Questions and answers on the data section of the template

Below you will find questions and answers about the data section of the model-PIF. The questions and answers are also available as a document.

Where can I find general information about the consequences of the General Data Protection Regulation (GDPR) for medical scientific research?

General information about the consequences of the GDPR for medical research can be found here.

Why does the first paragraph of Section 10 say that date of birth is also collected, used and stored? This is usually not necessary.

This paragraph is intended to give an impression of the personal data that are being processed as part of the research. At this point in the PIF, it is not important whether certain data is or is not only included in the source documents/medical files and/or in the case report forms (hereinafter “CRF”). The source documents/medical files will often contain the exact date of birth. In the CRF, however, this information will only be collected if it is necessary for the study. In the past, concern about whether or not to register the date of birth stemmed from fear that it would make data more traceable to individuals. As a consequence the data would then fall under the scope of privacy legislation requirements. Under the current – broad – definition of ‘personal data’ in the GDPR, this is no longer an issue because the data in the CRFs (even when coded) is still considered to be personal data under the GDPR. If the date of birth has to be included in the CRF, the necessity will have to be justified in the protocol.

Why are coded data also considered personal data? When the data in the CRFs that is sent to an external party are coded, it is not personal data, is it?

Even when the key for the coding remains at the research location, there is a possibility of tracing the data back to an individual person and it remains personal data in terms of the GDPR.

In the section on ‘Accessing your data for inspection’, it states that “national and international supervisory authorities” can have access to the uncoded data. Does this also include the MREC?

No: in the Netherlands the MREC does not have access to the uncoded data. The term ‘national and international supervisory authorities’ refers to authorities such as the Dutch Health and Youth Care Inspectorate (IGJ), the European Medicines Agency (EMA) and the American Food and Drug Administration (FDA).

In the previous version of the template PIF, the research team was also mentioned in the section on ‘Access to your data for inspection’. The research team is not mentioned in the version of May 2018. Why has this been left out?

In the new version of the template PIF, the text about ‘access for inspection’ focuses on institutions with supervisory tasks. They need access to all personal data in order to be able to assess the quality and reliability of the study. The research team does not belong in this list of external controllers and is therefore no longer included. With regard to the rights for research staff to access or process personal data, the reasoning is that – just as in the rest of the healthcare sector – those rights are derived from the rights of the researcher or the institution, as the party responsible for the processing of personal data (the ‘controller’). The researcher or institution is responsible for making sure that processing by members of the research team meets the requirements of the GDPR, including the duty of confidentiality when processing sensitive personal data.

In the section ‘Data retention periods <if applicable> and bodily materials’, it says: “Your data must be stored for [....] years at the research location <if applicable> and for [....] years by the sponsor.” How can this retention period be determined and how can be specified to which data this applies?

As stated in the explanatory notes to this section in the template PIF, there may be different retention periods applicable, depending on the type of the research. Article 58 of EU regulation 536/2014 for clinical trials specifies a retention period of at least 25 years for data in clinical trials with medicinal products. In anticipation of this regulation becoming applicable, the Central Committee on Research Involving Human Subjects (CCMO) considers it acceptable to already apply this retention periods in research with medicinal products.
For advanced therapeutic medicinal products (ATMPs), a retention period of at least 30 years has been specified in legislation and regulations. For other studies covered by the Medical Research Involving Human Subjects – i.e. studies without medicinal products - no retention period has been specified in the legislation and regulations. In those studies the CCMO considers a retention period of at least 15 years as appropriate, provided that it is substantiated in the protocol. Where shorter retention periods than the above-mentioned intervals suffice for specific studies, the CCMO will consider the use of shorter periods more appropriate. The retention periods for the data by the research location and by the sponsor are in principle the same. If they are different, the template PIF offers the possibility of separately stating the retention periods by the research location and by the sponsor. The protocol must further specify the data that has to be stored by the research location and by the sponsor during the retention period. Such details do not have to be included in the PIF.

The following information is no longer on the consent form: “I consent to my data being stored at the research location for [15] years after the conclusion of this study.” Why has this been removed?

The storage of data can be considered to be part of the ‘collection and use of my data/bloodsamples/bodily material for answering the research question in this research’ for which consent is requested in the consent declaration. Separate permission for storage is therefore not necessary.

In the text, the research subject is informed about the transfer of data to countries outside the European Union (EU). Shouldn’t the research subject give permission for this, where applicable? This was part of the permission form in the previous version of the template PIF.

This has been changed in the version of May 2018. An appropriate level of protection of personal data should be ensured when data are transferred to countries outside the EU. In that case, no separate permission is needed for the transfer of personal data to countries outside the EU. The protocol should describe the measures that have been taken in order to guarantee an appropriate level of protection in the country outside the EU. If no appropriate level of protection can be guaranteed, separate permission for transfer to a country outside the EU will have to be requested. In that case, the extensive information obligation pursuant to the GDPR must also be complied with.

In case of a sponsor-initiated study, is it mandatory to list the contact information of the sponsor (in the ‘controller’ role) in Section 10? Industry prefers it that subjects cannot contact the sponsor directly. Because the patient’s data could then become known or ‘unblinded’. Isn’t it possible to direct all questions from the research subject about the processing of personal data to the research institution?

There seems to be a misunderstanding here. It is not undesirable (and actually not prohibited) for the sponsor to become aware of the identity of the participant, if this results from an action by a participant (for instance, while exercising rights under the GDPR). If the industry is the sponsor of the study, both the sponsor and the research institution are considered (joint) ‘controllers’ of the personal data. The GDPR requires the research subject to be informed about the identity and contact details of the controller(-s). Therefore the contact information of the sponsor must also be included in the PIF. The GDPR is also pertinent in that the subject must be able to contact all the controllers with any questions about the processing of their personal data or in order to exercise their rights. This means that the sponsor must be prepared for this and must set up appropriate procedures.

If the sponsor is based outside the EU, should they also be mentioned as a controller, in addition to their representative in the EU?

A representative of the controller within the EU needs to be appointed to function as the point of contact for the supervisory body and the subject for questions about compliance with the GDPR and about the exercising of rights. If contact information for the controller themselves is additionally included, it may be sensible to note that the representative is the first and preferred point of contact.

Can the controller in an institution be the same person as the data protection officer?

No, the controller is usually the Board of Directors of the institution. The data protection officer is appointed by the controller (Board of Directors) to advise on the compliance with the GDPR and should therefore have an independent position. Appointing a data protection officer is usually mandatory (if sensitive personal data is being processed on a large scale).

Is the representative of the controller within the EU the same as a legal representative?

Specifically for issues surrounding the processing of personal data by the data processing controller that is located outside the EU, the GDPR requires that a representative must be appointed who is located within the EU. It can be – but does not have to be – the same organisation that also functions as the legal representative for the other issues surrounding the conduct of the research.

The current template PIF states that if a patient stops during the study, all collected data may be used. Isn’t it true that under the GDPR everyone may request to have their data deleted?

When drafting the current text for the template PIF, a distinction was made between the decision of the research subject to stop participation in the study on the one hand, and withdrawal of permission for the processing of their personal data on the other. On the one hand, when drafting the current text, the CCMO has taken note of the opinion of WP29 that if consent is the basis for the processing of personal data (which is now deemed to be the correct basis for WMO-related research), based on Article 17, paragraph 1 sub (b) of the GDPR (and there is no other legal ground for the processing), the data must be deleted if the data subject so requests. On the other hand, Article 17, paragraph 3 sub (d) of the GDPR states that paragraphs 1 and 2 are not applicable “to the extent that processing is necessary for[...] scientific research purposes [...] in accordance with Article 89(1) of the GDPR.”
It has been decided to assume that the provisions in Article 17, paragraph 3 sub (d) of the GDPR apply, and the European Commission has at the same time requested clarification. The European Commission has indicated that there are problems with exclusively focusing on consent as the basis for processing personal data for scientific research, while other bases are also conceivable (the legal obligation of the controller or the legitimate interests of the controller) which would also circumvent the sharp edges of the provisions of Article 17, paragraph 1 sub (b) of the GDPR. This has not yet been crystallised fully and until then we consider the current text to be ‘the best possible’ option.

Is the text of Section 10 in the template PIF also mandatory for the PIF for research subjects aged between 12 and 15?

With regard to ‘exercising control over the processing of personal data’, the General Data Protection Regulation (just like the old Personal Data Protection Act) has a different age limit, namely that rights can only be exercised by the subject themselves from the age of 16 and that those rights are exercised by the parents or representatives until then. The CCMO’s opinion is that this means that all references in the PIF for subjects aged 12 to 15 to “you are being asked for permission/consent for this” must be removed and that a simplification of the text can be implemented. The text of the PIF for the parents must then be complete and must remain so.