Clinical trials and pharmacovigilance: Spanish Code of Conduct leads the way in data management
EU institutions and practitioners share a need for greater clarity on the processing of personal data in health research. In an effort to expand the regulatory framework with self-regulatory instruments, the Spanish Data Protection Authority (AEPD) recently approved a “Code of conduct for the processing of personal data in the field of clinical trials and other clinical research and of pharmacovigilance” (the “Code of Conduct” or “Code”) supported by Farmaindustria, the national trade association for the pharmaceutical industry in Spain. This offers food for thought on the Italian framework for data protection in clinical research and pharmacovigilance.
THE FIRST EXAMPLE IN EUROPE
The Code of Conduct, the first of its kind in Europe, is divided into three parts and is 153 pages long. A first section devoted to general provisions is followed by a protocol for clinical trials and other clinical investigations and a protocol for pharmacovigilance. The implementation of these protocols should lead to application of uniform criteria to the various parties, ensuring high standards of protection for stakeholders and consumers. Moreover, commitment to a code of conduct has a number of potential benefits under the GDPR.
CLARITY AND STANDARDIZATION FOR CLINICAL RESEARCH
As mentioned above, the Code of Conduct succeeds in providing the clarity that the field of clinical research certainly needs. In addition to addressing some issues of principle, the Code provides practical and concrete solutions to issues that, although theoretically straightforward, may turn out to be rather thorny and complex in reality. For example, regarding the roles and responsibilities of the parties involved in clinical research, the Code takes a clear position: the sponsor and the center act as data controllers, each within the scope of its own activities, and they are not subject to joint and several liability. But the Code does not just regulate this through an abstract rule: it also provides a standard data protection clause for the contract between sponsor and trial center.
A series of standards are attached to the Code. These include not only contractual clauses to regulate the relationships between the various parties involved, but also a model register for processing and a model response to a request for the exercise of rights received by a sponsor. The clarity and pragmatism of this material are certainly appreciated, especially at a time when, in the face of increasingly complex realities and technologies, guidelines provided by national authorities and European bodies often contribute to interpretive doubts rather than dispelling them.
THE QUESTION OF CONSENT
In an effort to clarify and streamline, the Code of Conduct identifies the legal basis for processing in the context of clinical research by following the approach provided by the opinion of the European Data Protection Board (the “EDPB”) and thus abandoning the requirement of consent as the legal basis for such processing. In fact, the EDPB previously noted that consent was inadequate for two sets of reasons: the first set, of a practical-operational nature, includes the difficulty (or even impossibility) and cost of acquiring consent, its subsequent revocability, and the inherent documentation burdens; the second set of reasons concerns the legal validity of consent from participants in medical research, given the likelihood of conditioning and the imbalance of power in that scenario.
Likewise, the Code of Conduct provides as a legal basis for the processing of data for clinical trial purposes the fulfillment of legal obligations without the need for the consent of the data subject (Article 6(c) GDPR) and for reasons of public interest to ensure the high quality and safety of medical products and devices (Article 9(i) GDPR), as well as for the conduct of scientific research under national and European law (Article 9(j) GDPR).
In relation to transfers abroad—very frequent in the field of medical research—the Code takes a clear position: if it is completely impossible for the recipient of the data to re-identify the research participants—because they have previously been rendered anonymous by the owner sending the data—the data protection rules do not apply and no safeguards need to be adopted for the transfer. This principle certainly follows from correct application of the rules and is not new, but it has been formalized in a Data Protection Authority ruling in a very coherent manner.
THE SPANISH CODE OF CONDUCT AND PHARMACOVIGILANCE
As far as personal data protection profiles are concerned, Italy has dealt with the topic of pharmacovigilance only incidentally in the Guidelines for the processing of personal data in the context of clinical trials of medicinal products of July 24, 2008, and in a few other specific provisions. The Code of Conduct contains precise provisions and provides clarity on many aspects. Just to name a few, with reference to the legal basis for processing, the Code identifies fulfillment with legal obligations (Article 6(c) GDPR) and the public interest related to the duty to ensure high standards of quality and safety of health care and medicines and medical devices (Article 9(i) GDPR).
The Code also raises the question of what the legal scenario is when an adverse reaction is reported not by the person concerned but by a third party (e.g., a caregiver or parent) and specifically whether it is necessary to wait to provide the information before collecting data on the adverse reaction. According to the Code, the answer to this question is negative, because in any case the data are being collected to protect the vital interest of the patient experiencing the adverse reaction. Although this rule refers to a scenario in which the patient cannot provide consent (rather than a discussion of when to provide the information), “a harmonized and reasonable interpretation of the article allows us to consider that the data collection should be carried out immediately, without waiting for the patient to be able to understand the information to be provided, given that their health or even life could be in danger.”
Regarding the way data is collected, the Code describes in detail and through very useful infographics how collection works through various channels, including social networks, precisely outlining the various steps—starting from a (public or private) message used to make the report and continuing through sharing the data with the authorities.
The Code of Conduct introduced in Spain marks an important step toward self-regulation, a key element in the original design of the GDPR. It also provides a pragmatic and rational example of application of privacy regulations, which, far from having to be considered in absolute terms, can and must coexist with scientific progress and public health protection, while also respecting patients’ fundamental rights and freedoms. Adoption of a similar instrument in Italy could bring medical research discipline more in line with the outlines set forth by the GDPR and the EDPB. This would make it possible to clarify some aspects of health research that remain murky and to dictate more detailed rules for pharmacovigilance (from a data protection point of view). While we wait for Italy to adopt such an instrument, Spain’s Code of Conduct provides interesting food for thought and interpretive arguments for the field of medical research in Italy (although the Garante’s unofficial position on this Code has been highly critical).
 See “Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR),” adopted by the European Data Protection Board on January 23, 2019; and “EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on Health Research,” adopted by the European Data Protection Board on February 2, 2021. Both documents were adopted at the request of the European Commission under Article 70(1)(b) of the GDPR.
 See Article 24(3), Article 32(3), Article 35(8), and Article 83(2)(j) of the GDPR.
 See Opinion cited in footnote 1.
 Subject to the informed consent patients must provide to participate in a clinical trial.