8. Data management
8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest?
Primarily, the GDPR and the Italian Data Protection Code (DPC) (Legislative Decree no.101 of 10 Aug 2018) need to be adhered to.
According to ICH E6 (R2), the data recorded during the clinical trial should be credible, reliable, and verifiable. In addition, the data protection requirements according to the GDPR should be adhered to (see also Chapter 1, general considerations).
Utilizing multiple systems and parties adds complexity and requires adequate oversight and implementation of adequate measures by the sponsor. To this end, the sponsor should:
- Ensure that all parties involved in the clinical trial have an overview of the data flow; a data flow diagram with additional explanations in the protocol is highly recommended.
- Ensure that the data acquisition tools used are configured and validated in accordance with their intended use.
- Determine the type and scope of the trial participants’ personal data to be collected and ensure adequate protection in compliance with the GDPR of such personal data at any step of the process.
- Ensure that when source data captured by a data acquisition tool is transferred to another location and subsequently irreversibly deleted from the data acquisition tool, both the data and the metadata are transferred (see ICH E6 1.63 Certified Copy).
- Implement measures such as encryption to minimize the risk of unauthorized access when transferring data from a data acquisition tool to a server.
- Ensure access to trial data is controlled by defined user rights and methods of access for all relevant parties involved. Unauthorized access should be prevented using appropriate security measures (e.g. firewalls).
- Ensure that the investigator retains control of, and continuous and complete access to, both source data generated on-site or off-site and source data reported to the sponsor (e.g. central lab data).
The risk of erroneous data entry for data measured and entered directly by trial participants, especially on primary, key-secondary, or safety endpoints should be minimized by appropriate measures.
Further, Art 36 of the Act of March 2023 provides that:
“Art. 36
(1) The sponsor shall:
1) implement the obligations under Regulation 536/2014;
2) obtain in writing the consent of the principal investigator and the researcher for access to source documents.
(2) Where methods based on computer data storage systems are used to process data obtained in connection with a clinical trial, for scientific purposes to the extent necessary for the implementation of the clinical trial, the sponsor, before starting to process such data, shall be obliged to:
1) provide written instructions for the use of the electronic data storage system;
2) document that the electronic data storage system has been implemented after assessing the safety of its use and functionality;
3) provide access to the computerized data storage system and data changes in such a way that it is possible to verify retroactively the changes made to the data, by which is meant a way of maintaining the clinical trial documentation that allows tracing back the course of the trial and any related events and decisions made;
4) the identification of persons authorized to process personal data in the computer systems for storing data obtained in connection with the clinical trial.
(3) In the event that the collected data undergoes processing, the sponsor shall ensure that the processed data can be compared with the original data.
(4) The sponsor shall allow only persons with written authorization issued by the data controller to process personal data. Persons authorized to process personal data undertake in writing to keep the data confidential.”
8.2 What are the data locality rules within each jurisdiction?
- Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?
It will depend on the type of data and how the trial participant has been informed on how their personal data will be treated during the study.
With respect to any data, other than personal data, free movement of data within the European Union is permitted. Please see Article 4.1 of Regulation (EU) 2018/1807 on ‘A Framework For the Free Flow of Non-Personal Data In the European Union’ which states that “Data localization requirements shall be prohibited unless they are justified on grounds of public security in compliance with the principle of proportionality.”
If remote access to source data and documents is foreseen, additional measures with respect to the confidentiality of data access and security of the systems should be in place. Further guidance on this topic can be found within the EMA Q&A: Good Clinical Practice (GCP). Within the Q&A, Section D provides some responses regarding Records of Study Subject Data relating to Clinical trials.
National provisions on direct remote access by authorized personnel of the trial sponsor (i.e. monitor or auditor) to identifiable personal and health data may differ between Member States and should be considered.
The considerations given by the EMA GCP Inspector Working Group (GCP IWG) for cases where direct remote access to identifiable personal and health data is required in clinical trials are as follows:
Informed consent of the trial participant
For the trial participants to give informed consent to participate in a clinical trial, they should be fully informed about all aspects of the trial that may influence their decision to participate. This also applies to direct remote access to confidential health records. Therefore, it should be explained in the informed consent documentation that, in addition to the trial team (healthcare personnel), certain authorized personnel of the trial sponsor (i.e. monitor, auditor) as well as regulatory authorities (i.e. inspector) may require direct remote access to their confidential health documents.
Any information addressed to the trial participants should be concise, easily accessible, and easy to understand. Clear and plain language and, additionally where appropriate, visualisation should be used.
The participants' consent to participate in the clinical trial does not relieve the investigator or the sponsor of their responsibility to ensure compliance with the legal provisions on data protection.
The level of detail of information required when identifiable personal health data is accessed remotely may be determined by national regulations, if any.
Clinical trial protocol according to Regulation (EU) No. 536/2014
Remote access to confidential health documents should be considered together with the requirements of Regulation (EU) No. 536/2014, Annex 1 on the content of the protocol, in particular on what the protocol shall contain at least:
- a description of the arrangements to comply with the applicable rules on the protection of personal data; in particular organizational and technical arrangements that will be implemented to avoid unauthorized access, disclosure, dissemination, alteration, or loss of information and personal data processed;
- a description of measures that will be implemented to ensure confidentiality of records and personal data of trial participants;
- a description of measures that will be implemented in case of data security breach in order to mitigate the possible adverse effects.
Similar considerations are required for clinical trials under Directive 2001/20/EC.
Technical considerations
A data protection impact assessment is strongly recommended, prior to remotely accessing confidential health documents, in particular to identify and mitigate risks associated with remote access.
The sponsor should consult with their data protection officer (DPO) and with the Institution/investigator and, if applicable, their DPO, to establish whether (direct) remote access is feasible and manageable. The sponsor and the institution/investigator should confirm their agreement in writing.
Due to the design of different systems, a distinction is made in the following between direct remote access to and remote viewing of records. Remote viewing means providing access by other means, such as sharing a screen or filming a document in real time.
The following aspects (not an exhaustive list) should be taken into account when accessing or viewing health documents remotely.
At the place where access is granted, it should be ensured that:
- appropriate measures are in place to unambiguously authenticate the identity of the accessing party (i.e. 2-factor authentication or at least equal strength). Each access should remain attributable to a natural person;
- appropriate measures limit viewing or restrict access only to the documents necessary for the task;
- the access provided to original documents (e.g. health records, doctors’ letters) is read-only;
- facilities and resources are appropriate to support remote viewing or remote access to the extent necessary. Any additional burden to the trial site should be justifiable and remain proportionate;
- access to the documents remains traceable (e.g. log file);
- records are kept of which person was given remote access or allowed to view documents remotely and when. Remote access or opportunities to remotely view should only be granted for the duration needed to complete the task.
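One way the site-side conditions listed above could be enforced in software, shown as an added example that is not taken from the EMA guidance or from any real system. The class, field, and document names are hypothetical and the sample values are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    person: str           # a named natural person, never a shared account
    documents: frozenset  # only the documents needed for the task
    starts: datetime
    ends: datetime        # access expires when the task window closes


@dataclass
class RemoteAccessGate:
    grants: list = field(default_factory=list)
    log: list = field(default_factory=list)  # who was given access, and every attempt

    def grant(self, person, documents, starts, hours):
        """Record a time-limited, document-scoped grant for one person."""
        g = Grant(person, frozenset(documents), starts, starts + timedelta(hours=hours))
        self.grants.append(g)
        self._record(starts, person, "GRANT", ",".join(sorted(g.documents)), "ok")
        return g

    def request(self, now, person, mfa_verified, document, action):
        """Decide one access attempt; allowed and denied attempts are both logged."""
        outcome = self._decide(now, person, mfa_verified, document, action)
        self._record(now, person, action.upper(), document, outcome)
        return outcome == "ok"

    def _decide(self, now, person, mfa_verified, document, action):
        if not person or not mfa_verified:
            return "denied: identity not strongly authenticated"
        if action != "read":
            return "denied: original documents are read-only"
        active = [g for g in self.grants
                  if g.person == person and g.starts <= now < g.ends]
        if not active:
            return "denied: no grant in force"
        if not any(document in g.documents for g in active):
            return "denied: document outside task scope"
        return "ok"

    def _record(self, when, person, event, target, outcome):
        self.log.append((when.isoformat(), person or "<unidentified>",
                         event, target, outcome))


def demo():
    """Constructed scenario: one monitor, one document, a two-hour window."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    doc = "subject-0012/discharge-letter.pdf"  # constructed identifier
    gate = RemoteAccessGate()
    gate.grant("a.example", {doc}, t0, hours=2)
    later = t0 + timedelta(minutes=30)
    results = [
        gate.request(later, "a.example", True, doc, "read"),    # within scope
        gate.request(later, "a.example", False, doc, "read"),   # second factor missing
        gate.request(later, "a.example", True, doc, "write"),   # not read-only
        gate.request(later, "a.example", True, "subject-0013/notes.pdf", "read"),
        gate.request(t0 + timedelta(hours=3), "a.example", True, doc, "read"),  # expired
    ]
    return results, gate.log


if __name__ == "__main__":
    results, log = demo()
    for entry in log:
        print(entry)
```
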
During transmission, the following should be ensured:
- the integrity of the data is maintained;
- the communication tool offers sufficient resolution for the task considered;
- the confidentiality during transfer is maintained by adequate security functions, typically end-to-end encryption; the provider of the service for transfer or communication tool for viewing should not be capable of accessing the content of the communication;
- any intermediate storage is avoided and, if needed, is limited to the shortest possible duration; confidential information should not be accessible during intermediate storage;
- the responsible party for the security of transmission is identified by written agreement.
At the place where the access is made, it should be ensured that:
- no recording or documentation of confidential information is made; only data required by the protocol or legislation should be documented off-site;
- any automatically created temporary data files are securely deleted after each session;
- no unwarranted access or viewing may take place by another person or technical device;
- personnel are appropriately trained in the use of the system containing confidential data;
- a confidentiality obligation is imposed on personnel handling confidential data. If necessary, personnel should also make this commitment in a written agreement with the institution/investigator;
- records showing the time, duration, and content of the remote viewing or access are kept (e.g. monitor report).
- Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?
The Data Controller as well as the Data Processor.
- Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?
The EMA’s Guideline on Computerized Systems and Electronic Data in Clinical Trials contemplates cloud solutions and recognizes the risks associated with doing so, requiring careful contracting. Section 6.7 states the following:
“Irrespective whether a computerized system is installed at the premises of the sponsor, investigator, another party involved in the trial or whether it is made available by a service provider as a cloud solution, the requirements in this guideline are applicable. There are, however, specific points to be considered as described below.
Cloud solutions cover a wide variety of services related to the computerized systems used in clinical trials. These can range from Infrastructure as a Service (IaaS) over Platform as a Service (PaaS) to Software as a Service (SaaS). It is common for these services that they provide the responsible party on-demand availability of computerized system resources over the internet, without having the need or even the possibility to directly manage these services.
If a cloud solution is used, the responsible party should ensure that the service provider providing the cloud is qualified.
When using cloud computing, the responsible parties are at a certain risk, because many services are managed less visibly by the cloud provider.
Contractual obligations with the cloud solution provider should be detailed and explicit and refer to all ICH E6 relevant topics and to all relevant legal requirements (see Annex 1).
Data jurisdiction may be complex given the nature of cloud solutions and services being shared over several sites, countries, and continents; however, any uncertainties should be addressed and solved by contractual obligations prior to the use of a cloud solution.
If the responsible party chooses to perform their own validation of the computerized system, the cloud provider should make a test environment available that is identical to the production environment.”
- Does data need to be collected in the country? Do the servers need to be in the country?
Any collection of data during the conduct of the trials by the sponsor will be governed by the provisions of the GDPR (by virtue of Article 3 of the GDPR).
Assuming that the data does contain personal information, Chapter V of the GDPR (transfer of personal data to third countries or international organizations) provides for certain conditions under which data may be collected or stored (on servers or otherwise) outside of the European Union.
Data may be captured in the EU/EEA and then transferred to a third country where such transfers are in accordance with the EU’s data protection legislation. See Section 4.9 of the EMA’s Guideline on computerized systems and electronic data in clinical trials, which states that:
“[i]n accordance with EU data protection legislation, if personal data of trial participants from an EU Member State are processed (at rest or in transit) or transferred to a third country or international organization, such data transfer must comply with applicable Union data protection. In summary, this means that the transfer must be either carried out on the basis of an adequacy decision (Article 45 of GDPR, Article 47 of Regulation (EU) No 2018/1727 - EUDPR), otherwise the transfer must be subject to appropriate safeguards (as listed in Article 46 of GDPR or Article 48 of EUDPR) or the transfer may take place only if a derogation for specific situations apply (under Article 49 of GDPR or Article 50 of EUDPR)”.
For transfers to a third country outside of the EU/EEA, either the EU’s adequacy requirements must be met (such as for transfers to the UK, whose laws have been determined to offer an adequate level of protection) or the EU’s Standard Contractual Clauses must be entered into by the receiving/processing party.
On the 10th of July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the US that participate in the Data Privacy Framework.
The safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanisms used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.
- Are there data storage and transmission requirements (for data transfer out of the country)?
For any data transfer out of the country (Italy) but within the EU, provisions of Article 9 of the GDPR may apply.
With respect to data transfer outside of the EU region, the entire Chapter V (Articles 46 – 51) of the GDPR may be applicable.
- Are there any exceptions made for research to the local privacy regulations?
The processing of health data is required to comply with the GDPR and the Personal Data Protection Code requirements.
Health data, genetic and biometric data are considered as special categories of personal data and should not be processed. Nonetheless, there are some exceptions provided by the GDPR:
- where the data subject has given explicit consent to the processing of personal data for one or more specified purposes;
- where processing is necessary for reasons of public interest in the area of public health; and
- where processing is necessary for the purposes of preventive medicine, for the assessment of the working capacity of the employee, medical diagnosis, social care or treatment, or the management of health or social care systems and services.
Personal data should be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Consequences of breach of GDPR by applicant
The Italian Personal Data Protection Code (“the Code”) has been amended to implement the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Under the amended Code, a person or entity in breach of the Code may be subjected to the penalty of an administrative sanction and/or a criminal offense. A summary of the sanctions and crimes is as follows:
Administrative sanctions
Article 166 of the Code refers to the following administrative sanctions established by the GDPR, specifically:
- Article 83(4) of the GDPR for violations of specific provisions of the Code, e.g.:
  - Article 2-quinquies(2) on children's consent for information society services, namely in cases where the information notice does not meet the relevant requirements;
  - Article 123(4) on traffic data, namely in cases where the information notice given by providers of a public communication network or publicly available electronic communications service does not comply with the relevant GDPR provisions; and
  - Article 110(1), namely in cases of failing to carry out the DPIA in the context of medical, biomedical, and epidemiological research; and
- Article 83(5) of the GDPR, imposing administrative fines up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year if higher, for most serious violations of the Code, e.g.:
  - Article 2-ter on the legal basis for personal data processing pursuant to a public interest;
  - Article 2-quinquies(1) on children's consent for information society services, where the child's consent is not properly collected;
  - Article 2-septies(8) on safeguards for processing of biometric, genetic, and health-related data; or
  - Article 2-octies on the processing of judicial data.
Criminal offenses
New crimes included in the updated Code are:
- unlawful communication and dissemination of personal data where large-scale processing takes place with the aim of making a profit or causing damage in violation of specific provisions of the Code (Article 167-bis of the Code), for which the sanction is imprisonment from one to six years (but it may be lowered in case administrative sanctions also apply); and
- fraudulent acquisition of personal data where large-scale processing takes place with the aim of making a profit or causing damage (Article 167-ter of the Code), which is sanctioned with imprisonment from one to four years.
Changes have been made to existing criminal offenses:
- misrepresentation/false statements given to the Garante and intentional interruption of the Garante's exercise of powers (Article 168 of the Code), for example, the performance of proceedings or investigations;
- non-compliance with the Garante's decisions (Article 170 of the Code); and
- violation of provisions on employees' remote monitoring and the prohibition of opinion surveys, making reference to the sanctions established by the Workers' Statute, Law no. 300/1970.
- Who is allowed to view data (including the PI) and have access to Personal Identifiable Information (PII)?
The study team will have access to the study data as well as personal data.
Study participants must be informed (via the Informed Consent) who may have access to their personal data. This includes third-party vendors (such as a courier/pharmacy) when applicable.
8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)
Section 4.10 (and Annex 2) of the EMA’s Guideline on computerized systems and electronic data in clinical trials provides recommendations for the validation of systems.
“Computerized systems used within a clinical trial should be subject to processes that confirm that the specified requirements of a computerized system are consistently fulfilled and that the system is fit for purpose. Validation should ensure accuracy, reliability, and consistent intended performance, from the design until the decommissioning of the system or transition to a new system.
The processes used for the validation should be decided upon by the system owner (e.g. sponsors, investigators, technical facilities) and described, as applicable. System owners should ensure adequate oversight of validation activities (and associated records) performed by service providers to ensure suitable procedures are in place and that they are being adhered to.
Documentation (including information within computerized systems used as process tools for validation activities) should be maintained to demonstrate that the system is maintained in the validated state. Such documentation should be available for both the validation of the computerized system and for the validation of the trial-specific configuration or customization.
Validation of the trial-specific configuration or customization should ensure that the system is consistent with the requirements of the approved clinical trial protocol and that robust testing of functionality implementing such requirements is undertaken, for example, eligibility criteria questions in an eCRF, randomization strata, and dose calculations in an IRT system.”