June 13, 2021

Volume XI, Number 164

Advertisement

June 11, 2021

Subscribe to Latest Legal News and Analysis

June 10, 2021

Subscribe to Latest Legal News and Analysis

CNIL Issues Provisional Recommendations for Remote Quality Control of Clinical Trials During the Health Crisis

Given the challenges of conducting clinical trials during the COVID-19 pandemic, many countries — including France — have allowed for some use of remote quality controls. In response to guidelines issued recently by European health authorities, the French Commission Nationale de l’Informatique et des Libertés (CNIL) has issued recommendations designed to ensure the protection of compliant processing of personal data. Clinical research associates (CRAs) must be aware of these recommendations and implement appropriate methodologies and safeguards.

In Depth


Since the onset of the COVID-19 pandemic, the French Commission Nationale de l’Informatique et des Libertés (CNIL) has noted that the health crisis has led to a change in the way quality controls are conducted on behalf of the sponsor of a research project within an investigation center. Clinical research associates (CRAs) in charge of these controls are often no longer able to conduct the controls on the center premises.

In light of guidelines issued by European health authorities on this topic in February 2021 (and updated as recently as 2 April 2021), the CNIL has issued a number of recommendations for the conduct of remote quality controls. These recommendations are designed to ensure that personal data is protected and processed in compliance with relevant requirements and reference methodologies.

Generally, the CNIL calls on sponsors and CRAs to be extremely vigilant when conducting remote controls and, following consultation with the data protection officers (DPOs) of both the sponsor and the investigation center, to implement procedures and policies to ensure compliance, and to document precisely the modalities used in order to demonstrate such compliance. These recommendations by the CNIL are temporary and will expire one month following the formally declared end of the health emergency.

The recommendations cover the following areas, among others:

Filings. Remote quality controls are considered by the CNIL as not compliant with the provisions of the reference methodologies (applicable to research). However, if this is the only deviation of the processing from the applicable methodology, it is not necessary to file a specific authorization request with the CNIL.

However, the CNIL reminds researchers that such remote quality controls are considered a substantial modification of the trial, that the Committee for the Protection of Individuals must be consulted for its opinion, and that the National Agency for the Safety of Medicines and Health Products (L’Agence nationale de sécurité du médicament et des produits de santé, or ANSM) must be informed of any such deviation.

Information. The CNIL advises that the data subjects must be informed in advance regarding remote monitoring modalities. For ongoing studies, the information notice must be updated and provided to trial participants.

Confidentiality and security. Specific measures must be put in place to ensure the confidentiality of data access, including:

  • Legal measures, such as the CRA signing a confidentiality agreement (even though the CRA is already subject to medical-secrecy requirements).
  • Enhanced security measures, such as using certified health data hosting; allowing no recourse to a service provider subject to US law or to regulations in countries that do not provide a sufficient protection against access by the authorities; allowing the CRA read-only access to the information, with restricted export possibilities, etc.

The CNIL also provides recommendations for the use of videoconferencing tools, file exchange platforms and access to electronic medical records.

For additional detail, the full text (in French only) of the CNIL’s recommendations are available here.

© 2021 McDermott Will & EmeryNational Law Review, Volume XI, Number 130
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

Lorraine Maisnier-Boché Data Protection Attorney McDermott Will & Emery Paris, France
Associate

Lorraine Maisnier-Boché focuses her practice on data protection and information technology (IT) law.

She has deep experience in the digital and IT sector as well as the health care industry, frequently advising health care professionals, hospitals, governmental entities, insurance companies, medical device manufacturers, software editors and hosting service providers on complex IT projects.

Lorraine has a strong background in data protection, and regularly advises on GDPR compliance programs, international data transfers, marketing and profiling actions, sensitive data (e.g...

33 1-81-69-14-77
Romain Perray, McDermott Law Firm, Paris, Data Privacy Attorney
Partner

Romain has extensive experience in data privacy and data protection law, and lectures on these subjects in Master of Law classes at the University of Paris-I Panthéon-Sorbonne, the University of Paris-II Panthéon-Assas and the University of Paris V Descartes. He advises on the full range of data protection and data security for clients in life sciences, automotive, insurance, e-commerce, leisure, social networks and even the public sector, especially in the context of smart cities projects.

331-8169-1527
Advertisement
Advertisement