8. Data management

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest? 

The following data privacy regulations apply in Sweden:

8.2 What are the data locality rules within each jurisdiction?

  • Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

It will depend on the type of data and how the trial participant has been informed on how their personal data will be treated during the study.

With respect to any data, other than personal data, free movement of data within the European Union is permitted. Please see Article 4.1 of Regulation (EU) 2018/1807 on ‘A Framework For the Free Flow of Non-Personal Data In the European Union’ which states that “Data localization requirements shall be prohibited unless they are justified on grounds of public security in compliance with the principle of proportionality.”

If remote access to source data and documents is foreseen, additional measures with respect to the confidentiality of data access and security of the systems should be in place. Further guidance on this topic can be found within the EMA Q&A: Good Clinical Practice (GCP). Within the Q&A, Section D provides some responses regarding Records of Study Subject Data relating to Clinical trials. 

National provisions on direct remote access by authorized personnel of the trial sponsor (i.e. monitor or auditor) to identifiable personal and health data may differ between Member States and should be considered.

The considerations given by the EMA GCP Inspector Working Group (GCP IWG) when direct remote access to identifiable personal and health data is required in clinical trials are as follows:

Informed consent of the trial participant 

For the trial participants to give informed consent to participate in a clinical trial, they should be fully informed about all aspects of the trial that may influence their decision to participate. This also applies to direct remote access to confidential health records. Therefore, it should be explained in the informed consent documentation that, in addition to the trial team (healthcare personnel), certain authorized personnel of the trial sponsor (i.e. monitor, auditor) as well as regulatory authorities (i.e. inspector) may require direct remote access to their confidential health documents.

Any information addressed to the trial participants should be concise, easily accessible, and easy to understand. Clear and plain language and, additionally where appropriate, visualisation should be used. 

The participants' consent to participate in the clinical trial does not relieve the investigator or the sponsor of their responsibility to ensure compliance with the legal provisions on data protection.

The level of detail of information required when identifiable personal health data is accessed remotely may be determined by national regulations, if any.

Clinical trial protocol according to Regulation (EU) No. 536/2014

Remote access to confidential health documents should be considered together with the requirements of Regulation (EU) No. 536/2014, Annex 1 on the content of the protocol, in particular on what the protocol shall contain at least: 

  • a description of the arrangements to comply with the applicable rules on the protection of personal data; in particular organizational and technical arrangements that will be implemented to avoid unauthorized access, disclosure, dissemination, alteration, or loss of information and personal data processed; 
  • a description of measures that will be implemented to ensure the confidentiality of records and personal data of trial participants; 
  • a description of measures that will be implemented in case of a data security breach in order to mitigate the possible adverse effects.

Similar considerations are required for clinical trials under Directive 2001/20/EC.

Technical considerations 

A data protection impact assessment is strongly recommended, prior to remotely accessing confidential health documents, in particular to identify and mitigate risks associated with remote access.

The sponsor should consult with their data protection officer (DPO) and with the Institution/investigator and, if applicable, their DPO, to establish whether (direct) remote access is feasible and manageable. The sponsor and the institution/investigator should confirm their agreement in writing.

Due to the design of different systems, a distinction is made in the following between direct remote access to and remote viewing of records. Remote viewing means providing access by other means, such as sharing a screen or filming a document in real time.

The following aspects (not an exhaustive list) should be taken into account when accessing or viewing health documents remotely.

At the place where access is granted, it should be ensured that:

  • appropriate measures are in place to unambiguously authenticate the identity of the accessing party (i.e. 2-factor authentication or at least equal strength). Each access should remain attributable to a natural person;
  • appropriate measures limit viewing or restrict access only to the documents necessary for the task;
  • the access provided to original documents (e.g. health records, doctors’ letters) is read-only; 
  • facilities and resources are appropriate to support remote viewing or remote access to the extent necessary. Any additional burden to the trial site should be justifiable and remain proportionate; 
  • access to the documents remains traceable (e.g. log file);
  • records are kept of which person was given remote access or allowed to view documents remotely and when. Remote access or opportunities to remotely view should only be granted for the duration needed to complete the task.

During transmission, the following should be ensured:

  • the integrity of the data is maintained; 
  • the communication tool offers sufficient resolution for the task considered;
  • the confidentiality during transfer is maintained by adequate security functions, typically end-to-end encryption; the provider of the service for transfer or communication tool for viewing should not be capable of accessing the content of the communication;
  • any intermediate storage is avoided and, if needed, is limited to the shortest possible duration; confidential information should not be accessible during intermediate storage;
  • the responsible party for the security of transmission is identified by written agreement.

At the place where the access is made, it should be ensured that 

  • no recording or documentation of confidential information is made; only data required by the protocol or legislation should be documented off-site;
  • any automatically created temporary data files are securely deleted after each session;
  • no unwarranted access or viewing may take place by another person or technical device;
  • personnel is appropriately trained in the use of the system containing confidential data;
  • a confidentiality obligation is imposed on personnel handling confidential data. If necessary, personnel should also make this commitment in a written agreement with the institution/investigator;
  • records showing the time, duration, and content of the remote viewing or access are kept (e.g. monitor report).

  • Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

Data Controller as well as Data Processor.

  • Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

The EMA’s Guideline on Computerized Systems and Electronic Data in Clinical Trials contemplates cloud solutions and recognizes the risks associated with doing so, requiring careful contracting. Section 6.7 states the following:

“Irrespective whether a computerized system is installed at the premises of the sponsor, investigator, another party involved in the trial or whether it is made available by a service provider as a cloud solution, the requirements in this guideline are applicable. There are, however, specific points to be considered as described below.

Cloud solutions cover a wide variety of services related to the computerized systems used in clinical trials. These can range from Infrastructure as a Service (IaaS) over Platform as a Service (PaaS) to Software as a Service (SaaS). It is common for these services that they provide the responsible party on-demand availability of computerized system resources over the internet, without having the need or even the possibility to directly manage these services. 

If a cloud solution is used, the responsible party should ensure that the service provider providing the cloud is qualified. 

When using cloud computing, the responsible parties are at a certain risk, because many services are managed less visibly by the cloud provider. 

Contractual obligations with the cloud solution provider should be detailed and explicit and refer to all ICH E6 relevant topics and to all relevant legal requirements (see Annex 1). 

Data jurisdiction may be complex given the nature of cloud solutions and services being shared over several sites, countries, and continents; however, any uncertainties should be addressed and solved by contractual obligations prior to the use of a cloud solution. 

If the responsible party chooses to perform their own validation of the computerized system, the cloud provider should make a test environment available that is identical to the production environment.”

  • Does data need to be collected in the country? Do the servers need to be in the country?

Any collection of data during the conduct of the trials by the sponsor will be governed by the provisions of the GDPR (by virtue of Article 3 of the GDPR).  

Assuming that the data does contain personal information, Chapter V of the GDPR (transfer of personal data to third countries or international organizations) provides for certain conditions under which data may be collected or stored (on servers or otherwise) outside of the European Union.

Data may be captured in the EU/EEA and then transferred to a third country where such transfers are in accordance with the EU’s data protection legislation. See Section 4.9 of the EMA’s Guideline on computerized systems and electronic data in clinical trials, which states that:

“[i]n accordance with EU data protection legislation, if personal data of trial participants from an EU Member State are processed (at rest or in transit) or transferred to a third country or international organization, such data transfer must comply with applicable Union data protection. In summary, this means that the transfer must be either carried out on the basis of an adequacy decision (Article 45 of GDPR, Article 47 of Regulation (EU) No 2018/1727 - EUDPR), otherwise the transfer must be subject to appropriate safeguards (as listed in Article 46 of GDPR or Article 48 of EUDPR) or the transfer may take place only if a derogation for specific situations apply (under Article 49 of GDPR or Article 50 of EUDPR)”.

For transfers to a third country outside of the EU/EEA, either the EU’s adequacy requirements must be met (such as for transfers to the UK, whose laws have been determined to offer an adequate level of protection) or the EU’s Standard Contractual Clauses must be entered into by the receiving/processing party. 

On the 10th of July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the US that participate in the Data Privacy Framework.

The safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanisms used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.

  • Are there data storage and transmission requirements (for data transfer out of the country)?

For any data transfer out of the country (Sweden) but within the EU, provisions of Article 9 of the GDPR may apply. 

With respect to data transfer outside of the EU region, the entire Chapter V (Articles 46 – 51) of the GDPR may be applicable.

For transfers to a third country outside of the EU/EEA, either the EU’s adequacy requirements must be met (such as for transfers to the UK, whose laws have been determined to offer an adequate level of protection) or the EU’s Standard Contractual Clauses must be entered into by the receiving/processing party. 

On the 10th of July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the US that participate in the Data Privacy Framework.

The safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanism used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.

The Swedish Data Protection Agency (IMY) provides information on the cross-border processing of personal data, and provides additional “Guidelines on transfers to third countries”.

  • Are there any exceptions made for research to the local privacy regulations?

Chapter 3, Section 5 of the Act (2018:218) indicates the following: 

“Sensitive personal data may be processed on the basis of Article 9(2)(h) of the EU's General Data Protection Regulation if the processing is necessary for

  1. preventive health and medical care measures and occupational medicine;
  2. the assessment of a worker's capacity for work;
  3. medical diagnoses;
  4. provision of health care or treatment;
  5. social care; or
  6. management of health services, social care, and their systems.”

Processing in accordance with the first paragraph may take place provided that the requirement of confidentiality in Article 9(3) of the EU's General Data Protection Regulation is met.

However, it is required that the processing is subject to confidentiality.

Special categories of personal data may also be processed for archiving purposes, as required under provisions on archives, or other provisions issued by governmental authorities allowing data controllers to process special categories of personal data of public interest (Chapter 3, Section 6 of the Act (2018:218)). Special categories of personal data may also in some cases be processed for statistical purposes if the interest to do so clearly outweighs the risk of improper violation of privacy (Chapter 3, Section 7 of the Act (2018:218)).

The Swedish Data Protection Authority (IMY) has published information and guidance on the processing of personal data in research:

  1. Processing of personal data – for researchers (imy.se)
  2. Processing of personal data – for controllers (imy.se)

  • Who is allowed to view data (including the PI) and have access to Personally Identifiable Information (PII)?

In accordance with the Swedish Patient Data Act (2008:355), only staff who play an active role in the subject’s treatment have access to the relevant medical record. The person responsible for medical records at the respective clinics is responsible for ensuring that the monitor's access to medical records complies with relevant laws and internal procedures.

A secrecy agreement must be signed by those who have access to the patient's medical records and by the person responsible for them at the clinic, which often is the head of the clinic/institution at the clinical trial site.

The Ethical Review Authority provides an indication of what information should be included in the participant information and consent in relation to the processing of personal data according to GDPR:

“The information should describe what data will be collected and recorded about the people who will participate in the research.

If personal data is to be processed, they must also receive information about the processing of personal data in accordance with the GDPR. Among other things, data subjects have the right to know:

  • the purposes for which personal data will be processed;
  • the legal basis for the processing;
  • how long personal data will be stored;
  • who will receive personal data;
  • data subjects' rights under the General Data Protection Regulation (right of access, rectification, erasure, restriction, objection);
  • whether personal data will be transferred to a so-called third country (country outside the EU/EEA);
  • the possibility of submitting complaints to the Swedish Data Protection Authority (IMY);
  • that the data subject may withdraw his or her consent if it has been given;
  • the contact details of the controller and any data protection officer thereof.

This information is included in the agency's support template. Choose the templates that are relevant to your research.

Consent and Legal Basis

The agency's support template only addresses the research ethical requirements for information and consent to participate in research. The agency provides a support template for consent to participate in the research and also a support template for consent to save samples and biological material for future research.

There are no provisions in the support templates about consent to personal data processing, as consent rarely constitutes the legal basis for processing personal data in research.

All processing of personal data must have a legal basis under the GDPR in order to be permitted. The legal basis that can be applied needs to be assessed prior to each processing of personal data. Within a research project, several processing operations involving personal data may be relevant, and then there must be a legal basis for each processing operation.

Responsibility for personal data lies with the research principal, who is responsible for informing and instructing researchers and other employees on how the processing of personal data in research should and may be carried out. Therefore, consult experts at your research principal about how personal data that will be collected in your project will be processed and on what legal basis.”

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

Section 4.10 (and Annex 2) of the EMA’s Guideline on computerized systems and electronic data in clinical trials provides recommendations for the validation of systems.

“Computerized systems used within a clinical trial should be subject to processes that confirm that the specified requirements of a computerized system are consistently fulfilled and that the system is fit for purpose. Validation should ensure accuracy, reliability, and consistent intended performance, from the design until the decommissioning of the system or transition to a new system.

The processes used for the validation should be decided upon by the system owner (e.g. sponsors, investigators, technical facilities) and described, as applicable. System owners should ensure adequate oversight of validation activities (and associated records) performed by service providers to ensure suitable procedures are in place and that they are being adhered to. 

Documentation (including information within computerized systems used as process tools for validation activities) should be maintained to demonstrate that the system is maintained in the validated state. Such documentation should be available for both the validation of the computerized system and for the validation of the trial-specific configuration or customization. 

Validation of the trial-specific configuration or customization should ensure that the system is consistent with the requirements of the approved clinical trial protocol and that robust testing of functionality implementing such requirements is undertaken, for example, eligibility criteria questions in an eCRF, randomization strata, and dose calculations in an IRT system.”
