The Legal Office of the Spanish Data Protection Agency (the "SDPA") has issued on 17 June 2021 a legal report addressing various issues related to the processing of data in the context of health research in the form of clinical trials.
Specifically, this report analyzes the legal position of the sponsor, the monitor and the healthcare centers in relation to the processing of trial patient data, and in particular of the clinical history.
Moreover, the report confirms that the monitor has to sign a commissioning contract about the processing of the data with the promoter, but not with the healthcare center. For this second scenario, it is sufficient to sign a mere authorization for access to patient data.
The Spanish Data Protection Agency (the "SDPA") has issued on 17 June 2021 a legal report with relevance in the field of clinical trials. The SDPA prepares those reports to provide answers to queries raised by individuals, on issues related to the Organic Law 3/2018, on Data Protection and Guarantee of Digital Rights. The purpose of said reports is to provide legal certainty when interpreting and applying such regulation in the cases raised.
In this case, the query, related to the performance of clinical trials, requested clarification on the legitimizing basis for the monitor to access the medical records contained in the databases of the healthcare centers participating in clinical trials, from the perspective of personal data protection regulations (articles 6 and 9 of the GDPR). It should not be forgotten that health-related personal data (including medical records of patients in clinical trials) are specifically protected under data protection regulations.
In order to answer said consultation, the SDPA analyzes the legal position corresponding to monitors, sponsors and healthcare centers with regard to the processing of such data in the context of healthcare research in the firm of clinical trials, and establishes the following distinctions:
- Health centers are responsible for the processing of the data from medical records, except when such data are use in the context in question. In this scenario, the use of the data is not subject to the Patient Autonomy Law, but to Royal Decree Law 1090/2105, of 4 December 2015, which regulates clinical trials with medicines, the Ethics Committees for Research with medicines and the Spanish Clinical Studies Registry.
- When data (including medical records) are used to perform clinical trials with medicines, sponsors are responsible for its processing. This is regardless of whether sponsors have access to the data or not, since they are in charge of deciding the purposes and means of such processing. In addition, regulations require sponsors to monitor clinical trials, even though they can entrust such activity to a third party, the monitor. The AEPD clarifies that, in this case, compliance with legal obligations constitutes the appropriate legal basis for monitoring, since this is an obligation imposed by Regulation (EU) 536/2014.
- As for monitors, the SDPA qualifies them as data processors who carry out monitoring activities and process the personal data of trial patients on behalf of sponsors. The SDPA states that monitors are not data processors of health centers, with which they have no legal relationship and from which they do not follow any instructions.
In light of these considerations, the report concludes that the data processing carried out by the monitor should be regulated by a data processing agreement entered into with the sponsor, and not with each health center. Monitoring is a legally required activity, and therefore the segregation of duties on clinical research cannot be constrained by instructions from said health center to the monitor. The foregoing is without prejudice to the precautions that each health center may adopt regarding access to and use of its facilities by third parties, including authorization for access to identification data and the medical records of the trial subjects. For this reason, health centers and monitors are only required to sign a simple authorization for access to the medical records of trial patients, without having to sign a data processing agreement. Basically, the SDPA confirms the position expressed by the Spanish Agency for Medicines and Medical Devices in an instruction issued recently.