Diana Jabbar-Lopez on rare diseases, patient data and how life science organisations can maintain compliance in the search for breakthrough treatments.
There are thousands of rare diseases with often only a few hundred people worldwide diagnosed with a single condition. Finding enough patients who fit the right criteria for a rare disease clinical trial is a significant challenge. Research organisations must find ways to overcome this obstacle while also continuing to improve treatment for life-changing conditions.
Sharing data to advance clinical research is of particular importance to rare diseases where expertise is limited, and patient populations are geographically dispersed. The definition and regulations affecting rare diseases also differ considerably by jurisdictions, creating further challenges in managing the logistics of conducting research across multiple locations.
The majority of patients diagnosed with a rare disease are children and young people, which adds to the complexity of data sharing in rare disease research. This means that companies often need to adhere to additional regulations in the handling of patient data for vulnerable groups.
These challenges force many clinical research organisations (CROs) and drug developers to reach out to more patients across borders. As a result, requiring compliance with many different regulations in order to recruit sufficient patients to obtain informative results. Sharing comprehensive data between sites, companies, countries and continents is crucial.
The majority of rare diseases have a genetic component so sharing genomic data is essential to predict, prevent, diagnose and develop new drugs and treatments. To help process the rich data available from studying rare diseases, many companies use Artificial Intelligence (AI) to help identify trends and patterns. This raises further concerns around data protection compliance. So how can the life sciences industry ensure data compliance while nurturing innovation in such an important area of research?
The two most well-known data privacy regulations in recent years are the HIPPA in the US and the GDPR in the EU. While similar in many ways, in practice, they both differ on areas such as consent requirements, definition of personal data, deletion of data, and data breach requirements.
The GDPR’s scope is much broader and it covers all personal data, regardless of the industry and geography whereas HIPPA has a much narrower scope focusing solely on healthcare.
Meanwhile, other countries are building out their own data privacy regulations. For example, the Brazilian General Data Protection Law (LGPD), India’s Personal Data Protection Bill, Chile’s Privacy Bill Initiative and the New Zealand Privacy Bill. This is an area in constant flux at different rates around the world.
These differences present significant challenges for global life science companies to apply a consistent approach to processing patient and genomic data for research and drug development. For companies to remain compliant and safeguard their innovation practices, they must engage with local regulators and local market data experts.
Most people are reluctant to share their personal health data. However, there is evidence that within the rare disease population, individuals are much more willing to share their data as they may benefit from the researchers making use of this information. Informed consent is crucial for patients to feel comfortable sharing their personal health data with multiple companies across multiple jurisdictions.
Data Protection Officers (DPOs), as mandated by the GDPR, can play a key role in fostering this open communication. HewardMills is a global DPO provider, from our experience DPOs can be a much-needed link between a company, patients and data regulators. Local DPOs can support research organisation by closely following the development of specific in-market privacy laws.
To help ensure open data sharing that remains compliant, DPOs can also make sure that patients are provided as much detail as possible on the project. Individuals are increasingly aware of their privacy rights and they may want more control over their data. One of the most common privacy concerns amongst patients is the sharing of their data with third parties, so it is important to be completely transparent in this area.
Active patient participation breaks down barriers and builds trust; a critical step when engaging with such a limited and often vulnerable population.
In navigating the complicated and ever changing global regulatory landscape, life science organisations often come across data sharing blockers. The differences between different markets adds to the complexity as companies can’t apply a single global approach to data handling for research purposes.
Given the complexities of this process, many organisations employ a restricted data sharing model where they run separate and local analyses. In this model, the size of the database is significantly limited so the analysis is less comprehensive.
To make this point clearer it is worth highlighting the GDPR’s ‘secondary use’ for research purposes where even among EU countries there are different views on how to implement this requirement. For example, while secondary research is typically allowed in Spain without additional patient consent, in Italy researchers often have to reconfirm patient consent for research purposes.
A popular solution to this problem is anonymising data for international collaboration. While this ensures compliance, it can restrict how the data could have been used for future scientific research. In particular, future developments can come from re-contacting certain patients, which isn’t possible with anonymised data.
There are many initiatives that have already started the discussion around making data sharing much more efficient globally, including between privacy and public organisations.
For example, in the UK the Information Commissioner’s Office (ICO) awarded the PHG Foundation (run by Cambridge University) a research grant to investigate how the GDPR impacts the field of genomics. This highlights an important need for sector-specific solutions such as standard contractual clauses, codes of conduct, and certification mechanisms to facilitate international transfer of genomic data.
These collaborations among multi-stakeholders are crucial to ensure data privacy doesn’t prevent medical research. In the case of the EU, consistency across regulators’ interpretation on the processing of healthcare data in research is key to help data sharing in a more flexible and efficient way.
Internally, organisations should use the support from the DPO to continue these conversations and embed practices that trigger compliance analyses and build privacy by design.
Diana Jabbar-Lopez is a Data Protection and Privacy Consultant at HewardMills, a global company providing DPO (data protection officer) services. Diana is based in Switzerland.
Sign up to our newsletter