Data Protection in Clinical Trials: Privacy and Compliance

In the world of clinical trials, obtaining ethical approval is essential. While the specific requirements may vary, one aspect always remains of great importance: the data protection policy. In this article, we aim to give you a comprehensive overview of the requirements for developing a robust concept. Discover the necessary steps to safeguard sensitive data of study participants and to meet the legal requirements.

Privacy by design: Crucial importance of choosing a suitable end device

In order to avoid potential data protection problems in a clinical trial, thorough planning is of crucial importance. The concept of “privacy by design” plays a central role. One aspect that influences the conduct of the study is the selection of a suitable end device. Most trials will probably use a normal PC as the end device, with the study software running as a (web) application. Many trials are currently underway that use mobile devices to simplify data collection in everyday clinical practice. These trials may also collect data on the move, possibly even at the patient’s home (read more on this topic in our blog article on wearables). Choosing the right device and operating system is, therefore, critical to secure data collection. The device and operating system must be sufficiently up to date and must regularly receive security updates. This must also be ensured for the entire course of a clinical trial.

Assessing manufacturer’s use of third-party libraries for app integration

When selecting a suitable manufacturer for a device in a clinical trial, it is important to check whether the manufacturer has itself integrated third-party libraries into its app. These libraries are commonly used for crash reports or logging. They may pass on meta-information, such as the frequency of use, location, or time of medication intake, to third parties, even though the actual data remains on the device. The risk also applies to in-house developments if external packages are added. For this reason, we recommend avoiding external libraries whenever possible. However, if this is not feasible, it is essential to carry out a comprehensive review (audit) before integration in order to identify and minimize potential data protection risks.

Prioritizing necessary data and anonymization for enhanced privacy

Prior to data collection, it is crucial to determine the necessary data. Data collection based on the principle of “collect first and then see what data will be used” is not permitted. When dealing with sensitive data, it is recommended to assess the possibility of reducing its size and anonymizing it. For example, it may be sufficient for a study to have a record of the year of birth within a certain time period rather than the exact date. That’s an example of data minimization.
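One way to enforce this at the point of collection, as an added example that is not part of the original article: the needed fields are fixed in a schema before collection starts, the date of birth is reduced to the year, and everything else is dropped before storage. The schema, field names and sample submission are assumptions made for illustration.

```python
from datetime import date

def birth_year(iso_dob: str) -> int:
    """Reduce an exact date of birth (YYYY-MM-DD) to the year only."""
    return date.fromisoformat(iso_dob).year

# Hypothetical schema for an example study, decided before collection:
# input field -> (stored name, reducer). Fields not listed are never stored.
SCHEMA = {
    "participant_id": ("participant_id", str),
    "date_of_birth": ("birth_year", birth_year),
    "systolic_bp_mmhg": ("systolic_bp_mmhg", int),
}

def minimize(raw: dict) -> tuple[dict, list[str]]:
    """Return (record to store, names of submitted fields that were dropped)."""
    missing = [f for f in SCHEMA if f not in raw]
    if missing:
        raise ValueError(f"required fields missing: {missing}")
    stored = {}
    for field, (name, reduce_) in SCHEMA.items():
        try:
            stored[name] = reduce_(raw[field])
        except (TypeError, ValueError) as exc:
            # Name the field only; the rejected value must not end up in logs.
            raise ValueError(f"invalid value for {field!r}") from exc
    # Report dropped field names (not values) so over-collection is visible.
    dropped = sorted(set(raw) - set(SCHEMA))
    return stored, dropped

# Constructed sample submission from a data-collection app.
SAMPLE = {
    "participant_id": "P-0042",
    "date_of_birth": "1984-03-17",
    "systolic_bp_mmhg": "128",
    "gps_location": "49.89,10.89",
    "device_contacts": ["constructed placeholder"],
}

if __name__ == "__main__":
    record, dropped = minimize(SAMPLE)
    print("stored:", record)
    print("not stored:", dropped)
```

Reviewing the list of dropped field names over time shows whether a client app is sending more than the protocol requires.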

Securing data repositories: Implementing effective access controls for enhanced data protection

A data protection concept also includes access control to data repositories. There are two levels to consider when it comes to data access. The logical level determines who is authorized to view which (partial) data and what rights they have to process it. The physical level determines who has access to the data in the first place. Access controls are implemented using both analogue and digital security measures. Analogue measures include access controls, locking, and identification, while digital measures include encryption, distributed systems, and authentication. It is important to regularly review the effectiveness of the measures taken and to adjust them if necessary.

Data protection policy essentials: Retention periods and compliance with GDPR Rights

In addition to the aforementioned items, a data protection policy also includes defining the retention period. This period specifies how long the data will be kept and when it will be deleted or anonymised. The General Data Protection Regulation (GDPR) also grants additional rights to data subjects that must be incorporated into the policy.

Overall, a comprehensive data protection concept is of great importance to ensure the protection of sensitive data. A combination of analogue and digital security measures can guarantee access rights and physical security.

With our study management system DPM.research, we have created a system that ensures the handling of study data in accordance with the GDPR. The system can also be flexibly adapted to the respective study setting.


Yvonne Neß

Yvonne is a marketing and business development specialist. In her role as a business developer, she contributed content on digital health topics.
