Is the US no longer a safe harbor?
Opinions are polarised over the actions taken by US NSA whistleblower/criminal Edward Snowden. Should he be hailed as a hero or branded a traitor? But how do his revelations affect the data security so necessary for clinical trials? Is the concept of “Safe Harbor” dead in the water? Do the actions of Government agencies put US clinical trials outside the GCP guidelines set by the FDA and ICH?
For readers who have not been following the news, Edward Snowden is an ex-NSA (US National Security Agency) IT security specialist who revealed the presence and extent of at least three US surveillance programmes. The most relevant here is called “Prism” and is designed to monitor what non-US citizens are saying (written and audio) on platforms such as Facebook, Gmail, Hotmail, and Skype.
The details of Prism remain sketchy at best, but should what little we know concern those running clinical trials containing personal and sensitive data?
Data security is arguably the bedrock of all clinical trials. Let’s begin by making sure we understand the terms “personal data” and “sensitive personal data”.
In a nutshell, “personal data” is anything that can be used to identify an individual – name, address, email, phone number etc. Data is considered to be “sensitive” where its misuse could actually harm the individual in question – passport number, religious beliefs, sexuality etc.
Sensitive data also includes medical history, physical and mental health, plus any genetic profile – in other words, precisely the information needed when recruiting patients for clinical studies.
The EU’s 1988 Data Protection Act contains several over-arching principles to protect the security of personal and sensitive data. The last two are particularly relevant here:
• Principle 7 = Personal information must be secure
• Principle 8 = Personal information must not be transferred to other countries without adequate protection
Under principle 7, data processors must implement “adequate” physical and technological safeguards to prevent data being used for purposes for which the owner has not given consent. They must also obey certain rules governing fair use, such as ensuring data is updated and is only held for as long as it is required.
The US is actually not included in the EU’s list of countries to which data can automatically be safely transferred. However, the US operates a voluntary data protection framework, called “Safe Harbor,” that does meet EU requirements.
The rules governing Safe Harbor were actually agreed between Washington and Brussels, and include an annual self-certification, which must be submitted to the US Department of Commerce. Interestingly, the scheme does not apply to the telecoms sector.
The US has no single data protection law comparable to the EU's Data Protection Directive. Instead, it relies on a combination of legislation, Federal regulation, and self-regulation.
US privacy legislation tends to be adopted on an ad hoc basis, with legislation being produced when certain sectors and circumstances demand it. Therefore, while certain sectors may already satisfy the EU rules, at least in part, most do not.
Doctor-Patient confidentiality…
The right of patients to have their medical data protected is enshrined in doctor-patient relationships throughout the world. In many cases, it is also protected by law.
The US has laws governing the privacy of sensitive health data via - the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
HIPAA bestows the right to privacy to individuals from age 12 to 18. The provider must have a signed disclosure from the affected before giving out any information.
HITECH is intended to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, partly through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Of course the relationship between a trial participant and the staff running the trial is miles away from that between a patient and their general practitioner. This is one of the reasons that informed consent is so vital. Without a full, accurate and verifiable flow of data, trials become meaningless.
So where does this all leave sponsors wishing to transfer data to US companies or carry out clinical trials there?
The FDA already has strict rules on the publication and retention of data relating to efficacy etc. but what about personal data directly relating to participants?
The FDA and ICH guidelines both require that investigators prepare and maintain adequate and accurate case histories that record all observations and other data pertinent to the investigation on each participant (whether or not they were given the IMP being tested).
The FDA requires retention of trials documentation for 2 years – following the date a marketing application is approved for the drug and indication in question or after the investigation is discontinued and FDA notified (if no MA is being sought).
The purpose of the Case Record Form (CRF) is to transmit source data such as that held in hospital reports, X-rays, clinical notes, patient questionnaires etc. to the sponsor. The sponsor has responsibility for designing the CRF, the investigator completes it and the sponsor’s monitor (CRA) must verify that the information is complete, accurate and supported by source documents. By its very nature, the CRF is full of sensitive data and so systems must be in place to ensure its security.
The Study Site File should contain either certified copies of the source documents or contain information on where the originals are kept. All source documents should be clearly marked so that they refer to subjects in a trial, which trial the subjects are in and that the documents are to be kept.
ICH puts trial management and data handling firmly under the remit of the sponsor. From the sponsor’s perspective, staff contracted to supervise the conduct of the trial, handle or verify data, conduct analyses or prepare reports should be suitably qualified.
Of course, there are exceptions to pretty much every rule – data security being no exception. Data can be transferred to countries outside the “protected” list if the owner gives permission. Even European privacy directives contain explicit exemptions for many governmental organizations, including the EU itself, national security, taxation, and policing. Defenders of Prism would clearly categorise its results as in the interests of national security.
Clearly there is nothing preventing files such as CRFs being encrypted, and in fact this is advisable under current GCP guidelines. However, whether or not such encryption would be adequate to protect the sensitive data they contain is unknown to those without intimate knowledge of Prism.
We should certainly not forget that Prism’s aim is to protect national security, not to spy on clinical trials. However, it is already hard to attract participants for many trials – anything that could affect trust in the system is a concern.
We appreciate your interest in this blog and would really like to know your views. Is this entry bang on the nail or widely off topic? Do you have any concerns over data security? Please leave any of your questions or comments below. We’ll review and comment regularly.
Blog Author: Dr. G.C. Practice
Whitehall Training provides online training courses developed to meet the learning needs of both the clinical and pharmaceutical sectors. Clients range from clinical research doctors and nurses to international Pharma companies and CROs.
Students develop their skills and earn CPD points with industry-recognised compliance training. Trainers and administrators save time by assigning and managing licences with our easy-to-use admin system.
To date we have trained over 21,000 students across 40 plus countries.
