8. Data Management

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest? 

The Office of the Privacy Commissioner of Canada provides advice and information for individuals about protecting personal information and enforces the two federal privacy laws that set out the rules for how federal government institutions and certain businesses must handle personal information, including health data. The Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c.5) covers the personal information-handling practices of federal government departments and agencies in Canada, and the Privacy Act (R.S.C., 1985, P-21) regulates private businesses’ data protection practices.

In addition, some provinces and territories have laws that deal specifically with protection of personal health information. A list of provincial and territorial privacy laws and webpages is available at Provincial and Territorial Privacy Laws and Oversight.

Both federal and provincial privacy acts require consent for the use of personal data, including health data, except under prescribed conditions, such as for research or during emergencies. 

Additionally, in Sept 2005, the Canadian Institutes of Health Research (CIHR) issued “Best Practices for Protecting Privacy in Health Research”. Those include:

1. Determining the research objectives and justifying the data needed to fulfil these objectives
2. Limiting the collection of personal data
3. Determining if consent from individuals is required
4. Managing and documenting consent
5. Informing prospective research participants about the research
6. Recruiting prospective research participants
7. Safeguarding personal data
8. Controlling access and disclosure of personal data
9. Setting reasonable limits and retention of personal data
10. Ensuring accountability and transparency in the management of personal data

It is important to highlight that treatment of how the participant’s data will be handled needs to be clearly indicated within the ICF. REBs tend to provide ICF templates with recommended content and considerations. For example:

If data is being transferred out of Canada, include the following information:

• The participant information that will be sent outside of Canada.
• A description of the coding of the data, if different from the coding described elsewhere in the consent form.
• To whom the information will be sent (e.g. individuals, organizations, regulatory agencies).
• Where the information will be sent (e.g. USA, UK, Australia).

When using websites and/or third-party applications:

If your study is collecting participant email addresses or other personally identifiable information, this needs to be disclosed. For example, if the participant is required to log in to a study website to create an account, clarify whether the website will be tracking the participant’s IP address, and ensure this is explicitly stated in the consent form.

The access to, or collection of, third party personal information without consent, and from a location outside of Canada, can be a concern. When using applications that have an option to access third party data (for example, Fitbit), please confirm whether the access to third party data by Fitbit can be disabled or turned off.

Participants should also be made aware of the privacy policies for the application or website in question. If data will be retained indefinitely by these organizations, or the study sponsor, this must be clearly outlined in the consent form.

8.2 What are the data locality rules within each jurisdiction?

As described in Sections 5.5 and 8.1, Canadian data rules are determined by a combination of federal and provincial laws and regulations, which vary according to the nature of the subject (e.g. private or legal) and the province/territory.

A list of provincial and territorial privacy laws and webpages is available at Provincial and Territorial Privacy Laws and Oversight.

• Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

This will depend on the type of data and how the trial participant has been informed on how their personal data will be treated during the study.

• Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

This responsibility will be under the Sponsor. For more information, please refer to the “Guidelines for processing personal data across borders” available on the Office of the Privacy Commissioner of Canada's website.

• Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

The Office of the Privacy Commissioner in Canada indicates the following:

The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing, even when the cloud provider is in another country. Under PIPEDA, organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices.

PIPEDA also requires that when an organization transfers personal information to a third party for processing, it remains accountable for that information. It must use contractual or other means to ensure that the personal information transferred to the third-party is appropriately protected. Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remain protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA. For more information on transferring of personal information to third parties, please see our Guidelines for Processing Personal Data Across Borders .

• Does data need to be collected in the country? Do the servers need to be in the country? 

No, PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing.

However, under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement. The OPC can investigate complaints and audit the personal information handling practices of organizations.

The key is Principle 1 of the CSA Model Code for the Protection of Personal Information, which forms Schedule 1 of PIPEDA. Principle 1 addresses the balance between the protection of personal information of individuals and the business necessity of transferring personal information for various reasons, including the availability of service providers, efficiency, and economy.

Principle 1 places responsibility on an organization for protecting personal information under its control. Principle 4.1.3 of Schedule 1 of PIPEDA specifically recognizes that personal information may be transferred to third parties for processing. It also requires organizations to use contractual or other means to "provide a comparable level of protection while the information is being processed by the third party."

Principle 1 states:

"An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party."

For more information, please refer to the “Guidelines for processing personal data across borders” available on the Office of the Privacy Commissioner of Canada's website.

• Are there data storage and transmission requirements (for data transfer out of the country)?

Yes, please refer to the section above. 

• Are there any exceptions made for research to the local privacy regulations?

Yes. Section 8.1 above details this information.

• Who is allowed to view data (including the PI) and have access to Personal Identifiable Information (PII)?

The sponsor may view data and have access to PII. Where remote data monitoring is a feature of a DCT, the ICF should inform the participant that their medical records and study information will be reviewed remotely by the sponsor while maintaining participant’s privacy and confidentiality.

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

The sponsor must implement and maintain quality control systems that will govern the conduct of CTs, provide medical expertise through qualified medical personnel, and design and manage the CT to keep proper records.

Electronic Data Processing System

In accordance with ICH-GCPs, when using electronic trial data handling processing systems, the sponsor must ensure and document that the electronic data processing system conforms to the sponsor’s established requirements for completeness, accuracy, reliability, and consistency of intended performance. To validate such systems, the sponsor should use a risk assessment approach that takes into consideration the system’s intended use and potential to affect human subject protection and the reliability of trial results.

In addition, the sponsor must maintain SOPs that cover system setup, installation, and use. The SOPs should describe:

• System validation and functionality testing
• Data collection and handling
• System maintenance
• System security measures
• Change control
• Data backup
• Recovery
• Contingency planning
• Decommissioning

With respect to the use of these computerized systems, the responsibilities of the sponsor, investigator, and other parties should be clear, and the users should receive relevant training.

If electronic records are generated during a clinical trial, then the electronic system must be validated to confirm that the system’s specifications meet the goals and requirements for the clinical trial. This evidence of validation should be kept for the required record retention period and available for inspection by Health Canada inspectors.