8. Data Management

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest? 

In the USA, the “HIPAA Privacy Rule” established the conditions under which protected health information may be used or disclosed by covered entities for research purposes.

The Privacy Rule also defines the means by which individuals will be informed of uses and disclosures of their medical information for research purposes, and their rights to access information about them held by covered entities. Where research is concerned, the Privacy Rule protects the privacy of individually identifiable health information, while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research. 

Currently, most research involving human subjects operates under the Common Rule (45 CFR Part 46, Subpart A) and/or the Food and Drug Administration’s (FDA) human subject protection regulations (21 CFR Parts 50 and 56) which have some provisions that are similar to, but separate from, the Privacy Rule’s provisions for research. These human subject protection regulations, which apply to most Federally funded and to some privately funded research, include protections to help ensure the privacy of subjects and the confidentiality of information. The Privacy Rule builds upon these existing Federal protections. More importantly, the Privacy Rule creates equal standards of privacy protection for research governed by the existing Federal human subject regulations and research that is not. 

The USA - National Institutes of Health - provides a “HIPAA Privacy Rule Booklet for Research” (note that this page is currently being updated).

Although the FDA’s final guidance on “Digital Health Technologies for Remote Data Acquisition in Clinical Investigations” (Dec 2023) primarily addresses Digital Health Technologies (defined in the guidance as: “[d]igital health technology is a system that uses computing platforms, connectivity, software, and/or sensors, for healthcare and related uses…”), it provides some limited guidance on data management, including privacy and cyber-security risks, as follows: 

Cyber-security:

“Sponsors should consider cybersecurity threats that could potentially impact the functionality of the DHT, resulting in a clinical risk to participants (e.g. corrupting the output of a continuous glucose monitor).. Accordingly, sponsors should consider FDA information on cybersecurity to ensure that data can be securely stored and transmitted.”

Privacy-Related Risks: 

“Sponsors, investigators, and IRBs should be aware that unique privacy risks may arise when DHTs are used in a clinical investigation. The following should be considered, as applicable: 

• The risk of potential disclosure of personally identifiable information or participant locations via a breach of the DHT or associated data storage, such as a durable electronic data repository. 
• DHTs or other technologies may have end-user licensing agreements or terms of service that allow sharing of data with other parties, such as the manufacturer of a general purpose computing platform used by a DHT. See section IV.F.3 of this guidance for considerations related to informing potential trial participants about who will have access to their trial data if they decide to participate.
  •  To protect data privacy for trial participants, it may be appropriate for sponsors to proactively work with manufacturers to modify the end-user license agreement or terms of service for the purposes of the study, as applicable. 
• Sponsors should ensure that appropriate security safeguards are in place to secure data at rest and in transit to prevent access by intervening or malicious parties (e.g., cybersecurity threats).”

In July 2018, the FDA published the “Use of Electronic Health Record Data in Clinical Investigations”. The intent of this guidance is to assist sponsors, clinical investigators, contract research organizations, institutional review boards (IRBs), and other interested parties on the use of electronic health record data in FDA-regulated clinical investigations. This guidance provides clarification and expectations on data standards, structured and unstructured data, validation, data from multiple EHR systems, as well as best practices and eSource principles for EHRs.

8.2 What are the data locality rules within each jurisdiction?

The United States has various federal and state laws that cover different aspects of data privacy, like health data, financial information, or data collected from children.

• Privacy Act of 1974 governs how federal agencies collect and use data about individuals in its system of records. The act prohibits agencies from disclosing personal information without written consent from the individual, subject to limited exceptions including to the Census Bureau for statistical purposes. Individuals reserve the right to request their records, request a change to their records if they are inaccurate or incomplete, and to be protected against unwarranted invasion of their privacy.
• Health Insurance Portability and Accountability Act (HIPAA) (1996)  creates standards for how healthcare providers can use a patient’s personal health data. HIPAA regulations only apply to “covered entities” which encompasses providers (like doctors, nurses, psychologists, and dentists), a health plan (including healthcare insurance companies and government plans like Medicare), and healthcare clearinghouses, which process medical information. Under HIPAA guidelines, covered entities must comply with an individual’s right to see their health information, and correct their health information. Covered entities cannot use or share health information without the individual’s written consent.
• Children’s Online Privacy Protection Act (COPPA) 1998 whose primary goal is to place parents' control over what information is collected from their young children online. This rule applies to operations of commercial websites and online services (including mobile apps).
• California Privacy Rights Act (2023)- this law secures privacy rights for California consumers, including:
  • The right to know about the personal information a business collects about them and how it is used and shared.
  • The right to delete personal information collected from them (with some exceptions).
  • The right to opt-out of the sale or sharing of their personal information.
  • The right to non-discrimination for exercising their CCPA rights.
  • The right to correct inaccurate personal information that a business has about them.
  • The right to limit the use and disclosure of sensitive personal information collected about them.

• Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

It will depend on what type of data will be transmitted, whether the data contains personal information, and in which countries the data will be displayed.

The U.S. released on the 28^th Feb 2024 an Executive Order which will limit the transfer of sensitive personal data outside the US to “countries of concern”.  

• Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

Ultimately, it will be the sponsor and its delegated vendors.

• Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

No, not that we could determine, although the FDA has written (see its draft guidance entitled “Guidance Document - Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers” (March 2023)) that:

“There are various ways to retain electronic records, including in durable electronic storage devices and using cloud computing services. Sponsors, clinical investigators, and regulated entities must ensure the authenticity, integrity, and confidentiality of the data from the point of creation and also ensure that the meaning of the record is preserved. The relationship between records, source data, and all associated metadata should be preserved in a secure and traceable manner. FDA’s expectation is that sponsors, clinical investigators, and other regulated entities will ensure that records are maintained throughout the records’ retention period per applicable regulations and, as applicable, made available to FDA during an inspection. When electronic formats are the only formats used to create, preserve, and archive electronic records, sufficient backup and recovery procedures should be in place to protect against data loss. For example, records should be backed up regularly to prevent loss. Backup records should be stored in a secure electronic location independent from the original records as specified in an SOP. Backup and recovery logs should be maintained to facilitate an assessment of the nature and scope of data loss resulting from a system failure.”

“As part of an inspection, sponsors, clinical investigators, and other regulated entities may be requested to provide all records and data needed to reconstruct a clinical investigation, including associated metadata and audit trails. FDA may request copies of these records and data in a human-readable form. Screenshots or paper printouts of electronic records should include metadata and audit trail information recorded in the electronic system. When systems are decommissioned and cannot be recommissioned, sponsors should ensure that files containing the metadata are retained before decommissioning and can be linked to each corresponding data element.”

Further:

"Sponsors and other regulated entities can contract with vendors to provide IT services for a clinical investigation (e.g., data hosting, cloud computing software, platform and infrastructure services). Sponsors and other regulated entities are responsible for ensuring that electronic records meet applicable Part 11 regulatory requirements. […]”

• Does data need to be collected in the country? Do the servers need to be in the country?

No, not that we could determine.

• Are there data storage and transmission requirements (for data transfer out of the country)?

The U.S. generally does not restrict data transfers to other jurisdictions. However, recently on the 28^th of Feb 2024, the White House released an Executive Order which will limit the transfer of sensitive personal data outside the US to “countries of concern”.

• Are there any exceptions made for research to the local privacy regulations?

No, not that we could determine.

• Who is allowed to view data (including the PI) and have access to Personal Identifiable Information (PII)?

The participant should be informed (via informed consent) who will be having access to their data.

Section 5 - Confidentiality - of the FDA’s “Informed Consent”- Guidance for IRBs, Clinical Investigators, and Sponsors (Aug 2023) states the following:

“Confidentiality 

A statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained and that notes the possibility that the Food and Drug Administration may inspect the records. (21 CFR 50.25(a)(5)).

The consent process must describe the extent to which confidentiality of records identifying subjects will be maintained (21 CFR 50.25(a)(5)) and should identify all entities, for example, the study sponsor, the research team, regulatory agencies, and/or ethics committee members, who may gain access to the records relating to the clinical investigation. The consent process must also note the possibility that FDA may inspect records (21 CFR 50.25(a)(5)) and should not state or imply that FDA needs permission from the subject for access to the records. Under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, FDA does not need permission to inspect records containing protected health information (45 CFR 164.512). FDA may inspect study records to assess investigator compliance with the study protocol and the validity of the data reported by the sponsor.”

21 CFR 56.111 (a) (7) requires IRBs to determine, where appropriate, that there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of the data.

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

Section C - Verification, Validation, and Usability Evaluations of Digital Health Technologies - of the FDA’s guidance entitled “Digital Health Technologies for Remote Data Acquisition in Clinical Investigations” (Dec2023), uses the terms verification and validation to describe steps that help ensure that the DHT is fit-for-purpose for remote data collection in a clinical investigation. Verification and validation should be addressed regardless of whether the DHT meets the definition of a device under section 201(h) of the FD&C Act. For the purposes of this guidance, verification is confirmation by examination and provision of objective evidence that the parameter that the DHT measures (e.g., acceleration, temperature, pressure) is measured accurately and precisely.

Validation is confirmation by examination and provision of objective evidence that the selected DHT appropriately assesses the clinical event or characteristic in the proposed participant population (e.g., step count or heart rate). Verification is often viewed as part of the validation process since validation is highly dependent upon comprehensive testing and other verification tasks previously completed at each stage of the development life cycle. Verification and validation activities should consider all relevant functions of DHT in the context of use in the clinical investigation.