Featured Article
What is the GDPR and does it Apply to Our Work?
Brandy Heckman-Stoddard, PhD, MPH (Chief of the Breast and Gynecologic Cancer Research Group) Colleen Woodworth, J.D. (Compliance Officer, Frontier Science Foundation)
The General Data Protection Regulation (GDPR) was passed by the European Union in an attempt to strengthen various data provisions on behalf of data subjects and became effective in 2018. The primary goals of the GDPR are as follows: 1) enhanced protection of EU citizens’ data, 2) harmonization of EU data privacy laws, and 3) expanded and more stringent enforcement. Covered “Personal Data” encompasses any information collected that could directly or indirectly identify an EU citizen and includes a vast array of data items, both direct, such as name and address, and some more indirect, such as dates and treatment information. Notably, health information pertaining to diagnosis, treatment, and genetics is deemed to be an especially sensitive form of data requiring more stringent safeguards. The GDPR extends its reach outside of the EU and affects any foreign organizations that “offer goods or services to, or monitor the behavior of, EU data subjects,” regardless of whether the company or the data in question physically reside within the EU. This means that when a U.S. sponsor is processing data from subjects within the EU, the requirements of the GDPR must still be followed.
The GDPR has been interpreted to apply to clinical trials and clinical work where the data subjects are the research participants. Typically, the regulation is aimed at two primary entities, a “data controller” and a “data processor.” In the case of CP-CTNet, the controller is either the LAO or jointly the NCI and the LAO, as the entity who has the authority to determine which data will be collected and how it will be used. This will depend on who is holding the IND for the study. For IND-exempt studies or studies where the investigator holds the IND, the LAO can negotiate the agreement directly with the European site, making sure that the requirements of the network can be met. For studies where DCP is the IND-holder, DCP needs to be involved in the negotiation so it will need to be a 3-way agreement between NCI, the European site, and the LAO. The processor in a trial is any entity tasked with assisting the controller in actually gathering, storing, transferring, or otherwise processing the relevant information. In the case of CP-CTNet, the processor is the DMACC and the sites accruing to the study. LAOs negotiating the agreement with the sites may need to identify a Data Protection Officer (DPO), which must be a named person (i.e., an entity cannot simply indicate that they have a DPO, rather, it must be a specific person) to act as the interface between data subjects and data protection authorities located in the EU in the case of any complaints or data breaches. For the study in CP-CTNet that is currently dealing with GDPR, the DPO is a named individual within the European site conducting the study.
The GDPR expands greatly on the rights of data subjects. These individuals are provided a number of named rights under the regulation in terms of the information that they are entitled to receive about their data, as well as requests that they may make to the data controllers and processors. These include, in summary, the following:
- the right to obtain confirmation as to which personal data concerning them is being processed, where, for what purpose and to whom it is being transferred.
- to be provided with a copy of the personal data, free of charge, in a transferrable electronic format (to allow potential change of provider).
- to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing/transferring of the data.
The three data subject rights that will have the greatest impact on clinical research are the rights of access, erasure, and portability.
The right of access provisions allow data subjects to request that a controller provide them certain information pertaining to their data, including confirmation that personal data is being processed, where it is being processed, and for what purpose. If requested by a data subject, controller is required to provide a copy of data to the subject free of charge in an electronic format.
The right to be forgotten (“data erasure”) allows a data subject to request that a controller permanently delete any data that is on file that pertains to that data subject. The difficulty with this section of the GDPR is that it conflicts with various clinical trial regulations regarding audit trail compliance, as well as rules such as those established by the FDA that prevent any data collected in relation to a clinical trial from being erased. In prior agreements for GDPR made by the NCI Therapeutics group, data erasure has not been allowed. Data erasure for the purposes of our research is exempt in accordance with the GDPR preamble as well as Article 89.
The GDPR also requires data portability for data subjects, meaning that they should theoretically be able to move all their data from one provider to another as if it were a piece of physical property. Again, in the context of clinical trials, the data value comes from being part of the dataset. Data sharing is also a requirement of NIH funding and thus the sharing is governed by the requirements of the network.
How are we expected to comply with the GDPR?
Informed consent is a critical element under the GDPR, as data subjects must be fully informed as to how their data is proposed to be utilized. Therefore, consent processes must now be much clearer and have explicit opt-in, requiring obvious affirmation from the individual on data processing. It likewise must be easy for them to withdraw this consent. However, under GDPR, all companies must use legible terms and have removed legal language from data privacy consent processes. It must become clear that not only the patient is participating in a trial, but that the patient explicitly consents to the collected data being processed, typically by an additional checkbox. In addition, any entities conducting clinical trial work may need to consider the appointment of a DPO as described above, and all entities on the trial must ensure that there are adequate protections in place to prevent the inadvertent breach of participant data. This may take the form of various security controls and processes aimed at protecting any data in possession of the entity.
The controller, the LAO, on a specific project should have policies and procedures in place to describe how compliance with the GDPR will occur. Controllers may be required to post a privacy notice on any public facing websites. If applicable, the appropriate place for this posting will need to be discussed as part of the agreement. These policies and procedures should likewise mention, in sufficient detail, which organizational and logistical approaches are being taken to ensure for the security and confidentiality of the participant data, as well as what steps will be followed in the event of a data breach as described below.
Last, all participating entities on the trial must ensure that all employees are trained as to what action should be taken in the event of a breach. The GDPR defines a “breach” as an “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.” If a breach does in fact occur, the organization must provide notice to an EU member’s state data protection authority within 72 hours after the breach is identified. Any participants affected by the breach must likewise be notified of the incident “without undue delay.”
DMACC Updates
Data Management and Reporting Unit
SVAR Process and Study Builds in Rave for New Studies
During this quarter, DMACC started working with LAOs to create two SVARs (NWU21-08-01 and UAZ21-07-01), continued to make progress on six SVARs (INT21-05-01, MDA20-02-01, MDA21-06-01, UMI21-05-01, UWI20-04-01, and UWI21-06-01), and finalized three SVARs (MDA20-01-01, UAZ21-06-01, and UWI20-00-01). During the next quarter, DMACC plans to start working with LAOs to create two additional SVARs (INT22-09-01 and UMI22-09-02). Work is also ongoing on the study builds in Rave for eight studies, with three on track to be completed by the end of June (MDA20-01-01, UAZ21-06-01, and UWI20-00-01).
Virtual Specimen Repository
The Virtual Specimen Repository Group met on May 24. DMACC shared a functional prototype of the Virtual Specimen Repository website during this meeting. The CP-CTNet Virtual Specimen Repository will allow Portal Gateway users to graphically view specimen repository data, including number and type of specimens collected, participant counts, and mechanisms for filtering that data by a variety of criteria (e.g., age, race, ethnicity, sex, and time of collection).
Data from UAZ and NWU for studies UAZ20-01-01 and NWU20-02-01 continue to funnel to DMACC in real time.
Meetings
Study Initiation Meetings (SIMs) were held for five studies during this quarter, including MDA20-01-01, MDA21-06-01, UAZ21-06-01, UWI20-00-01, and INT21-05-01. Two Cross-Network Collaboration (CNC) calls were held on May 2, 2022 and June 29, 2022.
Documentation
DCP and DMACC collaborated to update the following documentation on cp-ctnet-dmacc.org:
- SOP 01-01 Essential Documents
- SOP 03-03 LAO Oversight Activities
- DCP Delegation of Tasks Log
- DCP Delegation of Tasks Log-Site Principal Investigator
- DCP Delegation of Tasks Log-Individual Staff
- DCP Delegation of Task Log Master Task List
Educational Content
DMACC offered 13 training sessions for CP-CTNet members during April, May, and June. Training session topics included the Medidata Rave recruitment journal, the CP-CTNet DMACC website and Portal Gateway, the protocol deviation reporting and review process in Medidata Rave, and the Stars and Medidata Rave enrollment flow. To see a list of upcoming training and to register, go to the Training Registration page on the Portal Gateway.
Clinical Trials Auditing Unit
Northwestern University will be hosting the Audit Team for CP-CTNet’s first on-site audit July 13-15, where we will conduct audits for three of their open studies (NWU20-01-03 Lisinopril-Liver, NWU20-02-01 Metformin/Megestrol-Endometrial and NWU20-02-02 Atorvastatin-Colon). The Audit Team will also be travelling to Cedars-Sinai Medical Center July 27-28 to conduct an audit of NWU20-01-03 Lisinopril-Liver.
The Auditing Unit also recently collaborated with DCP and the LAO Coordinators to revise several SOPs to support auditing activities within the network. We hope you find these to be helpful resources. Major updates have been made to SOP 03-03 LAO Oversight Activities and we thank the LAO Coordinators for their review, feedback, and helpful contributions to these SOP revisions.
Another focus of the Auditing Unit is to revise the Audit System application that was released at the end of October 2021. Phase 1 of the updates have been implemented and we are looking forward to using the system at our upcoming audit visits. The Audit System will be demonstrated to the network once all phases have been implemented.
Administrative and Coordinating Unit
I-SCORE 2022 Meeting
Thank you to all the meeting organizers, presenters, moderators and participants who attended the 2022 I-SCORE Meeting on March 31 and April 1. Despite a change to a virtual format again, over 160 people attended from all over the world.The meeting provided a great opportunity for information-sharing and collaboration between DCP staff and Consortia/CP-CTNet members. Dr. Leslie Ford, Associate Director of Clinical Research at DCP, kicked off the meeting and expressed excitement about future advances in the field of cancer prevention. Dr. Eva Szabo provided an overview of both the Consortia and CP-CTNet Programs, including the science and status of the Consortia studies. For CP-CTNet, Dr. Szabo reviewed the infrastructure, approved concepts, and program logistics. The agenda for the meeting can be viewed on the DCP website.
We are already looking forward to next year’s meeting. I-SCORE 2023 will be held in-person in Rockville, MD with a virtual option on March 30-31, 2023. More information about the 2023 meeting will be circulated when it becomes available.
Madison Annual Site Visit
On June 13 and 14, DMACC hosted colleagues from DCP and Frontier Science in Madison, WI for the annual site visit. This is the first in-person CP-CTNet meeting since October 2019. DMACC presented on many of the initiatives that have been in progress since funding first began and plans for the future to advance the goals and mission of CP-CTNet.
Network Updates
Equity, Diversity, and Inclusion (EDI) Committee Updates
EDI for Education: A learning needs survey was sent to the LAOs/AOs to complete. We had a great response rate! DMACC analyzed the data and the committee plans to share the results at a meeting in August 2022.
EDI in Clinical Trials: The committee is discussing best practices, improving the protocol template to address inclusion, how to improve recruitment strategies and will be directly addressing exclusion/inclusion criteria.
EDI Staffing: Dr. Howard Bailey is polling CP-CTNet sites regarding their EDI policies related to staff recruitment and retention. The committee is considering options for how to evaluate the level of staff diversity of CP-CTNet.
Research Funding Opportunities
For a list of funding opportunities, check the Funding Opportunities page on the CP-CTNet DMACC website.
The Division of Cancer Prevention and the Division of Cancer Control and Population Sciences are happy to announce that the Clinical Trials Planning Grants FOAs have been published. A webinar will be held in the coming weeks to discuss the mechanism and answer any questions. The first submission date is October 25. Please reach out to the individuals listed in the FOA for additional questions and if you plan to apply. Remember that if you plan to conduct your study through one of our cooperative agreement programs, then you must apply to the U34 (not R34) mechanism.
New FOAs:
- PAR-22-173: Cancer Prevention and Control Clinical Trials Planning Grant Program (R34 Clinical Trials Optional)
- PAR-22-174: Cancer Prevention and Control Clinical Trials Planning Grant Program (U34 Clinical Trials Optional)
- PAR-21-330: Utilizing the PLCO Biospecimens Resource to Bridge Gaps in Cancer Etiology and Early Detection Research (U01 Clinical Trial Not Allowed)
Publications
The CP-CTNet Publication Guidelines were approved and were emailed out to network colleagues and were also posted to the CP-CTNet DMACC website.
Active and DCP-Approved Studies
A list of active and DCP-approved studies is available on the Trials page on the CP-CTNet DMACC website. Each trial includes the DCP ID, clinicaltrials.gov ID, Status (recruiting or not yet recruiting), the study start date, and a link to a trial-specific information page once trial information is available on ClinicalTrials.gov.
Upcoming Events
Meetings and events can be found on the Meetings and Events page on the CP-CTNet DMACC website.
- July 25, 2022 External Advisory Committee Meeting with the DMACC
- July 29, 2022 Quarterly Steering Committee Meeting (Virtual)
- September 7-9, 2022 Translational Advances in Cancer Prevention Agent Development (TACPAD) Virtual Workshop on Immunomodulatory Agents
-
October 28, 2022 Quarterly Steering Committee Meeting (Virtual/possibly in person in MD)
Cycle # Steering Committee Date Concept Solicitation Date Concept Due Date 12 July 29, 2022 Aug. 5, 2022 Oct. 5, 2022 13 Oct. 28, 2022 Nov. 4, 2022 Jan. 9, 2023