The introduction of the Clinical Trial Information System (CTIS) has ushered in a new era of transparency and efficiency in the realm of clinical trials. However, with this advancement comes the paramount responsibility of ensuring data privacy. This article delves into the impact of CTIS on data privacy for clinical trial sponsors and outlines the necessary steps to ensure compliance with the new clinical trial regulation that birthed the CTIS platform.

 

Prelude: The CTIS has been introduced under the Clinical Trial Regulation (EU) 536/2014, referred to as the "CTR". This regulation changes how clinical sponsors submit their trial results. Additionally, the CTR, as noted in Annex 1D.17(ak) and subsequent sections, mandates that sponsors include in their study protocols measures for data protection compliance, ensuring personal data confidentiality, and addressing data breaches. Therefore, adherence to the CTIS also demands that sponsors evaluate their responsibilities as dictated by the CTR.

Understanding the CTIS Framework

The CTIS, established in accordance with Articles 80 and 81 of the Regulation (EU) No 536/2014, serves as a centralized platform for the submission of clinical trial-related information. From the initiation of clinical trial applications to ongoing supervision throughout the trial lifecycle, the CTIS plays a pivotal role. It's a collaborative effort involving the European Medicines Agency (EMA), Union Member States, and the European Commission.

Data Privacy in the CTIS Landscape

The CTIS is designed with stringent data protection measures. Personal data, such as the names and contact details of principal investigators, are captured within the CTIS's secure domain. While certain details, like the list of principal investigators' names and contact details, are made public, other personal data remains confined to the secure domain.

Moreover, the CTIS ensures that documents meant for public viewing do not contain personal data. For instance, the names (but not signatures) of the sponsor and coordinating investigator signatories of the clinical study report remain visible in the report loaded into the database, but other personal data is kept confidential.

Compliance with Data Protection Regulations

The processing of personal data within the CTIS is grounded in the public interest. The EMA, Member States, European Commission, and clinical trial sponsors are joint controllers in the CTIS, bound by legal obligations to collect and upload relevant documents. The data centers used for CTIS are located within the EU, specifically in the Netherlands, Ireland, and Germany.

Ensuring Data Privacy: Steps for Clinical Trial Sponsors

  1. Understand the CTIS Framework: Familiarize yourself with the CTIS's structure and its data protection measures. Recognize the distinction between data in the CTIS's secure domain and data made public.
  2. Ensure you draft a GDPR compliance statement in line with local European regulations. This is specified in the "Compliance with Regulations" section and within the Documents section of Part II of the sponsor's dossier.
  3. Stay updated with regulatory changes: Regularly review the guidelines and recommendations provided by the EMA and other relevant bodies. For example, the EMA recently revised its transparency rules.[1]
  4. Engage in transparent communication: Inform all stakeholders, including trial participants, about the data being collected, its purpose, and the measures in place to protect their privacy.
  5. Implement robust data protection measures: Employ state-of-the-art encryption and other security measures to safeguard data. Regularly audit and update these measures to counter evolving threats.
  6. Train your team: Ensure that everyone involved in the clinical trial is well-versed with the CTIS's data protection protocols and understands the importance of data privacy.
  7. Before making any data updates on the platform, consider the distinction between public and non-public publications. Ensure you review the anonymization process, especially if it has been entrusted to your CRO.

Conclusion

The CTIS represents a significant stride forward in the clinical trial landscape, offering transparency and efficiency. However, with its advent, the onus of ensuring data privacy has become even more pronounced. By understanding the CTIS framework and implementing robust data protection measures, clinical trial sponsors can navigate this new landscape confidently and compliantly.

 

Resources

To delve deeper, here are some valuable resources to better understand the data protection requirements as outlined in the CTR and CTIS:

  • https://euclinicaltrials.eu/ctis-for-sponsors/
  • https://www.ema.europa.eu/en/human-regulatory/research-development/clinical-trials/clinical-trials-information-system-training-support
  • https://www.youtube.com/watch?v=s3Pqpvv6B1s&t=229s

                                                                                     

 


[1] https://www.ema.europa.eu/en/news/revised-transparency-rules-eu-clinical-trials-information-system-ctis

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified
