Royal Decree 957/2020, of 3 November, regulating observational studies with medicinal products for human use, was published on 26 November. It includes important developments in the field of observational studies understood as “all research involving the collection of individual data relating to human health, provided that it does not meet any of the conditions required to be considered a clinical trial, and that is carried out for any of the following purposes:
a) “To determine the beneficial effects of medicinal products, as well as their modifying factors, including the perspective of patients, and their relationship with the resources used to achieve them,
b) To identify, characterize or quantify adverse reactions to medicinal products and other risks to patient safety related to their use, including possible risk factors or effect modifiers, as well as measure the effectiveness of risk management measures.
c) To obtain information on the patterns of use of medicinal products in the population”.
Special mention should be made of the references and clarifications it makes in relation to the application of data protection regulations, and which are the subject of this pill. Before getting into the detail, it is important to note that Article 4 establishes a single, binding and obligatory opinion system for the entire country. This fact highlights the need for all CEIms (Ethics Committees for investigation with medicinal products) to have access to the same assessment tools, to ensure common and adequate assessment of the aspects related to data protection, regardless of which CEIm assesses the project.
At this point, approval by a CEIm does not legitimize the processing of data. It is a requirement to allow the research project to be carried out, and therefore, regardless of the assessment of the CEIm, if the Data Protection Officer of a centre, either directly or through their Data Protection Centre, detects data processing that contravenes the data protection regulations, they must report this and ask the controller to take appropriate action to remedy it. ROYAL DECREE 957/2020
In relation to the content of the Royal Decree on data protection itself, and in particular the one established in article 5, which regulates the informed consent and protection of personal data of the participating subjects, the following must be considered:
- Point 1 of article 5 regulates the need for informed consent and the cases that are exempt, with informed consent understood as the “free and voluntary expression by a subject participating in an observational study with medicinal products, of their willingness to participate in a given study after being informed of all aspects of it that are relevant to their decision to participate or, in the case of minors or incapacitated subjects, the authorization or consent from their legally designated representatives to include them in the study”. In other words, when talking about informed consent we are talking about care-type consent to carry out the action or project, which must be distinguished from consent for the processing of data.
This is precisely what section 3.c of this article 5 states, when it establishes that “Sponsors of studies that use any source of information that includes the processing of personal data must take into account the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and of Organic Law 3/2018, of 5 December, on the protection of personal data and the guarantee of digital rights, and in particular the following: [...] c) Without prejudice to the provisions of section 1, the consent of the participating subject will be required unless another legitimate basis is applicable for the processing of their personal data included in those referred to in Articles 6.1 and 9.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. In addition, the sponsor and researchers must apply the criteria governing the processing of data in health research in accordance with the seventeenth additional provision of Organic Law 3/2018, of 5 December”.
That is to say, this article establishes that, even if informed consent is not necessary for the execution of the project, what is necessary is consent in terms of data protection or the existence of any of the legitimate bases of articles 6 and 9 of the GDRP that allow for the processing of personal data in the framework of the corresponding study, and in accordance with additional provision 17.2 of the LOPD-GDD.
- This article 5 also establishes other provisions on data protection in the same line as the GDPR and the LOPD-GDD which we detail below:
· The sponsor must have evaluated and mitigated, through the appropriate measures in each case, the impact that the execution of the study may have on personal data protection (art. 5.a). This provision means that before proceeding to carry out any processing as part of a study, the risks involved in the processing must be analysed, and if necessary the corresponding impact assessment must be carried out, in the manner established by additional provision 17.2.f.1 of the LOPD-GDD.
· The sponsor and the researchers of the study must guarantee the confidentiality of the data of the participating subjects (art. 5.b). This generic provision implies that the necessary security measures must be taken to guarantee unauthorized access to, re-identification and security of the data.
· The conditions of access to personal data must be detailed in the protocol, including the conditions under which it may be transferred outside the European Economic Area, if this is foreseen (art. 5.d). One of the elements to be detailed in the protocol is how the data will be accessed, specifically including the need to detail whether any international data transfers occur.
- In line with this article 5, we also find the provision of article 11.k, which states that one of the elements that requires an assessment by the CEIm is indeed compliance with data protection regulations.
And in line with this, Annex 1 of the standard which establishes the structure and recommended content of the protocol, states in its point 10.c “Data confidentiality: conditions of access to and processing of personal data, including, in the case of the transfer of personal data of Spanish patients to a third State, proof of compliance with European regulations on personal data protection. In the case of research using anonymous data or data that has been pseudonymized, the procedure for this will be established in the study protocol”.
Therefore, all this content, including that established in the GDPR and the LOPD-GDD, is what a research protocol must contain in relation to the processing of data, and what must be assessed by the CEIm.
To facilitate and homogenize this task, we have attached an annex to this pill containing proposed content for these protocols that make it easier for researchers to complete the necessary information and for the CEIm to have it in a structured way so that it can assess it.
In conclusion, when carrying out observational studies the following is necessary:
1. There must be a legitimate basis for the processing of data, for which any exemption regarding informed consent understood in the terms indicated in this note does not apply.
2. The data controller or processors must process the data in accordance with the provisions of the GDPR and the LOPD-GDD, and this processing and the way it is carried out must be detailed in the protocol submitted to the CEIm. The protocol must detail, among other things, the legitimate bases for the processing of data, the type of identification of the data as anonymous or pseudonymized, the mechanisms used to ensure the data anonymous or pseudonymized, and the security measures adopted to guarantee compliance with data protection regulations.
To perform these actions, we recommend implementing the procedures and models established in the Assessment Guide on the aspects relating to the Data Protection regulations in research projects and drafted for this purpose by the Research Working Group of the Data Protection Office.
3. CEIm members must have sufficient knowledge and tools to be able to evaluate and document the corresponding assessment of the data protection aspects of projects indicated in the previous point, and which must be described in the protocol.
4. Prior to the participation of the institution in a research project, we recommend that the Data Protection Centre be mandatorily informed, to avoid actions that could pose a data processing risk and in application of the principle of proactive responsibility.