Informing the patient about the processing of their personal data, which is mandatory in the InformConsent Form, has even become a prerequisite, essential for obtaining the patient’s participation agreement in the clinical trial as well as for the latter’s authorization by the competent data protection authorities. Conducting a successful clinical study therefore now requires perfect control of the patient’s consent process and related legal provisions.

 

The Inform Consent Form and the cornerstone of patient consent

In clinical research, the Inform Consent Form (ICF) is intended to ensure that the participation of any person in a research project is free and informed. This consent is part of a definition that has become formal, designating “any free, specific, informed and unequivocal expression of will, by which the person concerned agrees, by a statement or a clear positive act, to participate in a clinical trial”. This consent must be informed, which requires clear and precise information allowing the person to understand how their personal data is collected and processed, in order to make an informed decision whether or not to give their consent to participate in the clinical trial

 It is therefore essential to set out in the framework of the ICF all the constituent elements of informed consent. This document must include in detail the objectives pursued, the method (study description, visits, product information), the legal aspects, the financial aspects as well as the patient’s data protection and privacy.  

How to meet the requirements of patient data protection in the ICF?

The mention in the ICF of the processing of personal information applicable in the context of a clinical trial is necessary for more than one reason. It is not only a question of guaranteeing the protection of patient’s rights and freedoms, by issuing the now mandatory GDPR information, but also of addressing the need for reliable and quality personal data collected, and of ensuring the integrity of this data subsequently.

The requirement set by the regulations on highly sensitive data, such as health data aims to ensure compliance with the personal data protection. As such, the dedicated section in the ICF makes it possible to avoid any confusion between consent to participation in a clinical trial and explicit consent to the processing of personal data.

Consent forms local regulatory tones

The Guide to Good Clinical Practice developed by the International Council on Harmonisation (ICH) section 4.8 10, lists a total of 20 specific points that are embodied as subjects of vigilance in the drafting of the ICF.

Generically, these elements cover many fields regarding data protection requirements:

-       the purpose of the data processing – i.e the reason why the data is processed by differentiating between research, care and pharmacovigilance,

-       the categories of data concerned,

-       the duration of data detention,

-       the basic basis as well as the legal basis for processing personal data,

-       the exercise of patients’ rights.

 The protection of sensitive personal data is exposed to local data protection regulation related to the country in which the study takes place. In addition to following the ICH guidelines, which help enforce the provisions of the GDPR, clinical trial sponsors must comply with these legal obligations.    
In Europe, health data processing activities are strictly regulated by the General Data Protection Regulation that defines the protection of EU-member citizens’ data since 2018.

Patient data processed in the context of a clinical trial, even pseudonymized, are subject to this data regulation, knowing that some EU member states prefer the legal basis of consent (Article 6. A of the GDPR) while others opt for the legitimate interest of the sponsor (Article 6. F of the GDPR).

As such, the ICF must be drafted in a specific way.

Compliance anticipation: a key for the  trial sponsor

The description of the sponsor’s practices in terms of health data protection must be complete from the policy on managing the exercise of patient’s rights, to the data retention policy. It must, prior to the drafting of the ICF, have a clear idea of how it intends to protect the patient data included in its clinical trial, especially since the GDPR extends to subcontractors’ obligations previously imposed only on data controllers.

Finally, the sponsor’s dialogue with the Ethics Committee is based on the formalism of the ICF since the Committee gives its opinion on the conditions of validity of the research, in particular about the compliance with data protection of trial participants. Understanding one’s expectations and uses therefore makes it possible not to delay the phase of patient inclusion.

A key document of a clinical trial, the ICF is therefore part of a GDPR compliance framework that requires in-depth knowledge and a perfect mastery of European data protection regulations. It is precisely the expertise of Iliomad, which accompanies you in the process of writing this document, implementing the appropriate language, and taking into account the regional and national data protection prerequisites.

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified

Home

Discover our latest articles

View All Blog Posts
October 14, 2024
Clinical Trials
Guideline

Analyzing the Similarities and Differences Between ICH-GCP and GDPR in Clinical Trials

ICH-GCP and GDPR are vital for clinical trials, setting standards for participant protection and data integrity, with distinct focuses and enforcement approaches.

September 9, 2024
Biotech & Healthtech
Data Breach
Health Data Strategy

Comprehensive Cyber Insurance for the Life Sciences Industry

Cyber insurance provides coverage to businesses, including those in the life sciences industry, to protect against losses from cyberattacks, such as data breaches, ransomware, and other threats. For life sciences companies, which handle high-value intellectual property and sensitive data, tailored cyber insurance policies offer essential protection against financial, legal, and reputational damage while complementing existing cybersecurity measures.

August 7, 2024
Data Breach

UK data watchdog to fine NHS vendor Advanced for security failures prior to LockBit ransomware attack

The UK data watchdog is set to fine NHS vendor Advanced for security failures that occurred before the LockBit ransomware attack. These security lapses contributed to the vulnerability exploited during the attack.