8. Data Management
8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest?
Applicable data privacy legislation in the UK is as follows:
8.2 What are the data locality rules within each jurisdiction?
- Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?
In order to transfer personal data to receivers located outside the UK, a risk assessment must be conducted, as required by Article 46 of the Data Protection Act 2018, and appropriate safeguards put in place in order to comply with the requirements of a restricted transfer.
- Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?
From the research conducted, this scenario does not appear to be directly addressed by the relevant regulations. It may be assumed that UK data laws apply to a participant who is domiciled (i.e. has a permanent residence) in the UK.
- Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?
The HRA and MHRA, in consultation with the ICO (Information Commissioner’s Office), have issued guidance regarding “Access to Electronic Health Records by Sponsor Representatives in clinical trials”. The provisions in relation to the use of Internet Document Sharing Portals to share trial participant source documents are as follows:
“Where the portal is provided by the sponsor (or delegate), there must be redaction by the investigator/institution of any data that may directly or indirectly identify the participant. To protect the privacy of the trial participant only the participant's trial identification number must be used. These records should be deleted after the Monitor (or Auditor) has completed the review. The details of who will perform the deletion and when, should be prearranged between the sponsor and the investigator (for example, the deletion could be after all data queries for the participant have been resolved and the case report form locked or when an audit, if conducted, has completed).
For portals provided by the investigator site/institution, unredacted scanned or electronic source documents may be uploaded. The investigator/institution should consider the applicable requirements for direct Log-in Access to the EHR system set out below when using such a portal.
The provision of source documents via Upload Access should be risk-based and proportional focusing on the review and/or verification of critical data to ensure the reliability of results and the protection of the trial participants.
The process for the provision of the documentation should not put an excessive and unreasonable time burden on the investigator site/institution personnel or excessive and additional costs on the investigator site/institution that have not been agreed beforehand. There should be an acceptance that in some cases, the investigator/institution may not be able to support Upload Access, particularly when on-site direct access is available. The sponsor should also accept that on-site visit limitations may be necessary by the investigator site/institution due to resource requirements where the sponsor requests extensive on-site visits to compensate for any previous restriction of remote access to the medical/health records that prevented complete SDV/SDR using the full EHR.”
The storage limitation principle of the Data Protection Act must be observed, which limits the retention of personal data.
A principle of "The Plan" is to conduct research enabled by data and digital tools, “to ensure the UK has the most advanced and data-enabled clinical research environment in the world, which capitalizes on our unique data assets to improve the health and care of patients across the UK and beyond”. As this regulatory aspect of clinical research is being developed, the use of the Cloud in DCTs will be approved by the MHRA during the application process, if permitted.
There is a requirement for “Relevant Digital Service Providers” (RDSPs) to register with the ICO. RDSPs are digital service providers that are not considered a small or micro business and have either a head office in the UK or a nominated UK representative for the purpose of NIS (Network and Information Systems).
- Does data need to be collected in the country? Do the servers need to be in the country?
The ICO guidance on the “Use of Cloud Computing” indicates the following:
- “The computing resources managed by a cloud provider may be located outside the UK. A large cloud provider may have a number of data centres, each of which could be located in a different country. This distributed architecture can improve reliability of the cloud service but also means that it can be difficult to know where data is being processed.
- The DPA requires that personal data “shall not be transferred to any country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
- Cloud customers should ask a potential cloud provider for a list of countries where data is likely to be processed and for information relating to the safeguards in place there. The cloud provider should be able to explain when data will be transferred to these locations. In the case of layered cloud services, information relating to the location of each sub-processor involved in the processing of the data should also be available from the cloud provider, with details of the security arrangements in place.
- The ICO has already prepared detailed guidance on how to determine the adequacy of protection in relation to international transfers of data”.
- Are there data storage and transmission requirements (for data transfer out of the country)?
In order to transfer personal data to receivers located outside the UK, a risk assessment must be conducted, as required by Article 46 of the Data Protection Act 2018, and appropriate safeguards must be put in place in order to comply with the requirements of a restricted transfer.
- Are there any exceptions made for research to the local privacy regulations?
Yes. The Health Service (Control of Patient Information) Regulations 2002 permit the processing of confidential patient information for medical purposes subject to certain conditions.
In February 2022, the ICO launched a public consultation on the draft detailed guidance on the research provisions in the UK GDPR and the DPA 2018.
- Who is allowed to view data (including the PI) and have access to Personally Identifiable Information (PII)?
Section 7(2) of The Health Service (Control of Patient Information) Regulations 2002 restricts access to confidential patient information to “a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional”.
However, the HRA and MHRA, in consultation with the ICO, have issued guidance regarding “Access to Electronic Health Records by Sponsor Representatives in clinical trials”. The provisions in relation to remote direct access to Electronic Health Records by Sponsor Monitors (or Auditors) in clinical trials are as follows:
“ICH GCP requires, and GCP principles expect, direct access to trial participant medical/health records for the sponsor’s representatives, who are Monitors and Auditors, employed by the sponsor or delegated/contracted third party. Remote direct access to the medical/health records of clinical trial participants allows source data review (SDR) and source data verification (SDV) to occur without the Monitor (or Auditor) having to visit the investigator site/institution.
Remote direct access to the health records of clinical trial participants may be undertaken by the Monitor (or Auditor) logging into the EHR system (‘Log-in Access’) remotely rather than onsite or via video calls, where investigator site/institution personnel use screen sharing of EHR systems (‘Guided Access’) or to display original paper records. Log-in Access requires far less investigator site/institution personnel involvement during the review so it is preferable and should be fully considered and discounted prior to using Guided Access.”
8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)
The HRA and MHRA, in consultation with the ICO, have issued guidance regarding “Access to Electronic Health Records by Sponsor Representatives in Clinical Trials”. The provisions in relation to EHR System Functionality and System Security are applicable.
The MHRA “Guidance on GxP Data Integrity” provides guidance on the data integrity expectations. Section 6.19, “Validation”, provides the following:
“Computerized systems should comply with regulatory requirements and associated guidance. These should be validated for their intended purpose which requires an understanding of the computerized system’s function within a process. For this reason, the acceptance of vendor-supplied validation data in isolation of system configuration and user’s intended use is not acceptable. In isolation from the intended process or end-user IT infrastructure, vendor testing is likely to be limited to functional verification only and may not fulfill the requirements for performance qualification.
Functional verification demonstrates that the required information is consistently and completely presented. Validation for intended purpose ensures that the steps for generating the custom report accurately reflect those described in the data checking SOP and that the report output is consistent with the procedural steps for performing the subsequent review.”