8. Data management

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest? 

In Switzerland, the processing of personal and health-related data is subject to the Federal Data Protection Act (FDPA). The relevant regulations are defined in Switzerland:

*Note that, currently, the HRA ordinances are being revised and are expected to be finalized by the 4th quarter of 2024.

8.2 What are the data locality rules within each jurisdiction?

  • Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

Transferring sensitive data within Switzerland and/or abroad is only permitted if the research project’s participants have been informed and have given their consent. In general, data may not be transferred outside the EEA unless it is transferred to a country or territory that provides an adequate level of protection for personal data. However, exceptions can be made if participants have been informed and have given their consent. 

Arts. 16 and 17 of the Federal Data Protection Act set forth:

Art. 16 - Principles

1 Personal data may be disclosed abroad if the Federal Council has decided that the legislation of the State concerned or the international body guarantees an adequate level of protection.

2 In the absence of a decision by the Federal Council under paragraph 1, personal data may be disclosed abroad only if an adequate level of data protection is guaranteed by:

  a. treaty under international law;
  b. data protection clauses in an agreement between the controller or the processor and its contractual partner, notice of which has been given to the FDPIC beforehand;
  c. specific guarantees drawn up by the competent federal body, notice of which has been given to the FDPIC beforehand;
  d. standard data protection clauses that the FDPIC has approved, issued, or recognized beforehand; or
  e. binding corporate rules that have been approved in advance by the FDPIC or by the authority responsible for data protection in a State that guarantees an adequate level of protection.

3 The Federal Council may provide for other suitable guarantees in line with paragraph 2.

Art. 17 - Exceptions

1 In derogation from Article 16 paragraphs 1 and 2, personal data may be disclosed abroad in the following cases:

  a. The data subject has explicitly consented to disclosure.
  b. Disclosure is directly connected with the conclusion or performance of a contract:
    1. between the controller and the data subject; or
    2. between the controller and its contractual partner in the interests of the data subject.
  c. Disclosure is necessary in order to:
    1. safeguard an overriding public interest; or
    2. establish, exercise, or enforce legal rights before a court or another competent foreign authority.
  d. Disclosure is necessary to protect the life or the physical integrity of the data subject or a third party, and it is not possible to obtain the consent of the data subject within a reasonable time.
  e. The data subject has made the data generally accessible and has not explicitly prohibited processing.
  f. The data originate from a statutory register that is public or accessible to persons with a legitimate interest, provided the statutory requirements for access are met in the case concerned.

2 The controller or the processor shall inform the FDPIC on request about the disclosure of personal data under paragraph 1 letters b number 2, c and d.

The Federal Data Protection and Information Commissioner has issued a “Guide to checking the admissibility of direct and indirect data transfers to foreign countries” which provides more information on the permissibility of transfers of personal data.

  • Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

Both the Data Controller and the Data Processor are responsible.

  • Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

According to the Federal Data Protection and Information Commissioner, “[if] data is stored in a cloud, this is in principle a specific form of outsourced processing which must meet the relevant requirements. Further information on this is in our Information on data processing in a cloud”.

  • Does data need to be collected in the country? Do the servers need to be in the country?

No.

  • Are there data storage and transmission requirements (for data transfer out of the country)?

Yes – Data may be disclosed abroad if the legislation of the destination country guarantees an appropriate level of protection (Art. 16 para. 1 FADP). The Federal Council decides which countries meet this requirement and publishes a list in the annex to the Ordinance to the Federal Act on Data Protection (Annex 1 DPO). The Ordinance also says what criteria the Federal Council uses in its assessment (Art. 8 DPO). If an appropriate level of protection is guaranteed, personal data can be freely transmitted from Switzerland to a country on the list, both by private companies and by federal bodies. 

Source: Cross-border transfer of personal data

  • Are there any exceptions made for research to the local privacy regulations?

No, not that we have been able to determine.

  • Who is allowed to view data (including the PI) and have access to Personally Identifiable Information (PII)?

The study team will have access to the study data as well as personal data.

Study participants must be informed (via the Informed Consent) who will have access to their data. This includes third-party vendors (such as a courier/pharmacy) when applicable.

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

Section 2.4 of the Swiss position paper on DCTs covers “Data capture outside the trial site using mobile technologies” and indicates the following:

“Where the intention is to use mobile technologies to record data outside the trial site, it must be ensured that the trial subjects have been informed and agreed (consented) to data being recorded by the device (e.g. wearables) or entered by the trial subjects, e.g. electronic patient-reported outcome (ePRO). This information is included in the written study informed consent form, i.e. a separate specific informed consent form is not required. The trial subjects must also be trained in the correct use of the mobile technologies. If source data are recorded directly in the CRF, this must be identified as such in the protocol. If data are recorded automatically, e.g. by wearables, it should be ensured that only trial-specific data are recorded by the mobile technology being used. The data which are considered to be source data must be stated in writing before the clinical trial begins, e.g. if data are only stored for a short time on the mobile technology.

The mobile technologies must be demonstrably validated and comply with the relevant standards for accuracy, precision, reproducibility, reliability, and responsiveness (sensitivity to technological changes over time, ICH GCP E6 (R2) 5.5.3). Furthermore, the equivalence of the mobile technology used across various data-collection platforms or methods must be ensured. It must be possible to trace data entry and data changes by means of an audit trail. If the data generated this way are source data, the sponsor must ensure that they are documented in compliance with the legislation and that the statutory archiving obligation is observed. Continued access to this documentation must be guaranteed (ICH GCP E6 (R2) 8.1 Addendum). 

The sponsor must define measures in order to ensure that the recorded data actually originate from the trial subjects or were generated by the trial subjects (and not, for example, by a third person). Here it must be ensured that the sponsor has no access to personal or identifiable information relating to the trial subjects.

To ensure the protection of personal data from unauthorised or accidental disclosure, the sponsor must protect these data from any form of intervention from outside, whether accidental or intentional. This protection applies to all personal, identifiable information, to all personal health-related data, and to devices and mobile technologies used to collect, store, or transmit data. Compliance with the Swiss Data Protection Act must be guaranteed.”
