In the world of clinical trials, obtaining ethical approval is essential. While the specific requirements may vary, one aspect always remains of great importance: the data protection policy. In this article, we aim to give you a comprehensive overview of the requirements for developing a robust concept. Discover the necessary steps to safeguard sensitive data of study participants and to meet the legal requirements.
Privacy by design: Crucial importance of choosing a suitable end device
In order to avoid potential data protection problems in a clinical trial, thorough planning is of crucial importance. The concept of “privacy by design” plays a central role. One aspect that influences the conduct of the study is the selection of a suitable end device. Most trials will probably use a normal PC as a terminal device and run as a (web) application. Many trials are currently underway that use mobile devices to simplify data collection in everyday clinical practice. These trials may also collect data on the move, possibly even at the patient’s home (read more on this topic in our blog article on wearables). Choosing the right device and operating system is, therefore, critical to secure data collection. The device and operating system must be sufficiently up-to-date and regularly provided with security updates. This must also be ensured during the course of a clinical trial.
Assessing manufacturer’s use of third-party libraries for app integration
When selecting a suitable manufacturer for a device in a clinical trial, it is important to check whether the manufacturer has integrated third-party libraries into its app. These libraries are commonly used for crash reports or logging. They may pass on meta-information, such as the frequency of use, location, or time of medication intake, to third parties, even though the actual data remains on the device. The risk also applies to in-house developments if external packages are added. For this reason, we recommend avoiding external libraries whenever possible. However, if this is not feasible, it is essential to carry out a comprehensive review (audit) before integration in order to identify and minimize potential data protection risks.
Prioritizing necessary data and anonymization for enhanced privacy
Prior to data collection, it is crucial to determine the necessary data. Data collection based on the principle of “collect first and then see what data will be used” is not permitted. When dealing with sensitive data, it is recommended to assess the possibility of reducing its size and anonymizing it. For example, it may be sufficient for a study to have a record of the year of birth within a certain time period rather than the exact date. That’s an example of data minimization.
Securing data repositories: Implementing effective access controls for enhanced data protection
A data protection concept also includes access control to data repositories. There are two levels to consider when it comes to data access. The logical level determines who is authorized to view which (partial) data and what rights they have to process it. The physical level determines who has access to the data in the first place. Access controls are implemented using both analogue and digital security measures. Analogue measures include access controls, locking, and identification, while digital measures include encryption, distributed systems, and authentication. It is important to regularly review the effectiveness of the measures taken and to adjust them if necessary.
Data protection policy essentials: Retention periods and compliance with GDPR rights
In addition to the aforementioned items, a data protection policy also includes defining the retention period. This period specifies how long the data will be kept and when it will be deleted or anonymized. The General Data Protection Regulation (GDPR) also grants additional rights to data subjects that must be incorporated into the policy.
Overall, a comprehensive data protection concept is of great importance to ensure the protection of sensitive data. A combination of analogue and digital security measures can guarantee access rights and physical security.
With our study management system DPM.research, we have created a system that ensures the handling of study data in accordance with the GDPR. The system can also be flexibly adapted to the respective study setting.
Image copyright: ©sdecoret – fotolia.de