Today is Data Privacy Day, an international initiative to promote privacy and data protection best practices among businesses and organizations. It is also an opportunity to inform people of their privacy rights and the impact technology may have on them.
In the conduct of clinical trials, investigators and clinical trial sponsors are responsible for ensuring the rights, integrity, and confidentiality of participants are protected. This encompasses aspects from recruitment and informed consent, through to the conclusion of research activities and the retention and destruction of data. Here are ten reminders and tips for investigators because, while the duties of a study may be delegated, responsibility may not.
- Understand your institution’s privacy requirements and information security policies. If you are the lead investigator, you must also understand these policies at affiliated institutions. Keep in mind that privacy regulations vary by province.
- Make privacy and information security a line item in your grants and protocols. Designate a member of the study team with a privacy role and allocate time and resources to this task.
- Implement physical, organizational, and technological measures to safeguard the personal data of trial participants. For example, ensure adequate support for the infrastructure needed to implement best practices, including appropriate space for the confidential conduct of research activities and secure storage for source documents, and apply a policy of segregation of duties for data collection, supported by a role-based access model for electronic data capture platforms.
- Only collect data you need. Ask yourself, is this data point required to fulfill the research objectives?
- Participants’ initials should not be collected on data collection forms or in a clinical trial database. Random letter-code generators or sequential letter-codes (e.g. AAA, AAB, AAC …) are good alternatives.
- Collect full birthdate only when necessary. A full birthdate in a pediatric trial may meet an REB’s approval, for example. Otherwise, collect the participant’s age at screening or, better still, use ranges (e.g. participant is 21-25, 26-30, 31-35, etc.).
- Anticipate and explicitly document likely future uses or collaborations, defining scope and purpose. If a data point is not in the protocol, it should not be in the clinical trial database!
- Understand that identifiable data is a continuum, from direct identifiers such as name, address, and birthdate to indirect identifiers such as geographic location, named facilities, or dates and characteristics (e.g. rare health conditions) on a medical history form.
- De-identify data as soon as possible, segregating personal information from clinical trial data. Encrypt electronic files that link clinical trial data to personal information.
- Limit the devices you use to access data containing personal or identifiable information, and encrypt all devices used to store, access or transfer such data. Cloud-based platforms (e.g. Gmail, SurveyMonkey) may store data on servers in the US and be subject to US laws.
- Participant consent is a dynamic process. This is especially true for qualitative research where, for example, open-ended interview techniques are used; the personal data collected may not always be anticipated at the outset of the interview. Ongoing discussion of consent with research participants is the best way to protect the privacy of individuals and communities.
- Understand your responsibilities in reporting data breaches. These vary by province. If the provincial regulations do not require you to report a data breach, consider whether you are required to do so by your obligations to research participants.
- Make appropriate arrangements, financial and otherwise, for the required length of data retention and for data destruction. Note that your files may be subject to US laws if stored in US-owned data storage facilities.
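
The tips on letter-codes, age ranges and segregating personal information from trial data can be combined in one de-identification step. The Python sketch below is an added example, not code from the original post; the record fields, the `under 21` label and the sample participants are constructed assumptions.

```python
import itertools
import secrets
import string
from datetime import date

LETTERS = string.ascii_uppercase

def sequential_codes(length=3):
    """Yield AAA, AAB, AAC, ... in order (note: order reveals enrolment sequence)."""
    for combo in itertools.product(LETTERS, repeat=length):
        yield "".join(combo)

def random_code(used, length=3):
    """Draw an unused random letter-code that is unrelated to the participant's name."""
    if len(used) >= len(LETTERS) ** length:
        raise ValueError("code space exhausted; increase length")
    while True:
        code = "".join(secrets.choice(LETTERS) for _ in range(length))
        if code not in used:
            used.add(code)
            return code

def age_band(birthdate, screening, start=21, width=5):
    """Map a birthdate to a range such as 21-25 or 26-30 at the screening date."""
    had_birthday = (screening.month, screening.day) >= (birthdate.month, birthdate.day)
    age = screening.year - birthdate.year - (0 if had_birthday else 1)
    if age < start:
        return f"under {start}"  # assumption: the example ranges begin at 21
    low = start + (age - start) // width * width
    return f"{low}-{low + width - 1}"

def deidentify(records):
    """Split records into (link_table, trial_data) joined only by a letter-code."""
    used, link_table, trial_data = set(), {}, []
    for rec in records:
        code = random_code(used)
        # Personal information: store apart from the trial database, encrypted.
        link_table[code] = {"name": rec["name"], "birthdate": rec["birthdate"].isoformat()}
        # Trial database: code, coarse age and protocol data points only.
        trial_data.append({"participant": code,
                           "age_band": age_band(rec["birthdate"], rec["screening"]),
                           "systolic_bp": rec["systolic_bp"]})
    return link_table, trial_data

# Constructed sample records, not real participants.
SAMPLE = [
    {"name": "Jane Example", "birthdate": date(1998, 6, 15), "screening": date(2024, 1, 28), "systolic_bp": 118},
    {"name": "John Sample", "birthdate": date(1995, 1, 28), "screening": date(2024, 1, 28), "systolic_bp": 131},
]

if __name__ == "__main__":
    links, data = deidentify(SAMPLE)
    print(data)
```

Only the link table can re-identify a participant, so it is the file to encrypt and restrict; the trial data can be shared with the wider study team under the role-based access model.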
For more information on privacy and data protection best practices, please see:
Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans – TCPS2 (2018)
International Council for Harmonisation Guidelines
CIHR Best Practices for Protecting Privacy in Health Research (September 2005)
Good Clinical Data Management Practices (GCDMP)