This first study setup process relates to the design of the study protocol (defines the purpose and means including the justification of the collect of sensitive data) and the CRF (identifies the data to be collected).

Development of guidelines (protocol), project plans, data collection forms including case report forms (CRF)

Setting up the framework of evidence for privacy by design, including integration of data minimisation, purpose limitation, and confidentiality principles.

Processing of personal data of study subjects is not envisaged

NA

NA

Refers to all activities carried out to design the information and/or Informed Consent Form (ICF) for the study subjects according to the type of study and the applicable regulations.

Development of information for study subjects about study-related data processing

Compliance with the right to information of study subjects

Processing of personal data of study subjects is not envisaged

NA

NA

Refers to all activities related to the selection of investigational sites that would potentially participate to a clinical study, including in context of a feasibility study, and up to the signature of the contract with the investigational sites. Foreseen pre-trial investigators meetings can be part of this class of services. The concerned service may be referred to as “Site feasibility”, “Site identification”, “Investigator selection”.

Collection and analysis of personal data of healthcare professionals

Selection of healthcare professionals qualified and capable of performing investigator’s roles; assessment of compensation and remuneration; arrangement of investigator meetings

Collection/obtainment, transfer/transmission, storage, analysis, deletion/destruction

Healthcare professionals: surname, name, gender, date of birth, signature, postal address, electronic and telephone contact details, bank details; education: qualification(s); professional life (including professional background, method and type of practice, necessary elements for assessing the knowledge they have for conducting the research); where applicable, registration number in the shared register of healthcare professionals; total compensation and remuneration received; participation in other studies; training schedules, performance; travel itineraries, passport and visa data, travel costs, booking details; travel times, etc.

Bid defense meeting to completion of site initiations, site identification may continue throughout the research

Refers to all activities, performed by the CRO, and related to the collection of data required for the purpose of the clinical research program. 

• Data collected directly from subjects/proxies.
• Data collection by healthcare professionals through CRF (paper or electronic).
• Data collection from other data sources.

Accumulating study databases of health data for conducting research

Enabling main purpose of research; identification of individuals as study subjects

Collection/obtainment, transfer/transmission, storage, analysis

Study subjects: data concerning health; photographs and/or video and/or voice recordings not enabling the research subjects to be identified, e.g., masking the face, the eyes, distinctive characteristics, dates pertaining to the conduct of the research, i.e. enrolment date and visit dates; ethnic origin; genetic data strictly necessary to comply with the research objectives or purposes, not enabling the direct or indirect identification; marital status; level of education; socio-professional category; professional life, e.g., occupational exposure; affiliation to social security, (excluding registration number in the national identification directory of natural persons), supplementary insurance (mutual, private insurance); participation in other research or studies, in order to ensure compliance with the inclusion criteria; consumption of tobacco, alcohol and recreational drugs; lifestyles and behaviors, assistance (domestic help, family), physical exercise (intensity, frequency, duration), diet and eating habits, leisure pursuits; lifestyle, e.g., urban, semi-urban, traveler, sedentary; accommodation private house or block of flats, floor, lift, etc.; sex life; vital status, etc.

Pre-screening until study termination/withdrawal or until the study product receives a marketing authorisation or until two years after the final publication of the research results; or where there is no publication, until the final report of the research has been signed

Refers to all activities performed by the CRO in the frame of monitoring of the study. The monitoring process strives to fulfil three purposes to:

• Protect the rights and well-being of human subjects;

• Conduct the trial in compliance with the protocol, GCP or other applicable standard and applicable regulatory requirements;

• Verify the accuracy and completeness of trial data

  Monitoring activities are usually conducted according to three different approaches

  (1) onsite monitoring;

  (2) remote monitoring;

  (3) centralized monitoring (data management), when data oriented activity where data managers execute checks on data and provide indicators and deep data analysis to study monitors; monitors then execute site monitoring (on-site and / or remote) to solve detected issues.

Comparing source records and completed data collection forms; ensuring proper completion and storage of ICF, safety reporting

Verification of accuracy of data transfer from source records to study data collection forms, of appropriate authorization to processing and participation

Collection/obtainment, transfer/transmission, analysis, storage, deletion/destruction

Study subjects: data concerning health; photographs and/or video and/or voice recordings not enabling the research subjects to be identified, e.g., masking the face, the eyes, distinctive characteristics, dates pertaining to the conduct of the research, i.e. enrolment date and visit dates; ethnic origin; genetic data strictly necessary to comply with the research objectives or purposes, not enabling the direct or indirect identification; marital status; level of education; socio-professional category; professional life, e.g., occupational exposure; affiliation to social security, (excluding registration number in the national identification directory of natural persons), supplementary insurance (mutual, private insurance); participation in other research or studies, in order to ensure compliance with the inclusion criteria; consumption of tobacco, alcohol and recreational drugs; lifestyles and behaviors, assistance (domestic help, family), physical exercise (intensity, frequency, duration), diet and eating habits, leisure pursuits; lifestyle, e.g., urban, semi-urban, traveler, sedentary; accommodation private house or block of flats, floor, lift, etc.; sex life; vital status, etc.

Pre-screening until study termination/withdrawal or until the study product receives a marketing authorisation or until two years after the final publication of the research results; or where there is no publication, until the final report of the research has been signed

Medical Monitoring services vary according to study design and regulatory classification. Medical supervision is regulated for clinical trials.

Such services may include the following activities

• Participation in study steering committees and integration of expertise as appropriate
• Development and/or review of protocol and study documents (initial and amendments)
• Participation in study feasibility assessment and site selection
• Study stakeholder training including participation in investigators meetings with a focus on IMP and medical aspects of the protocol
• Day to day problem-solving and medical guidance on study related issues to the project team, e.g., specific site questions for protocol clarification; completion of the CRF, safety-related management issues; for interventional studies, check patient eligibility per protocol and review protocol deviations
• Close monitoring of clinical study database from safety perspective
• Provide medical input on safety data and case narratives
• Review and comments study data analysis and outcomes (SAP, CSR, publications)

Communication with regulatory authorities, ensuring compliance with regulatory requirements, evaluation of eligibility of study subjects for entering/continuing participation

Demonstrating accountability for appropriate management of health-related risks, analysis of impact from the investigational product on well-being of study participants

Collection/obtainment, transfer/transmission, analysis, storage

Study subjects: data concerning health; photographs and/or video and/or voice recordings not enabling the research subjects to be identified, e.g., masking the face, the eyes, distinctive characteristics, dates pertaining to the conduct of the research, i.e. enrolment date and visit dates; ethnic origin; genetic data strictly necessary to comply with the research objectives or purposes, not enabling the direct or indirect identification; marital status; level of education; socio-professional category; professional life, e.g., occupational exposure; affiliation to social security, (excluding registration number in the national identification directory of natural persons), supplementary insurance (mutual, private insurance); participation in other research or studies, in order to ensure compliance with the inclusion criteria; consumption of tobacco, alcohol and recreational drugs; lifestyles and behaviors, assistance (domestic help, family), physical exercise (intensity, frequency, duration), diet and eating habits, leisure pursuits; lifestyle, e.g., urban, semi-urban, traveler, sedentary; accommodation private house or block of flats, floor, lift, etc.; sex life; vital status, etc.

Pre-screening until study termination/withdrawal or until the study product receives a marketing authorisation or until two years after the final publication of the research results; or where there is no publication, until the final report of the research has been signed

CROs can provide a large spectrum of services contributing to the safety of medicinal products and medical devices. Services are performed either in post-marketing setting (spontaneous reporting system outside a study and other services such as systematic literature review and signal detection) and/or in studies or other organised data collection system that are not qualifying as clinical studies (solicited collection of safety information).

Typical procedures managed by PV units in studies include: guidance on AEs to be collected during the study and rules for reporting by site to PV unit; individual case safety report management (including: acknowledgment of receipt of individual AE reports, case triaging for duplicate, recording in safety database, AE report quality control and query, causality assessment and case narrative writing); submission of valid cases to competent authorities as appropriate.

These activities are highly regulated. They require the use of a safety database independent from clinical study database, allowing proper case management and electronic submission of valid cases to regional databases (typically, EudraVigilance in EU).

Beside individual case management and submission, Pharmacovigilance require generation of periodic aggregate reports (DSURs, PSURs). Case processing may require direct nominative contacts with reporters (consumers and healthcare professionals) but submission to authorities are managed in a de-identified way.

Communication with regulatory authorities, ensuring compliance with regulatory requirements, evaluation of eligibility of study subjects for entering/continuing participation

Demonstrating accountability for appropriate management of health-related risks, analysis of impact from the investigational product on well-being of study participants

Collection/obtainment, transfer/transmission, analysis, storage

Study subjects: data concerning health; photographs and/or video and/or voice recordings not enabling the research subjects to be identified, e.g., masking the face, the eyes, distinctive characteristics, dates pertaining to the conduct of the research, i.e. enrolment date and visit dates; ethnic origin; genetic data strictly necessary to comply with the research objectives or purposes, not enabling the direct or indirect identification; marital status; level of education; socio-professional category; professional life, e.g., occupational exposure; affiliation to social security, (excluding registration number in the national identification directory of natural persons), supplementary insurance (mutual, private insurance); participation in other research or studies, in order to ensure compliance with the inclusion criteria; consumption of tobacco, alcohol and recreational drugs; lifestyles and behaviors, assistance (domestic help, family), physical exercise (intensity, frequency, duration), diet and eating habits, leisure pursuits; lifestyle, e.g., urban, semi-urban, traveler, sedentary; accommodation private house or block of flats, floor, lift, etc.; sex life; vital status, etc.

Pre-screening until study termination/withdrawal or until the study product receives a marketing authorisation or until two years after the final publication of the research results; or where there is no publication, until the final report of the research has been signed

Supplementary patient services that will require processing of the administrative identifying data of the study subjects (surname, name, postal address, electronic and telephone contact details, bank details).

Examples of DtP  services that can be provided by a CRO: travel arrangements, including plane, train, taxi, special transport, e.g., Crohn disease patients; accommodation bookings; and related reimbursement of transport costs for the participants and/or the payment of allowances; follow-up of the persons concerned as specified in the research protocol, e.g., sending a text message [SMS] to complete an online questionnaire, activating a computer account to use a linked application; patient engagement into study, e.g., a CRO employs an online platform or elsewise through which potential study subjects could receive reference to a closest medical site; medical site will perform final eligibility assessment and enrolment; delivery of the health products, equipment, e.g., dialysis machines; delivery and home collection of sample(s) required for the research; home nursing services; food catering, e.g., anorexic patients requiring special diet, etc.

Communication for the delivery of the service

Providing support to study subjects that is related to the administrative activities that are needed or complementary to the research and are beyond the essential research purpose

Collection/obtainment, transfer/transmission, storage, de identification (pseudonymisation, anonymization, aggregation, masking, removal of data elements), deletion/destruction

Depend on type of service, and will imply combination of minimal health data, e.g., disease name, general information on the individuals’ specific health condition; with identifying data of study subjects, e.g., surname, name, postal address, e-mail address, bank details; transportation services, location, reimbursement costs, etc.

Study subject’s data received to end of service delivery with consequent deletion of identifying data; duration of retention of aggregate data for financial accountability shall be defined by the applicable national laws

Refers to the following activities:

• Development of a Data Management Plan (DMP) before data management activities start to describe the processes used to manage the data throughout the conduct of the study.
• Process for the development of data collection systems for paper based, electronic and hybrid systems; this covers Electronic Data Capture (EDC) software management from configuration, maintenance and change control during production phase.
• Process for the development of data collection systems for paper based, electronic and hybrid systems; this covers Electronic Data Capture (EDC) software management from configuration, maintenance and change control during production phase.
• Process for the development of data collection systems for paper based, electronic and hybrid systems; this covers Electronic Data Capture (EDC) software management from configuration, maintenance and change control during production phase.
• Quality control of the database for paper documents (including defining sample, data and variables to be checked and acceptable threshold as well as actions to be taken according to results).
• Ongoing Data cleaning process during the study from the first data captured to the final database locked. This will be done by using program edit checks, data listings review, medical review, quality review and source data verification. This could include reconciliation with external data.
• Data coding process to allow coding medical data received via the medical database per defined coding guidelines; this will include auto encoding and manual encoding process as well as coding reports review.
• Safety Event Database Reconciliation process to reconcile key safety event data variables stored in the study clinical database and in the safety/pharmacovigilance database.
• Data review (interim, final) where quality  of  the  data  is  evaluated  and  general decisions are taken to ensure the data transmitted for the analysis will have the appropriate level of quality.
• Database lock and unlock process for interim and final study database to restrict access to the database to avoid non-authorized modification of the clean database before the analyses. This include extraction of the database in a specific location ensuring proper read only access but also no change happened between the copy of extracted files and the removal of access rights of the database.
• Data transfer process (import and export) including development of transfer specifications to ensure transfers are performed according to specifications with appropriate quality check. Specification may include transfer method, format, frequency, content of the files (names/labels/formats of the variables), test transfer modality, detection of identifiable data including how they will be handled and specific measures to guarantee the security of the transfer of these data.

Data Management class of services may include data engineering (processing data to enable machine to machine data transmission for instance), data science (development of processing algorithms based on artificial Intelligence techniques) and data analyses (restitution of data in a way adapted to their interpretation and support for decision making). A CRO with the appropriate expertise may also offer data anonymisation of personal data of study subjects via secure methods.

Establishing and/or following the established rules for verification of data accuracy, verification proper, data coding, data entry, communication for service delivery

Verification, control, restoration of data accuracy

Collection/obtainment, access, analysis, alternation, combining, transfer/transmission, de-identification (pseudonymisation, anonymization, aggregation, masking, removal of data elements),, deletion/destruction, storage

Study subjects: study health data, subject identification code, demographic data

Setup of study database to database lock/transfer of trial master file, including anonymization of all or part of personal data

Refers to the following activities:

• Development of a Statistical Analysis Plan (SAP) that describes the variables to be analyzed and the method to be used to perform the analysis.
• Processes for statistical analyses covering the programming, quality control and delivery of statistical analysis, including the datasets, and statistical Tables, Figures and Listings (TFL) outputs and the process to communicate (where, how , access restricted) the results of the statistical analyses to the medical writer for the development of the clinical study report or any other stakeholders, e.g., sponsor.
  

Analysis of study data obtained from the results of data management activities, communication for service delivery

Statistical analyses of study, development of tables, figures and listings (TFL)

Collection/obtainment, analysis, combining, alternation, transfer/transmission, de-identification (pseudonymisation, anonymization, aggregation, masking, removal of data elements), storage

Study subjects: study health data, subject identification code

Development of statistical analysis plan (SAP) to provision of clinical study report to sponsor

Refers to all activities carried out to design the CSR that accurately reports the study objectives, methods, the statistical analyses performed and their results. The results are presented in an aggregated way but some individual coded data can be listed as necessary.

Interpretation of study data in accordance with study results, including aggregated and identifying personal data

Development of description, summary, presentation of analysis of the research via the clinical study report

Collection/obtainment, storage, alternation, transfer/transmission, deletion/destruction, de-identification (pseudonymisation, anonymization, aggregation, masking, removal of data elements)

• Study subjects: study health data, subject identification code, etc.
• Healthcare professionals: name, position, place of work, opinions, qualifications, experience in clinical research, etc.

Receipt of statistical analyses outcomes to acceptance of clinical study report by sponsor

Refers to all processes performed in the frame of the financial monitoring of a clinical research program, and in particular the payment of investigational sites: fees and complementary procedures (additional examinations, products etc.).

Arrangement of money transfer, receipt of payment confirmations

Execution of financial contractual obligations

Collection/obtainment, transfer/transmission, storage, deletion/destruction, de-identification (pseudonymisation, anonymization, aggregation, masking, removal of data elements)

Healthcare professionals: bank account numbers, contact details, location, position, etc.

End of archiving period for financial accountability

The public disclosure is the process where the results of statistical analyses outcomes, documentation developed for the study, clinical study report is spread in the public domain such as regulatory agencies who made available CSR to public, scientific journals or events where the sponsor publish scientific values on the research.

Transfer of study data to a third party location with subsequent disclosure by the third party

Mandatory and requested/voluntary disclosure

Transfer/transmission (as disclosure methods), de-identification (pseudonymisation, anonymization, aggregation, masking, removal of data elements), storage, deletion/destruction

• Study subjects: study health data, subject identification code
• Healthcare professionals: name, position, place of work, opinions, qualifications, experience in clinical research, etc.

Receipt of statistical analyses outcome/CRS to confirmation of performed disclosure

Refers to all activities carried out by the CRO for the translation of study documents/data including personal data, e.g., CSR.

Change of the language code for the representation of study data

Presentation of study data, including personal data, in the language understandable for the authorized recipients

Collection/obtainment, storage, de identification (pseudonymisation, anonymization, aggregation, masking, removing of data elements), deletion/destruction

• Study subjects: data concerning health; photographs and/or video and/or voice recordings not enabling the research subjects to be identified, e.g., masking the face, the eyes, distinctive characteristics, dates pertaining to the conduct of the research, i.e. enrolment date and visit dates; ethnic origin; genetic data strictly necessary to comply with the research objectives or purposes, not enabling the direct or indirect identification; marital status; level of education; socio-professional category; professional life, e.g., occupational exposure; affiliation to social security, (excluding registration number in the national identification directory of natural persons), supplementary insurance (mutual, private insurance); participation in other research or studies, in order to ensure compliance with the inclusion criteria; consumption of tobacco, alcohol and recreational drugs; lifestyles and behaviors, assistance (domestic help, family), physical exercise (intensity, frequency, duration), diet and eating habits, leisure pursuits; lifestyle, e.g., urban, semi-urban, traveler, sedentary; accommodation private house or block of flats, floor, lift, etc.; sex life; vital status, etc.

• Healthcare professionals: surname, name, gender, date of birth, signature, postal address, electronic and telephone contact details, bank details; education: qualification(s); professional life (including professional background, method and type of practice, necessary elements for assessing the knowledge they have for conducting the research); where applicable, registration number in the shared register of healthcare professionals; total compensation and remuneration received; participation in other studies; training schedules, performance; travel itineraries, passport and visa data, travel costs, booking details; travel times, etc.

Delivery of the service, and partial archiving as required for study purposes

Refers to all activities performed by a CRO in the frame of audits, e.g., on-site audits, commissioned where access to confidential information may be required for the audits where personal data falling under the scope of this Code may be concerned.

Review of study data and development of audit evidence

Verification of legal, contractual, applicable standard/regulatory compliance

Collection/obtainment, analysis, transfer/transmission, storage, de identification (pseudonymisation, anonymization, aggregation, masking, removing of data elements), deletion/destruction

Any study data, including personal data listed in services, target data depend on audit scope

Audit request and preparation to end of archival period for the audit documentation, as required by applicable national law

Provision of IT managed services refers to the process of delivering all administration and management services required to maintain a software solution in a fully operational condition according to the terms of the Service Contract to a client. The owner of the source and executable code of the software solution can be a third party, as well as the provider of the IT infrastructure. The applicable usage license conditions shall be included as part of the Service Contract, as well as all conditions of delivery of the software maintenance.

Such software license can be purchased directly by the Sponsor from the IT vendor and used by other CROs according to their Service Contract or purchased by the CRO from the IT vendor who then shall be listed in the sub-processors' list.

 A CRO is providing an IT managed service and may decide to submit this service for the assessment of its compliance with the requirements of the Code, if the CRO

−      Provides and maintains in operational condition the platform for hosting information system applications;

−     Provides and maintains in operational condition the virtual infrastructure of the information system used to process study-related personal data, including health-related data;

−     Manages and operates the information system used to process study-related personal data, including health-related data;

−     Performs backup of the study-related personal data, including health-related data.

Such IT platforms can be as follows:

-        Electronic Data Capture system that can be accessed by investigational sites, CROs staff in charge of monitoring and / or data management as well as sponsor's mandated staff

-        Clinical Trial Management System (CTMS)

-        An Interactive Web Response System (IWRS) platform

-        An electronic Patient Reported Outcome (ePRO) platform etc.

Example:

When a CRO delivers software for TMF maintenance class of services (22), which enables configuring and  further operating/managing the TMF, the CRO is subject to the requirements applicable for services (16).

Establishing tools/mechanisms to perform programmed data flow/processing

Maintaining integrity, availability and confidentiality of data when processed through the delivered software solution

Collection/obtainment, storage, deletion/destruction

• Study subjects: data concerning health; photographs and/or video and/or voice recordings not enabling the research subjects to be identified, e.g., masking the face, the eyes, distinctive characteristics, dates pertaining to the conduct of the research, i.e. enrolment date and visit dates; ethnic origin; genetic data strictly necessary to comply with the research objectives or purposes, not enabling the direct or indirect identification; marital status; level of education; socio-professional category; professional life, e.g., occupational exposure; affiliation to social security, (excluding registration number in the national identification directory of natural persons), supplementary insurance (mutual, private insurance); participation in other research or studies, in order to ensure compliance with the inclusion criteria; consumption of tobacco, alcohol and recreational drugs; lifestyles and behaviors, assistance (domestic help, family), physical exercise (intensity, frequency, duration), diet and eating habits, leisure pursuits; lifestyle, e.g., urban, semi-urban, traveler, sedentary; accommodation private house or block of flats, floor, lift, etc.; sex life; vital status, etc. May imply combination of minimal health data, e.g., disease name, general information on the individuals’ specific health condition; with identifying data of study subjects, e.g., surname, name, postal address, e-mail address, bank details; transportation services, location, reimbursement costs, etc.

• Healthcare professionals: surname, name, gender, date of birth, signature, postal address, electronic and telephone contact details, bank details; education: qualification(s); professional life (including professional background, method and type of practice, necessary elements for assessing the knowledge they have for conducting the research); where applicable, registration number in the shared register of healthcare professionals; total compensation and remuneration received; participation in other studies; training schedules, performance; travel itineraries, passport and visa data, travel costs, booking details; travel times, etc.

Until termination of consultation and maintenance

Provision of physical hosting infrastructure refers to all processes required to deliver to a client the necessary physical resources to host a software solution, such as secure data centre facilities, including processing capacity, data storage space, internet connectivity, monitoring systems etc. As well as possible virtualisation technologies and/or management resources.

A CRO is providing an IT managed service and may decide to submit this service for the assessment of its compliance with the requirements of the Code, if the CRO

−    Provides and maintains in operational condition the physical sites for hosting the hardware infrastructure of the information system used to process study-related personal data, including health-related data.

−  Provides and maintains in operational condition of the hardware infrastructure of the information system used to process study-related personal data, including health-related data.

Such services are to a large extent ‘domain agnostic’, and physical infrastructure can be implemented ‘on premises’ by a corporation or a hospital. However, continuity of service, security and confidentiality challenges are such, that the demand for the provision of Infrastructure as a Service or "virtualised data centre services" is growing and some countries throughout the EU member states have now developed standards (largely based on ISO 27001) or even certification processes for the delivery of such services when they are purchased for the delivery of IT solutions hosting health data. Service Providers delivering IT Managed Service may purchase such physical hosting infrastructure from third parties.

Example:

-     When a CRO provides the software for TMF maintenance class of services (22), which enables configuring and further operating/managing the TMF, as well as installs the software on its hosts the hardware provided and maintained by the CRO on its premises, at least until the shipment to the Sponsor the CRO is subject to the requirements applicable for services (16) and (17).

-  A sponsor purchases from an IT vendor an EDC-CTMS solution to run all its studies. The Service Contract foresees that the IT vendor provides a "turn-key" solution, with all the required secure hosting facilities, including data center, servers, firewall, etc. If the software was provided for the sponsor for the Sponsor to use "on-premises" in their own environment, the secure hosting facilities would be those of the Sponsor and the secure hosting service would not be included neither in the Service Contract, nor in the related Data Processing Agreement.

Establishing and maintaining secure environment for data use

Ensuring appropriate technical and organizational measures for data use

Collection/obtainment, storage, transfer/transmission, deletion/destruction

• Study subjects: data concerning health; photographs and/or video and/or voice recordings not enabling the research subjects to be identified, e.g., masking the face, the eyes, distinctive characteristics, dates pertaining to the conduct of the research, i.e. enrolment date and visit dates; ethnic origin; genetic data strictly necessary to comply with the research objectives or purposes, not enabling the direct or indirect identification; marital status; level of education; socio-professional category; professional life, e.g., occupational exposure; affiliation to social security, (excluding registration number in the national identification directory of natural persons), supplementary insurance (mutual, private insurance); participation in other research or studies, in order to ensure compliance with the inclusion criteria; consumption of tobacco, alcohol and recreational drugs; lifestyles and behaviors, assistance (domestic help, family), physical exercise (intensity, frequency, duration), diet and eating habits, leisure pursuits; lifestyle, e.g., urban, semi-urban, traveler, sedentary; accommodation private house or block of flats, floor, lift, etc.; sex life; vital status, etc. May imply combination of minimal health data, e.g., disease name, general information on the individuals’ specific health condition; with identifying data of study subjects, e.g., surname, name, postal address, e-mail address, bank details; transportation services, location, reimbursement costs, etc.

• Healthcare professionals: surname, name, gender, date of birth, signature, postal address, electronic and telephone contact details, bank details; education: qualification(s); professional life (including professional background, method and type of practice, necessary elements for assessing the knowledge they have for conducting the research); where applicable, registration number in the shared register of healthcare professionals; total compensation and remuneration received; participation in other studies; training schedules, performance; travel itineraries, passport and visa data, travel costs, booking details; travel times, etc.; bank account numbers, contact details, location, position, etc.

Until completion/termination of service

Refers to the process consisting in providing technical support to users of an IT platform used in the context of one or several clinical studies. This kind of service is usually included in the Service Contract of IT vendors. It can include a shared information system to record and follow every request for support (ticketing system). It requires that personal data from the potential users (investigators, clinical research assistants, clinical nurses etc.) be collected. Because the users may refer to practical cases / situations, patients' data may be exchanged with the hotliners. This may also be the case if the IT platform includes ePRO or eCOA systems and first level support is provided by the IT vendor.

Providing technical support to resolve technical difficulties related to the use of software employed to process personal data

Ensuring organizational security measures for data use

Collection/obtainment, storage, transfer/transmission, deletion/destruction, de identification (pseudonymisation, anonymization, aggregation, masking, removing of data elements)

• Study subjects: data concerning health; photographs and/or video and/or voice recordings not enabling the research subjects to be identified, e.g., masking the face, the eyes, distinctive characteristics, dates pertaining to the conduct of the research, i.e. enrolment date and visit dates; ethnic origin; genetic data strictly necessary to comply with the research objectives or purposes, not enabling the direct or indirect identification; marital status; level of education; socio-professional category; professional life, e.g., occupational exposure; affiliation to social security, (excluding registration number in the national identification directory of natural persons), supplementary insurance (mutual, private insurance); participation in other research or studies, in order to ensure compliance with the inclusion criteria; consumption of tobacco, alcohol and recreational drugs; lifestyles and behaviors, assistance (domestic help, family), physical exercise (intensity, frequency, duration), diet and eating habits, leisure pursuits; lifestyle, e.g., urban, semi-urban, traveler, sedentary; accommodation private house or block of flats, floor, lift, etc.; sex life; vital status, etc. May imply combination of minimal health data, e.g., disease name, general information on the individuals’ specific health condition; with identifying data of study subjects, e.g., surname, name, postal address, e-mail address, bank details; transportation services, location, reimbursement costs, etc.

• Healthcare professionals: surname, name, gender, date of birth, signature, postal address, electronic and telephone contact details, bank details; education: qualification(s); professional life (including professional background, method and type of practice, necessary elements for assessing the knowledge they have for conducting the research); where applicable, registration number in the shared register of healthcare professionals; total compensation and remuneration received; participation in other studies; training schedules, performance; travel itineraries, passport and visa data, travel costs, booking details; travel times, etc.; bank account numbers, contact details, location, position, etc.

Until completion/termination of service

Refers to the process consisting in removing / deleting all data of a client from the IT environment of the provider when the contractual relationship terminates. The Service Contract shall include provisions for decommissioning services.

Decommissioning services shall be required for any class of services that envisages the employment of a computer system processing personal data. The Data Processing Agreement shall implement the corresponding requirements for those data falling under the GDPR.

Example 1:

In this example, a sponsor subcontracts the realization of a clinical study to a CRO who purchases an EDC system for that specific study. The EDC system is a multitenant system delivered as a Software as a Service (SaaS).

When the contract between the CRO and the IT Vendor terminates, decommissioning services consist in deleting all study data from the EDC platform. In this case through, the multitenant EDC software remains fully operational for other studies after the decommissioning was completed.

Example 2:

In this example, a sponsor purchases an EDC-CTMS system from an IT Vendor to carry a range of clinical studies. The EDC-CTMS system is required to be deployed in a dedicated secure hosting environment provided by the IT vendor. When the contract between the CRO and the IT vendor terminates, decommissioning services consist in deleting the dedicated hosting environment, including study data from all the studies that have been performed using this EDC-CTMS platform.

Removing the concerned personal data from IT environment

Ensuring technical and organizational security measures for data use

Collection/obtainment, deletion/destruction, de identification (pseudonymisation, anonymization, aggregation, masking, removing of data elements)

• Study subjects: data concerning health; photographs and/or video and/or voice recordings not enabling the research subjects to be identified, e.g., masking the face, the eyes, distinctive characteristics, dates pertaining to the conduct of the research, i.e. enrolment date and visit dates; ethnic origin; genetic data strictly necessary to comply with the research objectives or purposes, not enabling the direct or indirect identification; marital status; level of education; socio-professional category; professional life, e.g., occupational exposure; affiliation to social security, (excluding registration number in the national identification directory of natural persons), supplementary insurance (mutual, private insurance); participation in other research or studies, in order to ensure compliance with the inclusion criteria; consumption of tobacco, alcohol and recreational drugs; lifestyles and behaviors, assistance (domestic help, family), physical exercise (intensity, frequency, duration), diet and eating habits, leisure pursuits; lifestyle, e.g., urban, semi-urban, traveler, sedentary; accommodation private house or block of flats, floor, lift, etc.; sex life; vital status, etc. May imply combination of minimal health data, e.g., disease name, general information on the individuals’ specific health condition; with identifying data of study subjects, e.g., surname, name, postal address, e-mail address, bank details; transportation services, location, reimbursement costs, etc.

• Healthcare professionals: surname, name, gender, date of birth, signature, postal address, electronic and telephone contact details, bank details; education: qualification(s); professional life (including professional background, method and type of practice, necessary elements for assessing the knowledge they have for conducting the research); where applicable, registration number in the shared register of healthcare professionals; total compensation and remuneration received; participation in other studies; training schedules, performance; travel itineraries, passport and visa data, travel costs, booking details; travel times, etc.; bank account numbers, contact details, location, position, etc.

Until termination/completion of service

TMF is set of electronic records and/or hardcopies relating to a clinical study, systematized and indexed for easy retrieval and use. The service consists in TMF

• Setup in agreement with the sponsor’s requirements, if any
• Assigning responsibilities for the filing and maintenance
• Identifying the study documents that are subject to filing
• Carrying out ongoing submission and processing of the documents
• Storage
• Review for accuracy and compliance with the regulatory and sponsor’s specifications
• Transfer to the sponsor

Maintenance of Trial Master File (TMF)

Essential study documents, including personal data are catalogued in a standard manner, in compliance with ICH GCP and all other applicable standard

Collection/obtainment, storage, deletion/destruction

• Study subjects: any pseudonymised personal data processed for the research
• Healthcare professionals: any personal data processed for the research

TMF setup to transmission of the TMF to the research sponsor

Refers to services provided by the CRO to support the sponsors or the investigational sites to comply with their obligations after the end of the study. For example, according to GCP and CTR (2014/536), sponsors and investigational sites are required to archive all study related documents (TMF) and study data.

Data storage in accessible format with no active access envisaged

Maintaining data availability for regulators, future studies, additional authorization submissions

Collection/obtainment, archival, deletion/destruction, de identification (pseudonymisation, anonymization, aggregation, masking, removing of data elements)

• Study subjects: any pseudonymised personal data processed for the research
• Healthcare professionals: any personal data processed for the research

At least 25 years after the end or cancellation of the research; or any other duration according to type of studies and per applicable legal/regulatory/standard/contractual requirements

Transfer of personal data to regulatory authorities for evaluation of study personnel qualifications as a criteria of permission for study conduct

Compliance with the legal obligations to ensure appropriate qualifications of healthcare professionals through submission of regulatory dossiers accounting for adequate qualification of researches/investigators

Collection/obtainment, transfer/transmission, storage, archival, deletion/destruction

Healthcare professionals: surname, name, gender, date of birth, postal address, electronic and telephone contact details, bank details; education: qualification(s); professional life (including professional background, method and type of practice, necessary elements for assessing the knowledge they have for conducting the research); where applicable, registration number in the shared register of healthcare professionals; total compensation and remuneration received; participation in other studies, signature

Study subjects: any pseudonymised personal data processed for the research Healthcare professionals: any personal data processed for the research

Transfer of personal data of healthcare professionals to travel agencies, hotels, visa centers, and other third parties whose services are needed to enable transportation of healthcare professionals to the location of the investigative meeting

Ensure appropriate awareness of the investigative team of the research protocol and study requirements through delivering face to face research documents-focused trainings, enabling healthcare professional to network exchanging their experience in similar research; especially relevant for multinational research conducted at multiple investigational sites

Collection/obtainment, transfer/transmission, storage, de identification (pseudonymisation, anonymization, aggregation, masking, removing of data elements), deletion/destruction

Healthcare professionals: surname, name, postal address, electronic and telephone contact details, bank details; position, birth country, birth city, national ID type, national ID, citizenship status, citizenship country, nationality, travel details, national and international passport, visa applications, visa details, travel dates, itinerary, hotel booking details; bank account numbers, etc.

From acceptance by healthcare professional of the invitation to the investigator meeting to the provision of compensation of travel expenses to the healthcare professional by the sponsor; and/or end of retention of all financial accountability documents by CRO