The Data Protection Authority recently adopted “Guidelines for the processing of personal data in clinical trials of drugs”, one of the first official documents in Europe focused on protecting the privacy of patients enrolled in clinical trials. The existing legal framework has thus been supplemented by the Authority’s Resolution no. 52 of July 24, 2008, which provides practical guidance in this field and clarifies the applicable provisions (in particular, the Ministerial Decree of July 15, 1997).
The Guidelines include a standard information form for patients that sponsors can adopt and investigators can submit to the patient; it covers all the elements needed to make the information complete and compliant with the law.
The Authority has also suggested wording that can be used to obtain the patient’s consent. Absent the patient’s consent, the data processing is unlawful.
Clinical trials of drugs involve a considerable flow of sensitive data between the various individuals and entities taking part in the trial operations, such as:
· the pharmaceutical companies, or sponsors, who act as “data controllers” pursuant to the Italian Privacy Code;
· the investigators and/or trial sites, in their capacity as “data processors” pursuant to the Italian Privacy Code;
· any other entity or individual cooperating with hospitals or trial sites, who are typically appointed as “persons in charge of the processing” pursuant to the Italian Privacy Code.
The Authority clarified that patients’ data, even when coded, can easily be linked back to the patients’ identity, so their processing cannot be regarded as anonymous.
The information to be provided to the patients concerned must specify: (a) the kinds of data processed and the circumstances under which such data are transmitted abroad; (b) the role actually played by the sponsor in the data processing, and its purposes and methods; (c) the parties to whom the data may be communicated or who may come to know them in their capacity as data processors or persons in charge of the processing; (d) how the patient may exercise the right of access and the other rights over personal data vis-à-vis the sponsor and any other individuals or entities receiving the data.
As to transfers to non-EU countries that do not guarantee an adequate level of protection of personal data, such a transfer is lawful only insofar as: (i) the patient has given specific written consent to the transfer, or (ii) equivalent and adequate safeguards have been adopted (for example, contractual clauses that precisely define the roles played in the data transfer and processing and specify the types of processing).
Lastly, the Guidelines recommend adopting specific technical security measures that raise the level of security of the processed data and protect them from the risk of unauthorized access (e.g., cryptographic technologies).