by Giuliana Miglierini
The Data Governance Act (DGA) was approved and adopted in May 2022 by the European Council, following the positive position of the EU Parliament; the new legislation will entry into force after being signed by the presidents of the Parliament and of the Council and twenty days after the publication in the Official Journal of the European Union. The new rules governing data collection and sharing will start to apply 15 months after the entry into force of the new regulation.
The protection of personal data is also central to the new transparency requirements established by the Clinical Trials Regulation (CTR). To support pharmaceutical companies dealing with personal data within the Clinical Trials Information System (CTIS), the drafting of a dedicated guideline is ongoing. The European Medicines Agency has published a document to support the public consultation which will remain open until 8 September 2022.
The Data Governance Act
The new DGA regulation is part of the European data strategy and aims to promote the availability of data within a trustworthy environment, with the final goal to improve their use for research and the creation of innovative services and products.
Central to the DGA are some categories of public-sector data that are subject to property rights (i.e. trade secrets, personal data and data protected by intellectual property rights), which were not covered by the previous Open Data Directive (2019). Under the new rules, the reuse of such data shall be permitted provided that the public-sector bodies allowing it are technically equipped to ensure the preservation of privacy and confidentiality.
The DGA will also parallel the General Data Protection Regulation (GDPR) in providing appropriate safeguards against the unlawful international transfer of or governmental access to non-personal data (as the GDPR does for the personal ones). Secondary legislation may be issued by the Commission, for example, to ensure specific non-EU countries provide appropriate safeguards for the use of non-personal data transferred from the EU, on the basis of the existence of local equivalent measures of a similar protection level to that existing in the EU.
The reuse of public-sector data shall be justified with respect to the provision of a service of general interest; exclusive arrangements are needed, with a duration of 12 months for new contracts and 30 months for the existing ones. The access to data will operate through a searchable electronic register of public-sector data to be established by the European Commission and available via national single information points. Model contractual clauses may be adopted by the Commission in order to support public-sector bodies and re-users with the transfer of nonpersonal data covered by the DGA to third countries.
Data intermediation services
Data intermediation services are the core of the new business model resulting from the Data Governance Act; they will be listed in a register to improve transparency and trust. The final target is to enable a secure environment for the sharing of data.
Digital platforms shall represent the reference point for voluntary data-sharing between companies; they should fulfil all data-sharing obligations at the European and national level. Individuals shall maintain full control over their personal data; service providers should support them in exercising their rights according to the GDPR. New tools may be introduced to facilitate sharing on the basis of data holder’s consent, i.e. personal data spaces or data wallets. Service providers won’t be able to share data for purposes other than the allowed ones, and cannot benefit from selling data, even though they can charge for the transactions the carry out.
Data altruism is another key concept of the DGA regulation, making possible to voluntary share its own data for the common good, for example in the field of medical research. Data altruism will apply to both individuals and companies; the access to data should be possible upon registration of the interested entities in a national register of recognised data altruism organisations. A specific logo will support the easy identification of both compliant providers of data intermediation services and data altruism organisations.
The new European Data Innovation Board (EDIB) will be in charge of assisting the EU Commission on issues relative to the interoperability of data intermediation services and the development of guidelines on the creation of data spaces.
Data protection in the regulatory field
EMA’s draft guideline provides a description of the Clinical Trials Information System, its components and functionalities, as wells the rules for the publication of clinical trials information submitted to the CTIS (chapter 2). The protection of both personal data and commercially confidential information (CCI) submitted to the CTIS is then discussed (chapters 3 and 4), together with the protection of personal data and CCI in inspection reports (chapter 5).
The CTR established the CTIS as the single entry point for the submission of data and documents relating to clinical trials; the corresponding EU Database contains such data and documents, and the two are jointly referred to as the EU Portal and Database (EUPD).
The EUPD is the first component of the CTIS, representing the Clinical Trial module providing secure domains accessible to regulatory authorities and sponsors along the entire life cycle of the medicinal product and a public website where to find public information. The second component of the CTIS is represented by the EudraVigilance (EV) safety module, consisting of the Repository of Annual Safety Reports (ASRs) and the Clinical Trial Module (EVCTM) for Individual Case Safety Reports (ICSRs) of suspected unexpected serious adverse reactions (SUSARs) related to Investigational Medicinal Products. The optimisation of regulatory data flow also involve the use of data contained in the Extended EudraVigilance Medicinal Product Dictionary (XEVMPD), in the Organisation Management Service (OMS), and in the Identity Access Management (IAM).
The CTR regulation establishes the rules preventing the access to data stored in the EU Database on the basis of confidentiality information. Is this the case, for example, of personal data falling under Regulation (EU) 2018/17255 governing the protection of natural persons and their personal data? Commercially confidential information may also fall under this provision, upon consideration of the status of the marketing authorisation and unless there is an overriding public interest in disclosure. This means no data from the clinical trial application dossier can be made public before the decision on the clinical trial has been taken.
All personal data (such as the ones of trial participants) in documents submitted to the CTIS should follow the general principles on anonymisation and pseudonymisation of personal data. The draft guideline provides examples of the public information that should be made available with respect to a certain clinical trial. This should include as a minimum the main characteristics of the trial, the conclusion on Part I of the assessment report for the authorisation, the decision on the authorisation of a clinical trial, the substantial modification of a clinical trial, and the clinical trial results including reasons for temporary halt and early termination.
A dedicated module of the CTIS is meant for inspectors to manage all information relative to GCP inspections conducted under the CTR, including the uploading of the final report. To this instance, the guideline indicates no personal data should be included in the version of the inspection report due for publication.