Data privacy and data sharing within the regulatory framework governing human, health-related research in Switzerland

The topics of data privacy and data sharing in the context of clinical research can be addressed from many angles. The overall scientific rationale for data sharing, international recommendations, the perimeters of research data sharing, the legal basis in Switzerland, technical aspects of data processing and documentation, governance, and policies for data sharing were recently addressed in a collective initiative led by the Swiss Clinical Trial Organisation’s (SCTO’s) Clinical Trial Unit Network. The resulting guidance document on sharing data from clinical research projects is available on the SCTO Platforms’ website.¹ This article focuses on the regulatory framework governing data privacy and data sharing in clinical research and how it pertains to specific elements of clinical studies.

Although the Human Research Act (HRA) addresses the topic of accessing health-related personal data, it does not directly address the topic of sharing research data (i.e. data collected for the purpose of conducting research or data generated by research activities) – with the exception of Article 56, which makes the registration of clinical trials mandatory in order to ensure a first step towards transparency to the public on past and ongoing clinical research. It should be kept in mind that the HRA was finalised in 2011, when sharing research data was not as high of a priority as it is nowadays. And at that time, open data – an issue increasingly raised by evidence-based medicine initiatives such as the Cochrane collaboration and journal editors (e.g. the International Committee of Medical Journal Editors (ICMJE)) – was not yet transposed within the clinical research regulatory frame. Nevertheless, many principles contained in the HRA have to be taken into account when addressing diverse aspects of research data sharing and when analysing the impact regulation has on practices highlighted in this article.

Using health-related data for research: Coded versus anonymised data

In Switzerland, the Human Research Act defines data as follows:

• Health-related personal data means information concerning the health or disease of a specific or identifiable person, including genetic data (Art. 3, let. f).
• Genetic data means information on a person’s genes, obtained by genetic testing (Art. 3, let. g).
• Coded health-related personal data means health-related data linked to a specific person via a code (Art. 3, let. h).
• Anonymised health-related data means health-related data which cannot (without disproportionate effort) be traced to a specific person (Art. 3, let. i).

Before being analysed, data sets of all clinical studies (interventional and observational) contain coded health-related data. A code links the identifying data to the study data, and the key is kept in a matching table that must be stored in a protected environment in order to ensure data privacy.

According to Switzerland’s Human Research Ordinance (HRO), the anonymisation of health-related personal data requires all items which, when combined, would enable the data subject to be identified without disproportionate effort to be irreversibly masked or deleted. In particular, this means that an individual’s name, address, date of birth, and unique identification numbers must be masked or deleted (Art. 25, paras. 1 and 2). It is important to note that the ability to guarantee the anonymisation of biological material and genetic data is increasingly being questioned due to technological advances. If consent to participating in a clinical study is revoked, according to Article 9, paragraph 1 of Switzerland’s Clinical Trials Ordinance (ClinO) and Article 10 of the HRO, the biological material and health‑related personal data of the person concerned must be anonymised after data evaluation has been completed. However, the anonymisation of that person’s biological material and personal data may be dispensed with if: a) the person concerned expressly renounces this right when revoking consent or b) it is established at the beginning of the clinical trial that anonymisation is not possible and the person concerned, having been adequately informed of this fact, consented to participate in the trial (ClinO, Art. 9, para. 2).

For researchers, anonymisation leads to a loss in value of data because it is no longer possible to compare anonymised data with other data or future data related to the same source persons. In the context of clinical trials, anonymisation makes it impossible to perform audits and controls on medical data that can only be performed on the source data. Furthermore, anonymisation prevents participants from withdrawing their consent if they change their minds.^2,3 And finally, anonymisation can also impact participants by, for example, preventing long-term safety follow-up if there are concerns about delayed adverse events.

Informed consent form

Before any participant’s health-related data and biological materials can be used for research, the participant must give his or her consent, usually in writing. Exceptions to written informed consent are outlined in Article 9 of the HRO. An informed consent form (ICF) is the document containing all information for patients on the following topics:

• how the participant’s personal and health data will be protected (including for genetic data) and whether the data may reveal the participant’s identity
• the person(s) who may use the participant’s health-related data and samples
• the access that a limited number of people may have to the participant’s data because it is necessary for their functions in the study
• the coded (or uncoded) form of data to be transmitted to other research teams within the framework of the project or to be available for data sharing
• information on the retention of health-related data and samples
• how to access a synthesis of the global results, research results, and/or findings of the study
• conditions for participants in the event that their data or samples are commercialised.

swissethics has proposed a variety or informed consent templates regarding the further use of coded or uncoded health-related personal data or materials, which are available on its website. Two of these templates (for general consent and for informed consent according to HRA/HRO Art 28.) are for research projects subject to Chapter 3 of the HRO and contain informed consent forms for coded health-related personal data or biological materials that are collected as per clinical routine or where additional procedures are performed. According to Article 28 of the HRO, when health-related personal data or biological materials are used in an uncoded form,additional information is to be provided in the informed consent form.

In clinical studies subject to the ClinO or the Ordinance on Trials with Medical Devices (ClinO-MD), participants who have given their consent in a specific clinical study do not automatically authorise the further use of their health-related data or biological materials outside that study. To allow such further use of research data, participants have to sign an additional informed consent form. This template is embedded in the template for study information for participants in clinical trials according to HRA, ClinO, and ClinO-MD (available in French, German, and Italian).

In the absence of informed consent, further use may be made of health-related personal data or biological materials for research purposes in the exceptional cases outlined in Article 34 of the HRA. An exemption from the requirement of informed consent may be requested from the competent ethics committee, which is granted if the justification meets the ethics committee’s expectations.

It is important to note that, in contrast to coded or anonymised health-related data, truly at source anonymous health-related data are outside the scope of the HRA, and informed consent is not needed for them to be used for research purposes.

Study protocol

A study protocol is an essential reference document that describes the practical methods of how a clinical study is conducted and, in particular, how its clinical data are managed. The choice of data collected must be proportional to the purposes of the research: data must be adequate to be able to confront the research hypotheses, and there can be no random collection of all kinds of irrelevant data. Moreover, the use of data from a protocol must be justified and limited to the objectives listed in the protocol.

According to Article 15 of the HRA, the study protocol has to precisely define measures for protecting confidentiality before, during, and after the clinical trial when processing individual health-related data about potential and enrolled participants. The protocol should also describe the means whereby personal information is collected, kept secure, and maintained.^{4, 5} In general, this involves the following:

• assigning a unique participant identification number that replaces a participant’s identifying information; the creation of the study participant code should be clearly described in the protocol (ClinO, Art. 18; HRO, Art. 5)
• securely storing the coded data, the identifiable information, and the linking code in separate, independent locations (e.g. in paper format in a locked cabinet or within password-protected digital files and storage media) (ClinO, Art. 18; HRO, Art. 5)⁶
• limiting access to the minimum number of individuals necessary for quality control, auditing, and analysis; the protocol should stipulate that for data verification purposes, authorised personnel (e.g. the clinical monitor), regulatory authorities, or the ethics committee may require direct access to nominative source data or documents that are relevant to the study, such as parts of the medical records (ClinO, Art. 18).^{7, 8}

Moreover, the access and transmission of a clinical data set to authorised individuals should be outlined in the protocol, including measures to guarantee data privacy (e.g. via virtual private network internet transmission). Participants’ anonymity must be ensured when data are presented at scientific meetings in coded form or published in scientific journals.

Case report form

Case report forms (CRFs) are an integral component of clinical trials and are addressed in regulations and guidelines (e.g. ClinO, Art. 5 and Art. 18; HRO, Art. 5; and ICH GCP E6(R2), Section 1.1). Each clinical trial participant has a CRF file. Research site staff (investigators and study coordinators) note measures and findings, as defined in the study protocol, and transfer the data to the study sponsor and/or statistician for analysis. If the data in the individual CRFs are not correct, the overall results of the trial may be compromised.

Two types of CRFs are used in clinical research: a traditional paper CRF and an electronic CRF (eCRF). Electronic CRFs are generally preferred over paper-based CRFs due to improved data quality and integrity, relatively better discrepancy management, and a faster database lock. Electronic CRFs also facilitate remote monitoring and real-time access to data. It is, however, essential to ensure that the equipment used for data entry (e.g. computers, mobile phones, and tablets) is password-protected and can be accessed only by the appointed personnel. Secure equipment and restricted access, together with the exclusion of personal identifiable information (such as a participant’s name, date of birth, social security number, address, phone number, or email address), are recommended to guarantee confidentiality and protect the privacy of research participants. The ultimate goal of a well-designed CRF is to provide researchers with a tool that allows them to collect all the relevant information the study needs to answer the research question, that will facilitate later data sharing, and that protects participants’ information and anonymity. Table 1 summarises the main points to consider when designing a CRF.

Data management plan

A data management plan (DMP) is a living document that explains the life cycle of all data used in a clinical study. It presents how data are generated and/or collected, how data are documented, where data are stored, how data are shared, and how data are preserved and protected. Two types of DMPs are used in clinical research: one for submitting a grant application and one for conducting a clinical study. When applying for funding, the DMP is a declaration of intent that shows the applicant has anticipated all aspects of data management, from generating and/or harvesting data to sharing and/or archiving data. Most universities provide guidelines and support for completing the four sections of the DMP that the Swiss National Science Foundation (SNSF) requires with grant applications. Even though this DMP is mandatory, its content is not yet evaluated at the time of the grant application.

The second type of DMP, a clinical DMP, is a formal document that provides all information on how data has been obtained, processed, organised, stored, protected, and shared during a clinical study and after it (archiving). A clinical DMP:

• exhaustively defines and describes all study (meta)data and, if needed, data sets
• identifies all tasks to be conducted with data (including tests and the validation of tools and/or procedures, e.g. eCRF validation)
• identifies all roles and responsibilities in detail (including names, resources, and competencies)
• lists risks linked to long-term data management
• presents how data safety, storage, and/or archiving are handled and how confidentiality and ethical principles are protected (e.g. standards and methodology used in the study as well as quality assurance processes used for data collection and/or generation in order to ensure data protection; the latter may include a confidentiality agreement, permission to access/share data, information to participants about data sharing, and/or facilities for storage)
• indicates how (meta)data are accessed and shared, including information on a license for publishing and sharing data or the existence of a steering committee for sharing data; it should be noted that some constraints exist that prevent data sharing (e.g. legal, confidentiality, and intellectual property rights constraints).

The clinical DMP is updated on a regular basis, with versioning and signatures, and is approved by the sponsor and/or project leader.

Data transfer agreement

Once data are collected, cleaned, and analysed, they can be shared. Data transfer agreements (DTAs), also referred to as data transfer and use agreements (DTUAs), are inter-institutional or intra-institutional contractual documents that regulate the overarching architecture for the collaborative use and exchange of data. In regard to biomedical research, this mostly relates to personal and health-related data. A DTA/DTUA assigns the participating parties within a research project their roles as data provider, data recipient, and data controller. It typically defines a set of rules that regulate data processing, which includes the collection, transmission, storage, security, access, reuse (further use), archiving, and destruction of data. Additionally, but not exclusively, a DTA/DTUA regulates confidentiality, intellectual property rights, and publication rights. Therefore, the terms and conditions outlined in a DTA/DTUA depend on the predefined specifications of the corresponding research project as well as on the responsibilities of the participating parties.⁹ DTAs/DTUAs are legal contracts and, as such, must comply with data protection laws and regulations.

In Switzerland, the processing of personal and health-related data is subject to the Federal Act on Data Protection (FADP), which is expected to be updated in 2023. The relevant regulations are defined in Switzerland’s Human Research Act, the Clinical Trials Ordinance, and the Human Research Ordinance as well as the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) Guideline for Good Clinical Practice (E6) and all cantonal data protection legislation. In the European Economic Area (EEA), the processing of data is subject to the General Data Protection Regulation (GDPR). The US Health Insurance Portability and Accountability Act (HIPAA) provides a list of 18 items considered to be identifiers.¹⁰ Transferring sensitive data within Switzerland and/or abroad is only permitted if the research project’s participants have been informed and have given their consent. In general, data may not be transferred outside the EEA unless it is transferred to a country or territory that provides an adequate level of protection for personal data. However, exceptions can be made if participants have been informed and have given their consent. DTAs/DTUAs have become an integral part of the legal and regulatory framework of multicentre research projects and require approval from institutional review boards (IRBs), namely the competent ethics committee.

Publication

In most circumstances, clinical researchers aim to present their clinical trial results in a peer-reviewed paper that is published in a reputable academic journal. However, publishing and disseminating research results is not only desirable from a “prestige” perspective; it is often required and governed by laws and regulations.

With the aim of enhancing the public transparency of clinical trial data, regulatory agencies have implemented certain disclosure rules. These concern all data, including positive, inconclusive, and negative clinical trial results. In Switzerland, the registration of clinical trials and public access to registries is regulated by the HRA and ClinO. Studies with medical devices (ClinO‑MD) are regulated accordingly until the corresponding legal regulations come into force. For an authorised clinical trial, sponsors must register clinical trial data in a primary registry equivalent to the World Health Organization’s International Clinical Trials Registry Platform (ICTRP), such as the ClinicalTrials.gov registry of the US National Library of Medicine or the European Union Drug Regulating Authorities Clinical Trials Database (EudraCT) registry powered by the European Medicines Agency (EMA). Additionally, data from clinical trials authorised in Switzerland have to be entered in the Swiss National Clinical Trials Portal (SNCTP) federal registry. Retrospective and prospective studies without interventions (studies regulated by the HRO) do not have to be registered. However, since registration is often a requirement for publication in international journals, it is recommended for all studies. Since the ICMJE issued its widely distributed statement in 2017 calling for sharing data from clinical trials,¹¹ most registries have implemented additional fields to be completed with information about the data sharing policy for the registered study.

European Union (EU) initiatives and legislation, such as the EMA’s guidance on its Policy 0070, the EU’s new Clinical Trials Regulation (CTR) and the EU’s Medical Device Regulation (MDR), have gradually increased public access to clinical trial data over the last few years. Recently, the EMA established a Clinical Trials Information System (CTIS) as a single electronic entry point for clinical trials information in the EU and the EEA. CTIS offers study participants, healthcare professionals, and the general public the possibility to search for clinical trial information. Swiss clinical trial sponsors are also eligible to register their trials in CTIS if they have sites located within the EU/EEA. For medical devices, the European Database on Medical Devices (EUDAMED) will be created, which will provide similar insight into study data.

However, offering access to data and information demands the consideration of confidentiality and data protection regulations, such as the EU’s General Data Protection Regulation and Switzerland’s revised Federal Act on Data Protection. Therefore, it is imperative to understand the interrelated challenges and compliance issues around data sharing and data protection regulations when navigating through the regulatory landscape of clinical trial data publication.

Responsibilities for data handling

Respecting data privacy and organising data sharing are responsibilities shared between different functional roles in clinical research: the sponsor or project leader and his or her team, the investigator and his or her team, and clinical study monitors as well as external partners receiving partial or complete data sets from the clinical study. Although the sponsor or project leader is clearly in charge of a study’s main activities (creating the database, implementing monitoring, signing DTA/DTUA, etc.), the investigator and his or her team as well as external partners also play an active role in protecting data privacy and must also comply with laws and regulations when sharing data. Table 2 gives an overview of roles and responsibilities for data privacy and data sharing.

As researchers navigate through the complex world of clinical study data, they must know and respect many legal requirements and guidelines in their research practice – regardless of their role within a clinical study. Implementing a trial or an observational study requires time, energy, and information. Prior to beginning a study, it is advisable to check the HRA and its ordinances and the ICH’s Guideline GCP E6(R2) and to consult the local legal department in order to be well prepared for the data privacy and data sharing aspects of the study.

References

1. Gahl P et al. (2021) Sharing of data from clinical research projects: Guidance from the SCTO’s Clinical Trial Unit Network. Available on the SCTO Platforms’ Tools & Resources website. doi: 10.54920/SCTO.2021.02
2. Junod V and Elger B (2018 Dec 10) Données codées, non-codées ou anonymes. Jusletter. Accessed 26 April 2022: https://jusletter.weblaw.ch/fr/dam/publicationsystem/articles/jusletter/2018/961/donnees-codees_-non-_3fe623ed73/Jusletter_donnees-codees_-non-_3fe623ed73_fr.pdf [in French]
3. Ethics Committee Vaud (2019 Oct 3) Protection des données, anonymisation et recherche [informational event]. Accessed 26 April 2022: https://www.cer-vd.ch/lunch [in French]
4. SPIRIT (n.d.) Spirit statement: 27. Confidentiality. Accessed 26 April 2022: https://www.spirit-statement.org/ethics-and-dissemination-24-31/#confidentiality
5. International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (2016) Guideline for good clinical practice E6: 6.13 Data handling and record keeping. Accessed 26 April 2022: https://www.ich.org/page/efficacy-guidelines
6. SPIRIT (n.d.) Spirit statement: 19. Data management. Accessed 26 April 2022: https://www.spirit-statement.org/methods-data-collection-management-analysis-18-20/#
7. SPIRIT (n.d.) Spirit statement: 23. Auditing. Accessed 26 April 2022: https://www.spirit-statement.org/methods-monitoring-21-23/#auditing
8. International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (2016) Guideline for good clinical practice E6: 6.10 Direct access to source data/documents. Accessed 26 April 2022: https://www.ich.org/page/efficacy-guidelines
9. Harvard University (n.d.) Data use agreements. Accessed 26 April 2022: https://researchdatamanagement.harvard.edu/data-use-agreements
10. Total HIPAA (n.d.) GDPR and HIPAA compliance: Do they overlap? Accessed 18 May 2022: https://www.totalhipaa.com/gdpr-and-hipaa/
11. Taichmann D et al. (2017 June 6) Data sharing statements for clinical trials: A requirement of the International Committee of Medical Journal Editors [editorial]. Annals of Internal Medicine. Published on Annals.org. Accessed 26 April 2022: https://icmje.org/news-and-editorials/data_sharing_june_2017.pdf