8. Data Management

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest?

Primarily, the GDPR needs to be adhered to.  

Article 93 of the EU CTR 536/2014 reads as follows:

“1. Member States shall apply Directive 95/46/EC to the processing of personal data carried out in the Member States pursuant to this Regulation.

2. Regulation (EC) No 45/2001 shall apply to the processing of personal data carried out by the Commission and the Agency pursuant to this Regulation.”

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) is currently developing guidelines on the processing of personal data for research purposes, which will include statements on research with health data and address the question of the legal basis and the rights of the data subjects.

8.2 What are the data locality rules within each jurisdiction?

  • Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

With respect to any data other than personal data, free movement of data within the European Union is permitted. Please see Article 4.1 of Regulation (EU) 2018/1807 on ‘A Framework For the Free Flow of Non-Personal Data In the European Union’, which states that “Data localisation requirements shall be prohibited, unless they are justified on grounds of public security in compliance with the principle of proportionality.”

  • Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

The Data Controller as well as the Data Processor.

  • Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

The EMA’s Guideline on Computerized Systems and Electronic Data in Clinical Trials contemplates cloud solutions and recognizes the risks associated with doing so, requiring careful contracting. Section 6.7 states the following:

“Irrespective whether a computerized system is installed at the premises of the sponsor, investigator, another party involved in the trial or whether it is made available by a service provider as a cloud solution, the requirements in this guideline are applicable. There are, however, specific points to be considered as described below.

Cloud solutions cover a wide variety of services related to the computerized systems used in clinical trials. These can range from Infrastructure as a Service (IaaS) over Platform as a Service (PaaS) to Software as a Service (SaaS). It is common for these services that they provide the responsible party on-demand availability of computerized system resources over the internet, without having the need or even the possibility to directly manage these services. 

If a cloud solution is used, the responsible party should ensure that the service provider providing the cloud is qualified. 

When using cloud computing, the responsible parties are at a certain risk, because many services are managed less visibly by the cloud provider. 

Contractual obligations with the cloud solution provider should be detailed and explicit and refer to all ICH E6 relevant topics and to all relevant legal requirements (see Annex 1). 

Data jurisdiction may be complex given the nature of cloud solutions and services being shared over several sites, countries, and continents; however, any uncertainties should be addressed and solved by contractual obligations prior to the use of a cloud solution. 

If the responsible party chooses to perform their own validation of the computerized system, the cloud provider should make a test environment available that is identical to the production environment.”

  • Does data need to be collected in the country? Do the servers need to be in the country? 

Any collection of data during the conduct of the trials by the sponsor will be governed by the provisions of the GDPR (by virtue of Article 3 of the GDPR).  

Assuming that the data does contain personal information, Chapter V of the GDPR (transfer of personal data to third countries or international organizations) provides for certain conditions under which data may be collected or stored (on servers or otherwise) outside of the European Union.  

  • Are there data storage and transmission requirements (for data transfer out of the country)?

For any data transfer out of the country (Germany) but within the EU, provisions of Article 9 of the GDPR may apply. 

With respect to data transfer outside of the EU region, the entire Chapter V (Articles 46 – 51) of the GDPR may be applicable. 

  • Are there any exceptions made for research to the local privacy regulations?

Not yet; the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) is currently developing guidelines on the processing of personal data for research purposes, which will include statements on research with health data and address the question of the legal basis and the rights of the data subjects.

  • Who is allowed to view data (including the PI) and have access to Personal Identifiable Information (PII)?

The study team will have access to the study data as well as personal data.

Study participants must be informed (via the Informed Consent) who will have access to their data. This includes third-party vendors (such as a courier/pharmacy) when applicable.

Section 42a (Data Protection) of the German Medicinal Products Act states the following:

“Personal data shall be pseudonymized by the investigator using the data subject's identification code prior to their transmission in accordance with Article 41(2) and (4) of Regulation (EU) No 536/2014 or by the sponsor in accordance with Article 42 or Article 53(1) of Regulation (EU) No 536/2014.”

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

Section 4.10 (and Annex 2) of the EMA’s Guideline on computerized systems and electronic data in clinical trials provides recommendations for the validation of systems.

“Computerized systems used within a clinical trial should be subject to processes that confirm that the specified requirements of a computerized system are consistently fulfilled and that the system is fit for purpose. Validation should ensure accuracy, reliability, and consistent intended performance, from the design until the decommissioning of the system or transition to a new system.

The processes used for the validation should be decided upon by the system owner (e.g. sponsors, investigators, technical facilities) and described, as applicable. System owners should ensure adequate oversight of validation activities (and associated records) performed by service providers to ensure suitable procedures are in place and that they are being adhered to. 

Documentation (including information within computerized systems used as process tools for validation activities) should be maintained to demonstrate that the system is maintained in the validated state. Such documentation should be available for both the validation of the computerized system and for the validation of the trial-specific configuration or customization. 

Validation of the trial-specific configuration or customization should ensure that the system is consistent with the requirements of the approved clinical trial protocol and that robust testing of functionality implementing such requirements is undertaken, for example, eligibility criteria questions in an eCRF, randomization strata, and dose calculations in an IRT system.”

The BfArM has published new test criteria for the data protection requirements for digital health applications (DiGA) and digital care applications (DiPA). These criteria will form the basis for new certificates with which manufacturers of health and care applications can prove that their applications comply with data protection regulations. These include both the requirements of the European General Data Protection Regulation and the extended requirements for DiGA and DiPA.
