COVID-19: ANSM guidance on Data Protection requirements for on-going trials

ANSM guidance underlines that adjustments to on-going clinical trials in the context of Covid-19 must comply with French Data Protection law requirements

French data protection law on health research applies to all sponsors, whatever their country of establishment, when they perform clinical trials in France.

In the context of Covid-19, the ANSM – the French Medicines Agency – now allows for adjustments to clinical trials, and has published guidance explaining which adjustments are possible and under which conditions.

However, the ANSM made very clear that any adjustment must remain in line with the rules governing data protection.

Home delivery of medicines and health products

With respect to home delivery of medicines and health products, which is made in order to avoid unnecessary visits of patients to the site, the ANSM underlines that the requirements of the “reference methodology” MR-001[1] from the CNIL must be complied with and explains which information notice requirements must be followed in this specific case.

Notably:

• the subcontractor of the sponsor in charge of the delivery (a processor in the meaning of the GDPR) who gets access to the identification data of the study subject necessary for the purpose of the delivery (such as name, address, phone number…) should not get access to any health data of the patient,
•  in particular, the reference code of the trial transmitted to the subcontractor in charge of the delivery must not allow to reveal a pathology or any health information about the study subject – this means that the trial reference code provided to the subcontractor cannot be the one associated to the trial in public communications or public databases; otherwise, information about the fact that the trial concerns – for example – cancer, would amount to provide the subcontractor with health data,
• the patient must be informed about the identity of the subcontractor, the categories of her/his personal data that will be disclosed to or be accessible by the subcontractor, and about the mission the subcontractor is entrusted with by the sponsor.

Concerning the new information which must be given to the patient about the processing of his personal data by the subcontractor for purposes of delivery, the ANSM considers that such information should be provided in two-steps, as follows:

• Firstly, the site must reach out to the patient before the delivery of the products to inform him about the necessity to communicate his identity and address to the subcontractor for such delivery, and must keep record that the patient does not object,
• Secondly the patient must then be informed with a written and detailed notice  (which can be sent to him by mail, or can be provided together with the packaging of the product, or else by any other means used to communicate with the patient).

In practice, this means that a two-layered approach must be followed: first a short information prior to the delivery which can be for instance by phone, and then a complete written information notice, fully compliant with the GDPR and MR-001, to be provided at the latest at the time of delivery.

Data quality monitoring

The ANSM recalls that in case the lock down prevents the performance of monitoring on site, no transmission of copies of medical records or remote access to electronic medical records should be authorized, even if the data is pseudonymised.

This is in line with the principle of medical secrecy and the confidentiality of personal data, and the MR-001 from the CNIL.

[1] The “reference methodology” MR-001 is a standard established by the CNIL (the French Data Protection Authority) specifying all the data protection conditions governing the clinical trial. Compliance with this reference methodology enables to avoid requesting a specific authorization from the CNIL to perform the trial. If compliance to MR-001 is not possible, an authorization must be obtained from the CNIL.