Patient consent and the GDPR: what does it mean for clinical trials and research?

Clinical trials and research take place within a complex landscape of legal requirements covering ethical and policy guidance. Participating in trials and research is expected to be voluntary and informed consent is always required under the regulations governing clinical trials. However, obtaining informed consent from trial participants may not meet the requirements of explicit consent required under the General Data Protection Regulation (GDPR) for the lawful processing of special category data. In this article we consider the interplay between the Clinical Trials Regulation (CTR) and the GDPR, and why it is advisable to always rely on explicit consent in order to process special category data for clinical trials and research.

Informed consent is a core prerequisite for enrolling any patient in a clinical trial and is required by Article 3(2) of the Clinical Trials Directive 2001/20/EU (Directive) (and national implementing legislation), and Article 29 of the Clinical Trials Regulation (Regulation (EU) No 536/2014) (CTR) when it finally comes into application and replaces the Directive. Consent to participate must be freely given and unambiguous.

Although the CTR entered into force in 2014, its application is contingent upon a functional Clinical Trials Information System, which is not yet operational, and though it is expected in 2020, it might be later. Following Brexit, and the fact that the CTR will no longer have direct effect in the UK, it remains unclear if all of the provisions of the CTR will ultimately remain mirrored in UK legislation, and how the UK might diverge. However, clinical trial sponsors are already using the CTR as their regulatory reference, much like data protection authorities referred to the GDPR before its implementation in May 2018.

The GDPR (in force in the UK as part of the Data Protection Act 2018) ensures the protection of individuals with regard to the processing of their personal data and harmonised rules on the free movement of such data. The CTR aims to ensure a greater level of harmonisation of the rules for conducting clinical trials throughout the EU. By their very nature, clinical trials include the collection of sensitive health data from patients. The CTR puts informed consent at the centre of the regulatory framework for trials, including the use of data. However, informed consent for trial participation should be seen as distinct from any consent provided under the GDPR as a legal basis for processing personal data. We seek to clarify what consent means and needs to mean in this article.

What is personal and special category data?

Personal data is any data relating to living individuals from which they can be either directly identified from the data itself, or indirectly identified by combining with other available data. This latter point is important because all too often people believe they are using anonymised data, which is in fact only pseudo-anonymised or too easily capable of use with other data to associate with an identifiable person. Therefore, you might be subject to the data protection rules but mistakenly think you are not. In addition medical data is all under the GDPR, special category data; defined as personal data that is especially sensitive and so requires more protection. Special category data includes genetic and biometric data, and data concerning health, sex life, sexual orientation, racial and ethnic origin, political opinions and religious or philosophical beliefs. It is important to remember that any data that is properly anonymised (and not merely pseudo-anonymised) so that the data subject can never be identified is not considered to be personal data for the purposes of the GDPR.

Processing personal and special category data

Before processing personal data, a lawful basis for processing must be established in accordance with Article 6 of the GDPR. These legal bases include:

  • consent
  • performance under a contract
  • a legal obligation
  • protection of vital interests
  • performance of a task of an official authority, or
  • processing necessary for legitimate interests (does not apply to public authorities including hospitals)

However, in order to process special category data, both a lawful basis under Article 6, and a condition for processing special category data under Article 9 must be established. In addition to obtaining explicit consent, these conditions include processing necessary for the purposes stated below. Where the Article 9 condition requires a basis in law, organisations must also meet a further condition and the safeguards specified in Schedule 1 of the Data Protection Act 2018.

  • preventative or occupational medicine
  • assessment of the working capacity of the employee;
  • medical diagnosis
  • provision of health or social care or treatment or management of health or social care systems and services
  • public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products, or
  • archiving purposes in the public interest, scientific or historical research purposes

Explicit consent is both a legal basis under Article 6 and a condition to be satisfied for processing special category data under Article 9, but that is where the consensus ends. Many EU member states are applying Articles 6 and 9 differently in the context of clinical research, and offering different guidance.

The competent authorities of some countries state that patient consent is not a valid ground on which clinical data, including special category data, may be processed. For example, the UK Health Research Authority (HRA) has stated that “For the purposes of the GDPR, the legal basis for processing data for health and social care should not be consent. This means that requirements in the GDPR relating to consent do not apply to health and care research.” It is noteworthy that the position of the HRA is somewhat at odds with guidance issued by the Information Commissioner’s Office (ICO), which states that as a general rule you should first consider whether you could give individuals a choice and process their special category data with their explicit consent. Indeed, the generally accepted view is that informed and explicit consent is the safest and most appropriate approach to use of patient data. These positions are well contrasted with France and some other EU member states, where the national data protection regulators demand that clinical trial sponsors obtain consent for processing personal data in clinical trials as part of the informed consent form. This position is more consistent with the CTR, and in our opinion the safer course for your operations.

The interplay between the CTR and GDPR

The European Data Protection Board (EDPB) has endeavoured to examine these different approaches and to try to find a uniform way forward. In January 2019, the EDPB adopted its opinion concerning the interplay between the CTR and the GDPR (the Opinion), and which legal bases under the GDPR are appropriate for processing personal data in the context of a clinical trial1. In particular, the Opinion considers the legal basis for processing personal data during (i) the lifecycle of the trial protocol (primary use), and (ii) for scientific purposes falling outside the trial protocol (secondary use).

(i) Primary use

The EDPB further breaks down processing of personal data for the primary use into two categories:

(a) Processing related to reliability and safety of medicinal products.

The EDPB considers the appropriate legal basis for processing to be Article 6(1)(c)), compliance with a legal obligation; and the condition satisfied for special category data to be that processing is necessary for the reasons of public interest and health (Article 9(2)(i)).

(b) Research activities conducted under the trial protocol.

The EDPB considers that the legal basis for processing data relating to research activities conducted as part of the trial is less straightforward and offers several alternatives. For example, consent as a legal basis (Article 6(1)(a)), in conjunction with consent as a condition to be satisfied for the processing of special category data (Article 9(2)(a)). Alternatively, the legal basis for processing may either be public interest (Article 6(1)(e)) or the legitimate interest of the data controller (Article 6(1)(f)), combined processing in the interest of public health (Article 9(2)(i)) or necessary for scientific research purposes (Article 9(2)(j)), as the condition to be satisfied for the processing of special category data.

(ii) Secondary use

When considering the processing data for scientific purposes outside the remit of the clinical trial protocol itself, the Opinion suggests that any further processing may be considered to be compatible with the primary purpose of the clinical trial and as a result, a new legal basis and Article 9 condition may not be needed.

However, this raises some interesting and uncomfortable questions. The CTR specifically addresses the use of data outside the trial protocol for secondary purposes and allows the sponsor to ask the participant to consent to such secondary use of their data (Article 28(2)).

However, we must remember that informed consent for trial participation is not the same as consent under the GDPR. The EDPB recognises that to require another ground for secondary use would be inconsistent with the presumption of compatibility provided by Article 5(1)(b) of the GDPR, which provides that secondary processing should be compatible with the initial purpose so long as sufficient safeguards are in place. For now, and until any further guidance is forthcoming, the EDPB suggests that the presumption of compatibility should apply to secondary use so long as the safeguards outlined in Article 89 of the GDPR are in place (e.g. technical and organisational measures to ensure respect for the principle of data minimisation).

In summary, the Opinion appears to align with the position taken by the HRA (and somewhat inconsistent with the position of the ICO) that within the context of a clinical trial, consent may not be relied on for primary use processing of patient data in many clinical trials. The EDPB’s conclusion is partly based on its consideration of the fact that trial participants, as vulnerable patients, may be unable to freely give their consent depending upon their clinical status and medical situation. The EDPB goes on to say that there may well be an imbalance of powers between the patient and the trial sponsor.

Where do data controllers stand?

Although the Opinion somewhat clarifies the interplay between the CTR and the GDPR, it also raises many unanswered questions and uncertainties. For example, it is certainly far from ideal that a data subject, namely a vulnerable patient, can consent to participate in a clinical trial and to all of the medical interventions that clinical trial participation entails, and yet may not be able to consent to the processing of their personal data in the same trial because of a perceived imbalance between the patient and researcher.

Furthermore, the Opinion appears to be somewhat inconsistent with detailed guidance on the processing of special category data recently published by the ICO in November 20192. The guidance reminds data controllers that consent is only valid if the individual is able to withdraw their consent at any time. Furthermore, the guidance also states that in order to rely on many of the conditions under Article 9 for processing special category data, you have to demonstrate that it would not be reasonable to obtain consent from individuals. This implies that the ICO has a preference for trial sponsors to rely on consent.

It remains to be seen whether regulatory bodies across the EU follow the EDPB’s approach with regard to consent. Until the situation becomes any clearer, explicit consent for processing special category data remains the gold standard and reduces any risk, certainly in the UK. Therefore, it is advisable for clinical trial sponsors to obtain informed consent for trial participation and a separate explicit consent to meet the requirements of the GDPR for the processing of special category data.

It is also crucially important for trial sponsors to remember that if they do seek to rely on a different Article 9 condition instead of consent this may cause difficulties later on if the data regulator objects. If a data regulator determines that a public interest or scientific ground cannot be relied on for processing special category data, there is always the risk that any clinical data generated and processed in support of marketing authorisation submissions may not be accepted by the relevant medicines regulatory authority.

Overall we always recommend that you consider the potential view of the public and how that may influence outcomes when under regulatory review. It is possible to envision public sympathy for both medical research without consent and for public concern for lack of it. Consider for example the scenario that the information about a patient was lost and became known to an employer or insurance company that led to challenges in the place of employment because of reactions to the condition of the patient or a refusal to insure the patient. In such scenarios the public might think the lack of explicit informed consent to the processing of the personal data that caused these issues is unacceptable. Equally, if presented in the narrow focus of use of data to find cures for illness then people may have sympathy for use without consent. The issue then is one of risk and what you are willing to justify after the event. Consequently, we urge careful thought about the nature of the legal basis of any processing. We recommend explicit informed consent is the sensible starting place, but you should ensure that if relying on consent you can demonstrate it is informed and explicit.


1.   Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR): https://edpb.europa.eu/our-work-tools/our-documents/avis-art-70/opinion-32019-concerning-questions-and-answers-interplay_en

2. The Information Commissioner’s Office’s detailed guidance on the processing of special category data, published November 14th 2019: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/