We Checked EPARs for Personal Data and Found It
By Kristin McDougall, Work Stream Lead, Transparency & Disclosure
What started as research on a European public assessment report (EPAR) on the European Medicines Agency (EMA) website for a sponsor quickly turned into a widespread transparency and disclosure health and wellness check. With the General Data Protection Regulation (GDPR) in effect, knowing exactly what documents are posted publicly and what is contained within them is critical. Have you double-checked your documents lately for protected personal data (PPD)? If not, I suggest you do, based on our findings.
The Protected Personal Data We Found
First, we stumbled across subject identification (ID) numbers in one EPAR that was published to the EMA website before Policy 0070 came into effect. This raised the question, “Are there more?” We then searched all the medicines for which we had redacted Policy 0070 submissions. We found eleven more documents with IDs. In these cases, the full clinical trials that were summarized in the EPAR were already posted on the EMA Clinical Data website or are in the process of being posted. That means the personal data was not being consistently processed and anonymized. As a result, patients are potentially at a higher risk of being re-identified.
After searching a total of 106 medicines on the EMA website, we found that 25% had documents with 1-2 missed patient ID numbers and even entire tables of patient level data. In multiple cases, we found up to six documents with IDs in them for a single medicine.
Patient/Subject IDs are Direct Identifiers
As defined by GDPR, personal data pertains to any information relating to an identified or identifiable natural person or “data subject,” such as a name or identification number. In the world of clinical trials, patient or subject ID numbers are commonly used throughout documents and are considered direct identifiers because they are unique to an individual and can be used to identify them, either by themselves or in combination with other readily available information. The risk of re-identification is high when it comes to public disclosure. That is why all clinical trial submissions under EMA Policy 0070 have these types of IDs anonymized in some way, either through redaction or transformation.
The clinical trial transparency and disclosure landscape is constantly evolving, and more regulations are on the way from the U.S. Food and Drug Administration and Health Canada. Failure to protect patients’ personal data may result in serious penalties. Partnering with a vendor who provides expertise, services, and technology to meet transparency and disclosure requirements is important to maintaining compliance and increasing engagement and trust.
At Synchrogenix, we are passionate and proactive, which is why we are sharing our findings with each company that had missed PPD so they can take appropriate action.