Data Protection in Clinical Trials

Data Protection in Clinical Trials: Privacy and Compliance

In the world of clinical trials, an application for ethical approval is essential. The requirements for this application vary, but one aspect always remains of great importance: the data protection policy. In this article, we would like to give you a comprehensive overview of the requirements for creating a concept. Find out which steps are necessary to protect sensitive data of study participants and fulfil the legal requirements.

Privacy by design: Crucial importance of choosing a suitable end device

In order to avoid potential data protection problems in a clinical trial, thorough planning is of crucial importance. The concept of “privacy by design” plays a central role. One aspect that influences the conduct of the study is the selection of a suitable end device. Most trials will probably use a normal PC as a terminal device and run as a (web) application. Many trials are currently underway that use mobile devices to simplify data collection in everyday clinical practice. These trials may also collect data on the move, possibly even at the patient’s home. Further information on this topic can be found in our blog article on wearables. Choosing the right device and operating system is therefore critical to secure data collection. The device and operating system must be sufficiently up-to-date and regularly provided with security updates. This must also be ensured during the course of a clinical trial.

Assessing manufacturer’s use of third-party libraries for app integration

When selecting a suitable manufacturer for a device in a clinical trial, it is important to check whether the manufacturer has integrated its own third-party libraries into its app. These libraries are commonly used for crash reports or logging. They may pass on meta-information, such as the frequency of use, location, or time of medication intake, to third parties, even though the actual data remains on the device. The risk also applies to in-house developments if external packages are added. For this reason, we recommend avoiding external libraries wherever possible. However, if this is not feasible, it is essential to carry out a comprehensive review (audit) before integration in order to identify and minimize potential data protection risks.

Prioritizing necessary data and anonymization for enhanced privacy

Prior to data collection, it is crucial to determine the necessary data. Data collection based on the principle of “collect first and then see what data will be used” is not permitted. When dealing with sensitive data, it is recommended to assess the possibility of reducing its size and anonymizing it. For example, it may be sufficient for a study to have a record of the year of birth within a certain time period rather than the exact date. That means data minimization!

Securing data repositories: Implementing effective access controls for enhanced data protection

The data protection concept also includes access control to data repositories. There are two levels to consider when it comes to data access: the logical level, which determines who is authorized to view which (partial) data and what rights they have to process it. The physical level determines who has access to the data in the first place. Access controls are implemented using both analogue and digital security measures. Analogue measures include access controls, locking, and identification, while digital measures include encryption, distributed systems, and authentication. It is important to regularly review the effectiveness of the measures taken and to adjust them if necessary.

Data protection policy essentials: Retention periods and compliance with GDPR Rights

In addition to the aforementioned items, a data protection policy also includes defining the retention period. This period specifies how long the data will be kept and when it will be deleted or anonymised. The General Data Protection Regulation (GDPR) also grants additional rights to data subjects that must be incorporated into the policy.

Overall, a comprehensive data protection concept is of great importance to ensure the protection of sensitive data. A combination of analogue and digital security measures can guarantee access rights and physical security.

With our study management system “dpm.research”, we have created a system that ensures the handling of study data in accordance with the GDPR. The system can also be flexibly adapted to the respective study setting. To learn more about dpm.research visit our website or check out our blog article.

Image copyright: ©sdecoret –


Avatar photo

Yvonne Neß

Yvonne is a business developer with a focus on digital health topics, tailoring products to the needs and requirements of the customer. Her strength is to present complex information in a clear and easily understandable manner, aiming to offer new insights and perspectives to our readers.

Add comment

Get started now

Click here for a free demo version of our study management system DPM.research

Get in touch with us

Do you have any questions concerning our product portfolio or you would like to learn more about our customized services? Do not hesitate to contact me:

Christian Weigand

Christian Weigand
Head of Mobile Health Lab Bamberg
Digital Health and Analytics | Fraunhofer IIS