From the last article, we began exploring data security, its importance to CROs and why CROs must take it seriously in 2024. In this article, we will begin to investigate specific ways of enforcing data security in CROs. This article will be of great use to directors, managers, team leads, and even interns who want to understand the importance of data security and want to ensure that they are not found wanting as it pertains to data security and privacy.
Per the ICH Guideline for Good Clinical Practice, records that could potentially lead to the identification of subjects should be held and protected in all confidentiality, in accordance with the regulatory requirements and laws that guide data security and privacy in that geographical location and corresponding international regulations.
An implication of the above guideline is that in enforcing data security, employees of the organisation will need to be trained on data security regulations and how it applies to regular and also, unique situations. In creating company policy, work instructions and standard operating procedures, considering the implications of various national and international regulations and how they affect the company operations is a good place to start.
Having professional legal help is very crucial at this stage. In a CRO, a good place to start is pointing out the protections afforded to subjects in a clinical trial, especially where it intersects with the workflow. Some of these protections, per the SCDM include:
- An Institutional Review Board (IRB) reviews and approves the protocol.
- The subject has a right to informed consent.
- The subject has a right to withdraw consent.
- The subject has a right to refuse to provide any more data.
- The subject has a right to confidential collection and submission of data.
Also, examining various areas in the clinical trial workflow and emphasising how data privacy should be maintained is also crucial. From a data management perspectives, some of these areas include:
Managing Data that Vendors and External Parties can Access
The risk of data security breaches is heightened when dealing with subject data that is accessible to third parties. Standards may need to be employed for vendors who only have access to vendor-specific data versus those who have access to the study database and all subject-associated data.
For those vendors having access to the database, the data manager should ensure that the vendors subscribe to standards that meet or surpass internal standards. As an overall strategy, ensure your company is performing external audits of vendors that include investigations into their compliance with regulations concerning the protection of personal data.
Lab Data
Reports generated from all types of labs should not contain any subject specific information. This information should be built into data-transfer and reporting specifications. If source documents are to be collected (e.g., radiology, MRI, or ECG reports), the sites should be instructed that all documentation should be stripped of personal identifiers, and appropriate subject identifiers should be assigned prior to submission to data management. If that direction is not followed, data management should follow up with the appropriate internal or external clinical site management to ensure that follow-up and further direction is recommended for specific site violators.
Central Committees
Reports to and meetings with various committees may necessitate presentation of some study data. Different types of committees may require different data points and data sources, according to the committee’s function. A committee may require reports based on the database, data from the database, original source data or copies of source data.
In all cases, personal subject identifiers should be removed prior to presentation of data to the committee, and in some- cases, study identifiers may need to be added. The parties responsible for anonymity of the data may vary depending on the type and source of the data. Someone independent of the study may be utilized when necessary to ensure data anonymity, such as a liaison between the company and the committee.
Data Transfers
Prior to any data transfer, a data transfer specification document should be produced to identify the secure method of transfer and fields to be transferred, including the data keys and structure. Before any data is transferred, the transfer process should be thoroughly tested to ensure no extraneous information is transferred that could jeopardize data privacy. Once the planned data transfer is performed, the transfer should be reviewed to ensure all transferred data matches the database.
Computer and network security
Computer and network security are typically developed and maintained by an organization’s information technology personnel. However, data managers do have a responsibility to ensure that the systems are used appropriately and responsibly. Any lapses in computer or network security may jeopardize the integrity of the database, and therefore, data privacy.
Appropriate Redaction of Personal Data
Redaction is the act of obscuring or removing text from a document before releasing the document to other personnel or departments. An example of clinical data needing to be redacted could include a situation where a comments field was completed with personal identifiers. For example a comments field had the text “Mr. Jones showed improvements,” the data manager should obscure or remove “Mr. Jones” from this text. Organizations should have SOPs to determine when redaction of personal data is needed. This should preferably be performed by the site or monitor, but if not handled at the site, data managers should be mindful of when redaction of personal data is required as well as knowledgeable on the process.