How Does GDPR (General Data Protection Regulation) Affect Ethical as an Endpoint Adjudication Data Management Software Provider? How Does Ethical Fulfil Its Role and Comply with the GDPR Rules and Obligations?
INTRODUCTION
New technologies are offering a wealth of opportunities to collect, use and share health data more efficiently, but they also pose new challenges for privacy and data security. On the 25th of May, 2018, the EU regulation known as GDPR came into effect, replacing Directive 95/46/EC on “the protection of individuals with regard to the processing of personal data and on the free movement of such data”. The new Regulation is a binding legislative act, which applies in its entirety across the EU. It is directly applicable and enforceable by law by each Member State.
HOW ARE WE AFFECTED?
Clinical studies are governed by stringent regulations that apply on a global scale (ICH E6 GCP), and clinical research professionals, whether in the Sponsor’s area or in the service or technical providers, are familiar with the need to protect and respect the confidentiality of patients’ data. Tools and processes (SOP, WI) are set to comply with GCP and thus cover a large part of the GDPR requirements. However, GDPR is adding a set of rules and obligations that may require additional actions from actors in clinical research.
OBLIGATIONS FOR ETHICAL AS ENDPOINT ADJUDICATION SOFTWARE PROVIDER
Ethical GmbH may process personal data in two distinct situations: when reaching out to customers and when participating in clinical trials. In this article we focus on the second instance. However, Ethical has taken all the appropriate measures to comply with GDPR in all circumstances.
According to the GDPR definition, in the framework of a clinical trial, Ethical is a “Processor”. Some of the responsibilities and obligations defined for a processor by GDPR are also detailed in ICH E6 GCP and required by Clinical Research authorities. Ethical fulfils these in the framework of GCP compliance.
However, in the context of endpoint adjudication, a cloud-based software platform such as eAdjudication collects and processes a variety of patient data. In addition, unlike Electronic Data Capture (EDC) platforms that collect data from health facilities and transmit it only to the study sponsor, e-adjudication platforms need to provide access to a variety of actors such as the adjudication committee members, translators, CRO etc. Therefore, Ethical has reviewed all responsibilities and obligations in the GDPR regulation that are not covered by present clinical trial regulations and has acted to comply with these as well.
HOW ETHICAL FULFILS ITS ROLE AND COMPLIES WITH GDPR
Ethical GmbH is committed to ensuring the security and protection of the personal information that we process and to providing a compliant and consistent approach to data protection.
- Implement appropriate technical and organizational measures
Ethical ensures that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information. Where Ethical GmbH stores or transfers personal information outside of the EU, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. Our procedures include a continuous review of the countries with sufficient adequacy decisions, as well as provisions for binding corporate rules, standard data protection clauses or approved codes of conduct.
- Maintain records of processing activities
Ethical reviews all processing activities to identify the legal basis for processing and ensure that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
- Notify a personal data breach
Ethical commits to identifying, assessing, investigating and reporting to the sponsor any personal data breach at the earliest possible time and in all cases within 72 hours of becoming aware of such breach. Ethical commits to:
  - describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  - communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  - describe the likely consequences of the personal data breach;
  - describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Set up a processor contract compliant with GDPR requirements
All Ethical contracts have been reviewed and are adjusted to comply with GDPR by the addition of a specific addendum that includes all the clauses of GDPR.
- Delete or return data to sponsor at the end of contract
The commitment to delete or return all data is part of the standard contract for Ethical. In addition, we have updated our retention policy and schedule to ensure that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place and carefully monitor when this and other data subjects’ rights apply, along with any exemptions, response timeframes and notification responsibilities.