OR WAIT null SECS
Patient consent is potentially tricky for pharma R&D to navigate as a result of new data protection rules in Europe.
Despite Europe now being over a year on from implementation of the General Data Protection Regulation (GDPR), it remains a tough pill to swallow. Not only because the GDPR is a volatile formula hard to stabilize at the best of times, but also because of its, as yet, untested implications for R&D.
It is hard to undersell the importance of R&D and yet excruciatingly simple to justify. It is the future of pharma and without it, there will be no new drugs, no new treatments, and no new devices-it is innovation. If the United Kingdom is to be the “world’s most innovative economy” and ensure the UK Life Sciences Strategy is a successful roadmap to the country being at the forefront of R&D, we will need to get the details right.
Getting the details right is not just about taking samples, patient data, and collating basic research. It is also about wider collaboration and pursuing innovation through the UK’s network of world-renowned research facilities, educational institutions, and leading industry champions. But where does one start when implementing GDPR in R&D? Why with the patient, of course, and a little thing called ‘consent’.
Consent can be a tricky and somewhat risky business these days, not just for the pharmaceutical sector, but for organizations across the board in all European Union Member States. Is the consent freely given, informed, and specific? Or is this needed at all? Not only this, but what kind of consent are you looking for? Informed consent or explicit consent? Do you know your GDPR from your Clinical Trial Regulation (CTR)?
By way of example, let us take a clinical trial-the interplay between the CTR and the GDPR regarding the issue of consent has been particularly newsworthy lately due to the European Commission Directorate-General for Health and Food Safety Q&A paper (1) and associated opinion by the European Data Protection Board (2). These latest publications make an important and clear distinction between informed consent under the CTR and explicit consent under the GDPR, with the lesson being to not get your forms of consent mixed up.
Warning: ‘Informed consent’ under the CTR is not the same as ‘explicit consent’ under the GDPR as a legal ground for the processing of personal data. The core difference being that consent under the CTR derives from the Helsinki Declaration (3) and the ethical basis under which patients are to be treated in research projects with respect to human health and dignity. The GDPR being slightly more business-like regarding the simple and fundamental protection of individuals with regards to the processing of their personal data.
However, even with the option of explicit consent, it is highly unlikely that the processing of personal data in a clinical trial setting will satisfy this obligation. The reason being that in order to satisfy this requirement, the consent must be “freely given.” How can the consent be freely given, however, if by saying no the patient would be deprived of potentially lifesaving treatment through participation in the trial? It is therefore more likely that a sponsor will rely on another legal ground for processing under the GDPR-no more explicit consent needed here, but herein lies the problem. The CTR wants clinicians to ensure each patient provides informed consent, but it is easy to confuse this with explicit consent under the GDPR. This is especially confusing when many researchers have been comfortable using the term informed consent for the processing of patient personal data for many years now under the old data protection regime.
So, what if we manage to satisfy the grounds for informed consent in the research environment, and even manage to find some lawful grounds for processing under the GDPR-how far does this “consent” go? The bottom line is that you will probably end up with one and not the other-informed consent under the CTR and a different legal ground for processing under the GDPR; for example, where necessary for the performance of a task carried out in the public interest under Article 6(1)(e) GDPR or necessary for the purposes of a legitimate interest under Article 6(1)(f) GDPR (depending on the specific circumstances). But do not think you are clear yet, because as the data is likely to be a special category of data relating to the health of the data subjects, a further obligation is needed regarding satisfying Article 9 of the GDPR. The most common basis being for reasons of public interest in the area of public health (Article 9[i]), or scientific purposes (Article 9[j]), but reliance on these categories would need careful consideration on a case-by-case basis.
But this is not where the story ends. The first round of research is completed and the dual aspects of consent (or not, as the case may now be) established, but what next?
The scientific community is built on publication, collaboration, and the ‘bigger picture’ of sharing resources-the most valuable resource now being, in the main, research data sets. However, while informed consent under the CTR may include scope for research that has been completed being used elsewhere, the GDPR is not so kind. Once the research is completed, it is a grey area as to whether these data sets (unless completely anonymized, which often then significantly devalues the data within them) can be used by other research institutions. The biggest question of all, and often the most important in terms of financing the R&D cycle, is whether the data can be used commercially.
Research data set usage is a fundamental and serious issue for the sector. If we cannot commercialize, we are in danger of losing out on a vast wealth of possibly life-changing products that could derive from such a treasure of data. The UK’s health secretary, Matt Hancock, recently made public his views on the important balance we must strive to establish between ensuring R&D is free to flex and bend using the wealth of research data coming into the sector (4), but within the constraints of protection for those to which the data relates. It is this balance that is going to be the struggle of our time and one of the biggest challenges which the pharmaceutical and life-sciences sector is about to face.
What will happen when we have the ability to screen patients at risk of developing certain cancers, diagnose them early, and possibly put them on a clinical pathway to save their life before it was even at risk, but may not be able to because of data protection rules? We will soon see, because that day is here. So, plan ahead, seek guidance and get advice early to avoid confusion and constraint later when it comes to consent, compromise, and commercialization.
1. EC, “Question and Answers on the Interplay Between the Clinical Trials Regulation and the General Data Protection Regulation,”ec.europa.eu, Q&A paper, 10 April 2019.
2. EDPB, “Opinion 3/2019 Concerning the Questions and Answers on the Interplay Between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR),” edpb.europa.eu, Article 70.1.b, 23 Jan. 2019.
3. WMA, “WMA Declaration of Helsinki-Ethical Principles for Medical Research Involving Human Subjects,” wma.net, Current Policy, 9 July 2018.
4. Matt Hancock, “We Must Tackle the Serious Ethical Challenges of DNA Analysis Speech,” matt-hancock.com, Speech Transcript, 22 March 2019.
About the author