Privacy Regulations Impact on Global Clinical Trial Endpoint Adjudication
New privacy regulations seem to form every few months, especially with individual U.S. states adopting their own privacy regulations (e.g., the California Consumer Privacy Act or CCPA). Endpoint adjudication committees (EACs), also called clinical event committees (CECs), receive potentially identifiable research data from all over the world. Because of this, they need to stay abreast of these rapidly developing requirements and have systems in place to ensure data compliance and protection. This blog explores what it takes for an EAC/CEC to adequately support worldwide clinical trials.
The Global Reach of EACs and CECs
Pivotal research typically happens globally, from North America to Asia to Europe, and everywhere in between. While sponsors may have country- or region-specific regulatory support, there is typically just one EAC/CEC covering all worldwide data. Having one set of adjudicators across the entire trial aids consistency of determinations and allows for a central decision-making framework.
For the independent EAC/CEC administrators, this means information about events happening worldwide needs to be adjudicated. And those pieces of medical records data, scans, electrocardiogram (EKG) results, Digital Imaging and Communications in Medicine (DICOM) materials, and other source materials typically have some form of privacy regulation attached to them from the source country.
Even if the materials are sufficiently redacted by the site or sponsor, most pieces of information in the adjudication dossier are coded with a participant number. In the world of international privacy regulations, that code number can mean the data or images might as well, for all intents and purposes, have the participant’s name on them. This means that even if you code the data, the international privacy regulations apply – even if the Health Insurance Portability and Accountability Act (HIPAA) does not.
A Global Patchwork of Regulatory and Privacy Standards
The list of privacy regulations is as unique as the countries that make them:
- European Union’s General Data Protection Regulation (GDPR)
- China’s Personal Information Protection Law (PIPL)
- Brazil’s General Data Protection Law (LGPD)
- The United Kingdom’s version of GDPR
- Thailand’s Personal Data Protection Act (PDPA)
- Israel’s Protection of Privacy Law (PPL)
- South Africa’s Protection of Personal Information Act (POPIA)
- The Nigerian Data Protection Regulation (NDPR)
- The U.S. HIPAA
A recent report from the United Nations Conference on Trade and Development (UNCTAD) indicated nearly 80% of the world’s countries either have or are developing privacy regulations. Almost all of these regulations affect the type of data the EAC/CEC needs to complete its evaluation of individual clinical events occurring in a clinical trial.
Source: United Nations Conference on Trade and Development
EAC and CEC administrators also need to consider that each of the 50 U.S. states and individual EU zone countries may have privacy regulations that go beyond HIPAA or GDPR (e.g., California’s CCPA and Virginia’s Consumer Data Protection Act or VCDPA).
With this global patchwork comes the responsibility of the EAC/CEC administrator to address and adapt to each.
How do These Frameworks Apply to Information Sent to the EAC or CEC?
The core role of an EAC/CEC is to have medical experts independently evaluate a clinical event to determine if a defined endpoint or clinical threshold has been met, or if the event should be categorized in some way (e.g., was it caused by the study drug or an underlying condition). Such an activity certainly requires medical judgement and access to a lot of associated medical information to make the determination on the event.
Sponsor- or site-provided information is compiled by the EAC/CEC administrator into a dossier, which the adjudicators use to make their event assessments. Sites or sponsors almost always redact this information to remove and replace overtly identifiable information. It would be very rare for an EAC/CEC to need to see identifiable information in order to make its adjudication determinations. Under the U.S. HIPAA privacy framework, this redacted and coded information would likely be considered a de-identified data set, and thus not covered under HIPAA at all.
In contrast, for coded information coming from EU zone GDPR countries, or from other international privacy regulation regimes modeling GDPR’s framework, the coded information received by the EAC/CEC would likely be considered pseudo-anonymized data. Therefore, it would still be protected under the source country’s applicable privacy protections.
What do You Need to Keep in Mind?
An organization that understands the implications of worldwide privacy regulations and their impact on research will be more successful and reduce regulatory risk. The CEC/EAC administrator’s adjudication platform and associated company policies and procedures need to conform to all applicable privacy standards. Sponsors, contract research organizations (CROs), and sites need to work with a reputable partner for independent EAC/CEC administration.
Depending on the privacy regulation, the sponsor will typically consider the EAC/CEC administrator to be a data controller. Therefore, the sponsor organization would need to have appropriate policies and procedures in place, as the controller organization, to verify their associated data processors (e.g., the EAC/CEC administrator) conform with applicable regulatory standards.
With this in mind, it’s important to work with an EAC or CEC administrator who understands the diverse global data regulation landscape. A partner experienced in navigating this space likely has at least consulted with experienced international privacy experts to help ensure the EAC or CEC and associated enabling technology are properly set up to meet the necessary regulatory requirements.
What Else Should Sponsors Think About?
Sponsors need to think about more than just privacy regulations when considering who to work with for independent EAC/CEC administration. They also need to consider technical regulations applicable to the adjudication platform used by the administrator.
For worldwide clinical trials, the adjudication platform likely needs to comply at a minimum with U.S. FDA Part 11 and EU Annex 11, be operated in a SOC 2 compliant data center, and be developed following a GAMP 5 validation methodology.
An EAC/CEC administrator’s adjudication platform should conform with these basic international validation standards in order to compliantly provide adjudication services on a worldwide clinical trial.
Bottom line: Running a worldwide clinical trial is not easy. It takes discipline and a deep understanding of the rules. The independent EAC/CEC supporting the trial needs to be just as well versed in those rules, so working with an experienced partner who has a dedicated focus on these issues is key to the smooth operation of the trial and protection of the participant’s data.