Given the challenges of conducting clinical trials during the COVID-19 pandemic, many countries — including France — have allowed for some use of remote quality controls. In response to guidelines issued recently by European health authorities, the French Commission Nationale de l’Informatique et des Libertés (CNIL) has issued recommendations designed to ensure the protection of compliant processing of personal data. Clinical research associates (CRAs) must be aware of these recommendations and implement appropriate methodologies and safeguards.
Since the onset of the COVID-19 pandemic, the French Commission Nationale de l’Informatique et des Libertés (CNIL) has noted that the health crisis has led to a change in the way quality controls are conducted on behalf of the sponsor of a research project within an investigation center. Clinical research associates (CRAs) in charge of these controls are often no longer able to conduct the controls on the center premises.
In light of guidelines issued by European health authorities on this topic in February 2021 (and updated as recently as 2 April 2021), the CNIL has issued a number of recommendations for the conduct of remote quality controls. These recommendations are designed to ensure that personal data is protected and processed in compliance with relevant requirements and reference methodologies.
Generally, the CNIL calls on sponsors and CRAs to be extremely vigilant when conducting remote controls and, following consultation with the data protection officers (DPOs) of both the sponsor and the investigation center, to implement procedures and policies to ensure compliance, and to document precisely the modalities used in order to demonstrate such compliance. These recommendations by the CNIL are temporary and will expire one month following the formally declared end of the health emergency.
The recommendations cover the following areas, among others:
Filings. Remote quality controls are considered by the CNIL as not compliant with the provisions of the reference methodologies (applicable to research). However, if this is the only deviation of the processing from the applicable methodology, it is not necessary to file a specific authorization request with the CNIL.
However, the CNIL reminds researchers that such remote quality controls are considered a substantial modification of the trial, that the Committee for the Protection of Individuals must be consulted for its opinion, and that the National Agency for the Safety of Medicines and Health Products (L’Agence nationale de sécurité du médicament et des produits de santé, or ANSM) must be informed of any such deviation.
Information. The CNIL advises that the data subjects must be informed in advance regarding remote monitoring modalities. For ongoing studies, the information notice must be updated and provided to trial participants.
Confidentiality and security. Specific measures must be put in place to ensure the confidentiality of data access, including:
Legal measures, such as the CRA signing a confidentiality agreement (even though the CRA is already subject to medical-secrecy requirements).
Enhanced security measures, such as using certified health data hosting; allowing no recourse to a service provider subject to US law or to regulations in countries that do not provide a sufficient protection against access by the authorities; allowing the CRA read-only access to the information, with restricted export possibilities, etc.
The CNIL also provides recommendations for the use of videoconferencing tools, file exchange platforms and access to electronic medical records.
For additional detail, the full text (in French only) of the CNIL’s recommendations are available here.