Can a patient be trusted to understand what he or she consents to? A commentary.
By Cécile van der Heijden*
A well written informed consent form in a clinical trial ought to also consider medical confidentiality, both by informing the potential data subject about the consequences of giving the physician consent to provide specific (medical) information to the sponsor of the clinical trial, and by requesting the participant’s informed consent.
On 29 April 2023, an article was published on the Dutch investigative platform Follow the Money in which an interesting point was addressed about a Freedom of Information Act request concerning clinical research contracts held by academic hospitals. In this article, among other things, statements were included about the impossibility of ever adequately informing study participants of data use by a commercial party. Furthermore, it was claimed that a sponsor of a clinical trial might use data obtained during the clinical trial to market products. In this article, I aim to place this discussion in the scope of the broader legal framework applicable to clinical trials as well as to open a discussion about whether study participants are taken serious enough by research parties.
For completeness’ sake, I note that I plan to discuss Freedom of Information Act requests in a separate blog and would like to focus this post solely on several points made in the article by lawyers in relation to medical confidentiality, marketing and anonymization.
Legalese
For legal purposes: I have no knowledge of the contracts discussed in the Follow the Money article and this article reflects merely my professional observations based on legal points made in the article without any relation to any of my clients. While a Freedom of Information Act request that is fulfilled means that the information is available for anyone, I have not sought out the documents involved on purpose as they hold little relevance to legal discussion.
I will not go into detail about the specifics of the examples included in the agreements as I do not feel these points are relevant to the legal discussion that we need to have about clinical trial agreements, medical confidentiality and the GDPR.
Note that where I refer to a clinical trial (terminology from the Clinical Trial Regulation), I also mean clinical investigations under medical devices legislation (MDR and IVDR) for which this article holds similar relevance.
Medical confidentiality
One of the most interesting things in the article is that a professor of healthcare law claims that it is not permitted to provide patient data to third parties for commercial purposes, not even where the patient has given consent to do so. He emphasizes that the health care professional cannot inform the patient about this, as the health care professional does not know what will happen with the data. Patients participate in a clinical investigation and medical confidentiality applies to that just as it does to regular care.
To start, I’d like to point out that it will be very difficult to conduct clinical trials without some background information about the patient. Such information will, for example be used to verify whether the patient complies with inclusion criteria or is subject to specific exclusion criteria (i.e., the patient is pregnant). Medical information is primarily needed to ensure the patient’s safety during the clinical trial. Because of this, there is a need for the lifting of medical confidentiality in relation to the clinical trial. Participation of a patient in a clinical trial without disclosing confidential information is not possible. A patient that is enrolled in a clinical trial concerning medication for breast cancer likely has breast cancer. Otherwise, such patient would be subject to exclusion criteria. By enrolment, medical confidential information is thus shared with the sponsor by implication. This would already constitute a breach of medical confidentiality, at least in the Netherlands. Medical confidentiality for professions subject to the Act on Professions in Individual Health Care (“Wet op de Beroepen in de Individuele Gezondheidszorg”) emphasizes that all information that comes to the attention of a health care professional in the provision of care is subject to medical confidentiality.
It is entirely correct that medical confidentiality cannot be lifted solely based on the consent of the patient, but also requires an individual assessment by the health care provider who must maintain medical confidentiality. Notwithstanding, I do not agree with the claim that the physician has no idea what will be done with the personal data provided for or obtained during the clinical trial, especially as this physician is in general also involved in the investigation. It could even be the principal investigator. In the Netherlands, it is generally assumed that a hospital participating in a clinical trial qualifies as joint controller with the sponsor in relation to the data processing aspects of that clinical trial. In my opinion, this a bit too enthusiastic, especially considering that the European Data Protection Board considers only those parties that participate in the drafting of the study protocol a controller in relation to a clinical trial or clinical investigation, but I will refrain from sidestepping in this regard. The fact is that joint controllership means that the hospital (and via the hospital, the physician) are co-responsible for the contents of the ICF and the information provided to the patient. Consequently, the hospital has the right to request that an external sponsor clarifies any processing purposes that are unclear to the hospital and must also request amendment of parts it cannot agree with. It is therefore impossible that investigators do not know what happens with the data in relation to and following upon the completion of the clinical trial. For completeness’ sake I note that in the Netherlands, depending on the legal situation in an individual hospital, a physician owned legal entity or the legal entity in which the physicians are united may be a separate party to the agreement.
Assuming that the ICF and informational notice are up to par, there is however no reason why a patient could not consent to the release of information to the sponsor of the clinical trial, even for marketing purposes, at least from a GDPR perspective. The level and amount of information that is given to the patient upfront is key and my expectation is that the data used for marketing purposes will usually be aggregated study results rather than information about patients (more on this later in this blog post). The question could even be asked whether the aggregated study results qualify as personal data at all. Nevertheless, it is the task of the hospital, and by extension, the physician, to ensure that they can adequately inform the patient. Of course, in respect to consent in relation a clinical trial, we need to differentiate between ‘GDPR-consent’, ‘medical confidentiality consent’ and ‘clinical trial participation consent’, although they will often be obtained via a single document. Medical confidentiality cannot be lifted by consent for GDPR processing. However, the statement that a patient never can consent to the lifting of medical confidentiality implies that hospitals and physicians do not fulfil their roles in the research seriously, do not consider the contracts to a sufficient level and apparently do not take patients seriously. If a patient has received adequate information on his or her level of understanding and the physician has ascertained that the data will be used within strict parameters (even in relation to ‘marketing’), a patient should be able to freely elect that it is worthwhile to have its data used for purposes beyond the conduct of the clinical trial itself, such as but not limited to market access or data donation initiatives that become more and more prevalent. Most participants in clinical trials are not uncouth children and while the values behind medical confidentiality (the right to have access to healthcare without fear for disclosure) are absolutely worth upholding, it is time that the patient is informed adequately and his or her consequent wishes are taken seriously.
At the same time, by taking their tasks during the negotiation process seriously, hospitals and physicians can discern whether they consider a potential sponsor of a clinical trial a trustworthy party. By doing so, they can avoid parties that seek to circumvent the protection granted to medical data, for example by encouraging study participants to request their own copies of their medical information (for example based on formats provided by sponsors) under the GDPR or to download them from personalized medical health environments (in Dutch: “persoonlijke gezondheidsomgeving” or “PGO”) and then forward them for participation in a clinical trial.
A statement that consent can never be obtained for the lifting of medical confidentiality in relation to marketing purposes also overlooks the reason why clinical research is conducted in the first place. It also gives the impression that there is a lack of knowledge about what marketing means in relation to medical devices and clinical research. Clinical research is never undertaken just for fun or to write a nice publication. The intent behind clinical research is to prove the performance, efficacy and safety of medical devices and medicinal products, to provide insight in the clinical effects of a medical device, or, in case of certain phase 4 investigator-initiated studies, to determine whether a more cost-effective product provides equally good results as the golden standard thus far in use for a specific treatment. The data obtained during clinical research are necessary to obtain a marketing authorisation (medicinal products) or a CE-mark (medical devices). For medical devices, the data may also be necessary to fulfil the post-market surveillance obligations included in article 83 of the MDR / article 78 IVDR.
Joint controllership
A privacy lawyer quoted in the article emphasized that the text of the research agreements was so vague that he had trouble understanding what data would be exchanged between the site and the sponsor. He then made the point that if he could hardly figure out what data would be exchanged, how would a patient then understand what he or she consents to when participating in the clinical trial. An important point that he missed is that a research agreement is as such not a privacy document (although data processing clauses may be included). All actions undertaken by a site in relation to the clinical trial are documented in the study protocol, including which data is to be collected. Inclusion thereof in the clinical trial agreement, or as it is better known: the site agreement, is not strictly necessary or mandatory. Furthermore, most patients will never lay eyes on the site agreement as this is an agreement between the parties that normally contains commercial terms that are not disclosed to patients. Under no circumstances is a site agreement required to be made available to the patient, even when the site agreement also contains data protection clauses. For the purposes of compliance with the GDPR, there is no need to ever share a joint controller agreement (or a processing agreement, for that matter) with the patient. However, the essence of the arrangement between two or more controllers must be made available to the data subject (see article 26(2) GDPR). In my opinion, the ideal location to do so would be the privacy notice or the patient information letter insofar as the privacy notice is already included therein.
GDPR-consent
To ensure the validity of GDPR-consent, it will be necessary to clearly deviate between GDPR consent and the other consents as well as between consent for various processing purposes (see article 7(2) GDPR and recital 32 to the GDPR). That processing in a clinical trial setting is based on data subject consent is not an established fact by the way. Although in the Netherlands consent is seen as the default, various member states have differing opinions and follow the line set by the European Commission in its opinion on data processing and the CTR . The Commission opinion contains another example of the infantilization of the patient. In the opinion, the European Commission emphasizes that consent for the processing of personal data in the context of a clinical trial will rarely qualify as freely given (a key criterium to obtain valid consent) due to the dependence of the patient on its physician and possible from the clinical trial. While there is absolutely a valid point in that approach, it feels somewhat contradictory that a patient can freely elect to participate in a clinical trial from the perspective of bodily autonomy to be treated with medication of which the safety has not yet been established, but apparently not freely decide that he or she would like his or her data to be used to establish the safety and efficacy of the research product and to bring the medical device or medicinal product to the market. It even assumes that a patient would never be able to consent to medical treatment because of dependency on the healthcare professional.
Transparency
Any data subject, not just a patient participating in a clinical trial, has the right to be adequately informed about any processing of personal data in a transparent manner. Transparency entails that the data subject is informed in a manner that is in line with the patient’s level of understanding. Where consent is required, the European legislator explicitly emphasizes that any preformulated declaration of consent should be provided in an intelligible form and should be written in clear and plain language (see recital 42 GDPR). Consequently, the information provided to the data subject looking to participate in a clinical trial should make clear what data processing will ensue upon inclusion in the clinical trial.
What is included in an informed consent form is determined by the sites and the sponsor individually and is influenced by both the protocol and the site agreement. When we look at the standard contract templates used by the Dutch Clinical Research Foundation (DCRF) and the Central Committee on Research Involving Human Subjects (CCMO) for site agreements, not only does the sponsor have processing purposes that evolve beyond joint control (most notably: obtaining a market authorisation / obtaining a CE-mark) but sites have these as well (education, internal research). The informational notice (whether included in an informed consent form or not) should address both the purposes subject to joint control and the individual purposes of the controller.
The purposes of obtaining a marketing authorisation / obtaining a CE-mark / fulfilling the legal obligation to conduct post-market surveillance / pharmacovigilance are both individual and legitimate processing purposes that are important for the healthcare sector in general and the patient population in particular.
Anonymization
The fact however that the article states that certain companies are satisfied with anonymized or pseudonymized data and that other companies to the contrary want to obtain all data available, claiming ownership of personal data (note that this was a rough translation on my part and not a direct quote), means that several key points were overlooked. For example, the Follow the Money article addressed that several agreements that were made public as a result the Freedom of Information Act request contained ownership clauses concerning the data resulting from the clinical research. Ownership of personal data is not possible. However, it may be that the site agreements merely addressed study outcomes and the documentation embodying those. Personal data may have been the source for such study outcomes and developments created during and in relation to the study. It is possible to claim contractual ownership. Developments and inventions may also be subject to intellectual property rights. This can however not be ascertained without looking into the agreements itself and may differ between the various agreements. This is however not the point I want to discuss in relation to this claim.
Where a company sponsors clinical research and is involved in the drafting of the study protocol, such party qualifies as controller in relation to the study data (see the aforementioned guidance from the European Data Protection Board). It does not matter that the controller does not hold all personal data (directly identifying patient information in this case), the fact that it was collected on his behalf suffices because the sponsor determines means and purposes of the processing (in collaboration with the study site(s)) (see again the aforementioned guidance). In other words, for the sponsor of a clinical trial, the personal data collected via the clinical trial will never qualify as anonymized data for the sponsor during the clinical trial and many years after. Only upon irreversible destruction of the investigator site file which contains the informed consent forms after the legal retention period upon completion of the clinical trial period has lapsed, it may be possible to achieve a sufficient level of anonymization to speak of anonymized data. It will be difficult to imagine a situation in which a sponsor of a clinical trial (or even a registry for that matter) will be able to obtain anonymized data prior to the end of the retention period.
Once data becomes anonymized, the question rises whether the data will always be considered anonymized from that moment onward. This will depend on various factors at that moment in time in which anonymization is considered (not only the moment on which anonymization techniques are first applied) including but not limited to all the techniques used, other data that is available to the party holding the data (privately or in the public domain), available technology at the moment the directly identifying data are deleted and the costs and amount of time required for identification (see recital 26 to the GDPR). Albeit not listed in the GDPR as a relevant criterium, the nature of the data will also play an important role. There is more and more discussion about whether genetic data can actually be anonymized, although this will again require a case-by-case assessment which should take the scope of the genetic data involved in account (i.e., the whole genome versus a specific gen). Regardless thereof, usually, personal data available in a study will undergo key coding as a form of pseudonymization rather than anonymization.
Billboards?
The Follow the Money article states that consent is also obtained for marketing purposes and quotes a privacy lawyer who states that a broad clause concerning marketing may mean that a patient who participates in a clinical trial could end up on a billboard. In my experience, research agreements prohibit reidentification of the patient and as the identification key is held by the hospital, it seems impossible that specific study participants are identified by the sponsor. Not identifying study participants is not only a contractual principle but a core principle of scientific research as it ties directly to the blinding of the clinical trial. It would also be contrary to the basic principles of good clinical practices. Furthermore, the release of study data into the public domain likely would qualify as a separate processing purpose which requires its own legal basis apart from the general purpose of ‘marketing’. My expectation – again without reviewing any of the documents involved and without being aware of the intention of the sponsors involved – would be that the marketing either refers to placing a product on the market or that it refers to statistical information used in advertising material for health care professionals once the device has been placed on the market or the medicinal product has obtained its marketing authorisation, for example to indicate the efficacy of the treatment. It seems unlikely – in general – that a study participant will be singled out for advertorial purposes without that patient’s explicit informed consent for this purpose. Again, the patients may have their own motives for participating, such as removing the shame patients experience around a specific medical condition. Also, billboard advertising is largely visual in nature and for the use of photo’s separate agreements are necessary in relation to the intellectual property rights.
It is paramount in this respect that parties recognize that marketing (meaning advertorial activities) and placing on the market (the first making available of a medical device on the market) / obtaining a marketing authorisation (an authorisation for making a medicinal product available on the market) are entirely different things. The reference to the market in the latter two categories means that the medical device or medicinal product becomes available to patients and/or health care providers. This is by nature not advertising. Marketing is however a very broad category, so for the sake of transparency, more information should be given to the patient in the ICF/privacy notice. This however does not mean that such further information should also be reflected in the agreement with the hospital. After all, the hospital should, as a joint controller, be involved in the drafting of the ICF, and is thus able to review the exact details of the information given to the patient.
Conclusion
Let me be clear that I believe patients should be taken much more seriously. Blanket statements that medical confidentiality can never be lifted in relation to research with a commercial sponsor, regardless of the patient’s consent is a very negative interpretation of the principle and right of medical confidentiality and do not give sufficient value to the considerations of the patient. It also overlooks that the research parties have an obligation in light of informing the potential research participants. While the strict interpretation of the principle of medical confidentiality does mean that a physician must also make its own assessment of whether medical confidentiality may be lifted, this does not mean that such assessment must always be negative in nature.
The assumption that medical confidentiality cannot be lifted shows that the hospital and physician have not taken their tasks in relation to the research documents (both agreements and study ICF) and the informing of the patient seriously. If they have discussed all aspects of the ICF and agreement with the sponsor, physicians will not be in the position where they agree to participate in the collection of personal data for purposes that they feel cannot lift medical confidentiality for. This will however mean not only negotiating the agreement and ICF on a legal level but also looking into the consequences of the processing activities deviated on a level that may currently not always be considered. In the end, such more in-depth approach will only benefit the individual participants but also benefit society and the healthcare sector.
*With thanks to my colleague Erik Vollebregt for his valuable comments to the draft version of this blog post.
About. This blog is written by Cécile van der Heijden, an attorney-at-law specialized in EU data protection law in the life sciences sector and healthcare law and Floris van der Laan, a paralegal with an interest in technology and its connection to EU privacy and data protection law. Both are Amsterdam-based.
This blog is written with the intent to provide interesting updates about legal developments in the life sciences sector and to share thoughts about legal aspects of data protection law and life sciences specific legislation.
DISCLAIMER. This blog is written strictly on a personal title and does not reflect the opinion of our employer. Posts on this blog, including reactions and comments from authors, cannot replace legal advice and do not lead in any manner to an attorney/client relationship. If you would like to seek legal advice from us, please reach out to us via cecile.vanderheijden@axonlawyers.com
Follow us on: https://www.lifesciencesprivacyblog.com/feed
Life Sciences & Privacy Blog 