Taking a Proactive, Preventive Approach to Data Privacy in Clinical Documentation
Simin Takidar is a Senior Principal Medical Writer with Parexel, and the Subject Matter Expert for clinical trial transparency activities in Medical Writing Services, with over 13 years of experience in Medical Writing. Bipasha Das is head of the Parexel Clinical Trial Disclosure group and has over six years of experience.
Data privacy has taken on increasing urgency as citizens insist on their right to govern their own data, winning support from governmental and regulatory agencies worldwide. The new EU Clinical Trials Regulation (EU-CTR 536/2014) includes specific guidance relative to sensitive information, corporate confidentiality, and patient privacy in the biopharma industry. A key requirement is clinical trial transparency and publication of redacted clinical trial documents and reports. For those doing business in the EU, patient privacy must also be preserved in line with the General Data Protection Regulation (GDPR) [1]. This suggests a potential conflict with data transparency.
Given the nuanced demands of the new regulations and the risk of grave financial penalties [2] for GDPR violations, those responsible for clinical documentation face a complex undertaking. This is exacerbated in the rare disease area, where the clinical population is quite small. Understanding how to interpret and comply with these mandates, including the redaction and anonymization of documents and data, is an urgent need. We have identified five common pitfalls and best practices to avoid them.
- Failure to understand and fulfill the role of the data controller. Sponsor companies, from large enterprises to smaller biotech firms, are responsible for all content releases from clinical trials, essentially giving them the role of a data controller. Sponsors are required to implement appropriate technical and organizational measures to ensure that documents and data are processed in accordance with these regulations and to protect patient privacy. Sophisticated tools are now available to identify terms and patterns classified as protected personal data (PPD) and company confidential information (CCI) in documents and data sets. However, technology alone will not eliminate risk. Experience in technology and with the regulations (i.e., an experienced data processor) and strong internal oversight of the data redaction program are required.
- Insufficient insight leads to a lack of foresight. The evolving regulatory landscape has changed the paradigm for validating and applying process and information systems. With stringent transparency and disclosure requirements, compliance is simply not enough. Sponsors can deploy tools for redaction and anonymization, but the best practice is to build in “Privacy by Design” measures to drive the process from the outset.
- Inability to identify the risk of reidentification and understand the data utility principle. A quantitative risk-assessment approach, with emphasis on data utility, will inevitably be required by health authorities. This will be more challenging for smaller populations, where there is a greater chance that an individual may be identified. Sponsors need to recognize that even after redaction and anonymization techniques are applied, individual patients might still be distinguishable. An invaluable tool is a robust data de-identification and assessment solution that can compute the risk of reidentification while predicting the utility value of the data.
- The limitations of manual redaction methods. Meeting all transparency and disclosure requirements and protecting intellectual property requires first accurately identifying and securely redacting and anonymizing the two critical categories of sensitive information (PPD and CCI). The manual process of actually redacting these data involves reading through regulatory documents and redacting sensitive information using standard Adobe/Kofax redaction tools. While these tools can search, redact and match text patterns in documents, using them exclusively is less than ideal. When dealing with high volumes of pages, this method is highly resource-dependent, time-consuming, tedious, and costly and carries a high risk of accidental exposure.
- Dependence solely on automated redaction. Automation alone cannot meet regulatory requirements. Sponsors may underestimate the expertise, resources, and manual effort required to employ such a tool for preparing a redacted package for regulatory submission.
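To make the risk-versus-utility trade-off from the third pitfall concrete, here is an added Python illustration; it is not Parexel's tool or method, and the patient rows are constructed. Records that share the same quasi-identifiers form an equivalence class, each record's prosecutor risk is 1 over its class size, and generalising age or suppressing residual outliers lowers that risk while reducing the granularity that survives release.

```python
"""Reidentification risk vs. data utility on a constructed trial listing."""
from collections import Counter

# Constructed sample of a small rare-disease population (not real data).
RECORDS = [
    {"id": "S01", "age": 34, "sex": "F", "country": "DE"},
    {"id": "S02", "age": 37, "sex": "F", "country": "DE"},
    {"id": "S03", "age": 52, "sex": "M", "country": "DE"},
    {"id": "S04", "age": 55, "sex": "M", "country": "DE"},
    {"id": "S05", "age": 71, "sex": "F", "country": "FR"},
    {"id": "S06", "age": 33, "sex": "F", "country": "DE"},
]
QIDS = ("age", "sex", "country")  # quasi-identifiers an attacker could link on

def key(record, qids=QIDS):
    return tuple(record[q] for q in qids)

def equivalence_classes(records, qids=QIDS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(key(r, qids) for r in records)

def prosecutor_risk(records, qids=QIDS):
    """(max_risk, avg_risk): 1/k for the smallest class, and the mean of 1/k."""
    classes = equivalence_classes(records, qids)
    max_risk = 1.0 / min(classes.values())
    avg_risk = len(classes) / len(records)  # sum of 1/k over records == #classes
    return max_risk, avg_risk

def generalize_age(records, band=10):
    """Replace exact age with a band such as '30-39' (one generalisation step)."""
    out = []
    for r in records:
        lo = (r["age"] // band) * band
        out.append({**r, "age": f"{lo}-{lo + band - 1}"})
    return out

def suppress_small_classes(records, k=2, qids=QIDS):
    """Drop records in classes smaller than k, i.e. enforce k-anonymity."""
    classes = equivalence_classes(records, qids)
    return [r for r in records if classes[key(r, qids)] >= k]

def utility(original, released, qids=QIDS):
    """Crude utility: fraction of distinct quasi-identifier combinations retained."""
    return len(equivalence_classes(released, qids)) / len(equivalence_classes(original, qids))

def meets_threshold(records, max_allowed=0.1, qids=QIDS):
    """True when no single record's risk exceeds the agreed threshold."""
    return prosecutor_risk(records, qids)[0] <= max_allowed
```

On this sample, banding age leaves the single French patient unique (max risk stays 1.0), so only suppressing that record brings the table to k=2, which is exactly the small-population effect the pitfall describes.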
How Parexel Can Help: An End-to-End Solution
Parexel Regulatory Consulting Services comprises former regulators from the likes of FDA, EMA and NMPA, who have helped develop and inform guidance worldwide. As a premier global service provider for Regulatory Affairs, we support our clients with an in-depth interpretation of regional regulations, smooth liaison with Health Authorities, and solution-oriented consultancy. Our robust transparency service encompasses protocol registration, results disclosure and lay summary development, redaction packages, and strategy discussions in preparation for submissions.
To augment this robust transparency service, Parexel’s dedicated clinical trial transparency team now uses a redaction/anonymization tool that employs artificial intelligence and natural language recognition, trained by our experts to identify PPD and CCI in documents and data sets. This cutting-edge tool, which can be applied to redact multiple files, recognizes numeral and text patterns and allows data to be generalized and risk quantified.
In addition, our clients benefit from our regulatory guidance on internal processes, templates, and best practices that we have adapted to be “proactive, not reactive; preventative, not remedial” – a fundamental principle of the Privacy by Design approach. The combination affords you an end-to-end solution supporting not just compliance but purposeful, predictable efficiency in delivering a suitably redacted submissions package in a timely fashion.
For more information, please reach out to ClinicalTrialTransparency@parexel.com.
[1] More information about GDPR may be found here: https://gdpr-info.eu/
[2] Under GDPR, the EU’s data protection authorities can impose fines up to €20 million (US$20.4 million), or 4% of worldwide turnover for the preceding financial year – whichever is higher.