to be collected in the country? Do the servers need to be in the country?
As described in sections 5.5 and 8.1, Canadian data rules are determined by a combination of federal and provincial laws and regulations, which vary according to the nature of the subject (e.g. private or legal) and the province/territory.
- Are there data storage and transmission requirements (data transfer out of the country)?
As described in sections 5.5 and 8.1, Canadian data rules are determined by a combination of federal and provincial laws and regulations, which vary according to the nature of the subject (e.g. private or legal) and the province/territory.
- Are there any exceptions made for research to the local privacy regulation?
Yes. Please refer to section 8.1 above.
- Who is allowed to view data (including the PI) and have access to Personally Identifiable Information (PII)?
The sponsor may view data and have access to PII. Where remote data monitoring is a feature of a DCT, the ICF should inform the participant that their medical records and study information will be reviewed remotely by the sponsor while maintaining the participant’s privacy and confidentiality.
8.3 Detail the appropriate level of verification and validation of the CRO system (i.e. a software platform that runs clinical trials but is not considered a clinical device)
The sponsor must implement and maintain quality control systems that will govern the conduct of CTs, provide medical expertise through qualified medical personnel, and design and manage the CT to keep proper records.
Electronic Data Processing System
In accordance with ICH-GCPs, when using electronic trial data handling and processing systems, the sponsor must ensure and document that the electronic data processing system conforms to the sponsor’s established requirements for completeness, accuracy, reliability, and consistency of intended performance. To validate such systems, the sponsor should use a risk assessment approach that takes into consideration the system’s intended use and potential to affect human subject protection and the reliability of trial results.
In addition, the sponsor must maintain SOPs that cover system setup, installation, and use. The SOPs should describe:
- System validation and functionality testing
- Data collection and handling
- System maintenance
- System security measures
- Change control
- Data backup
- Recovery
- Contingency planning
- Decommissioning
With respect to the use of these computerized systems, the responsibilities of the sponsor, investigator, and other parties should be clear, and the users should receive relevant training.
If electronic records are generated during a clinical trial, then the electronic system must be validated to confirm that the system’s specifications meet the goals and requirements for the clinical trial. This evidence of validation should be kept for the required record retention period and available for inspection by Health Canada inspectors.