When embarking on clinical trials, it’s important for organizations to handle participants’ personal data with heightened caution, given its sensitive nature. Simultaneously, compliance with specific legal requirements, especially those unique to each country, becomes imperative. Take France, for instance. The CNIL, its data protection authority, requires organizations to obtain prior authorization to conduct certain types of research.
Fortunately, navigating the intricate landscape of data protection during clinical trials is eased by the CNIL’s reference methodologies. These present a structured approach to compliance. Adhering to one of these methodologies empowers organizations to process personal data through self-declared compliance, sidestepping the often cumbersome prior authorization process. In this post, our spotlight is on one specific methodology: MR-001.
What is MR-001?
MR-001 is CNIL’s research methodology for studies requiring consent from participants and is tailored for:
- interventional research, including research with minimal risks and constraints;
- clinical trials of drugs, with the exception of clinical trials in clusters; and
- research requiring examination of genetic characteristics.
If an organization intends to undertake the specified research, it can opt for one of two routes: conform its processing activities to MR-001 methodology and self-declare compliance to CNIL via a MR-001 Declaration, or submit a research authorization request to CNIL.
It’s recommended to follow the MR-001 methodology and the self-declaration process due to its efficiency, saving time compared to seeking CNIL authorization. However, one of the above approaches should be attended to before any processing of personal data in connection with a study in France takes place. Further, it is important to note that the MR-001 Declaration and CNIL authorization process is distinct from the submission to the relevant ethics committee and separate ethics committee approval must still be sought.
Although declaring conformity with the MR-001 methodology is considered to be the more efficient option, there are still several items that need to be attended to before an organization can declare conformity, and some of them can be quite time-intensive.
Relevance and Scope of MR-001
MR-001 is pertinent for any organization conducting clinical trials in France and includes a limited list of personal data categories that can be processed in the context of the trial. Categories of personal data such as identity, age, health data, ethnicity, family situation, education level, and lifestyle habits, can be processed while specific categories of sensitive data, such as religion or criminal offenses, are off-limits. The sponsor of the trial needs to be able to justify that the personal data collected is relevant, adequate, and strictly necessary. For example, if a sponsor wishes to collect ethnicity related data, the specific scientific reasons justifying such collection must be documented.
What are the MR-001 requirements?
In order to conform to MR-001, the data controller (the sponsor of the trial) must comply with various obligations. These include, for example:
- The data controller must carry out a data protection impact assessment (DPIA) before declaring compliance with MR-001.
- The data controller must appoint a data protection officer (DPO), in accordance with article 37 of the GDPR.
- Research participants must be provided with prescribed information regarding the research. This includes information on the collection of personal data which shall be compliant with MR-001 requirements and the provisions of Article 13 of the GDPR including information such as the identity and contact details of the data controller, the purpose of the processing, the legal basis for processing, etc.
- A privacy notice must also be provided to health professionals involved in the research.
- A security and confidentiality policy must be implemented and monitored.
Limitations and Restrictions
While MR-001 streamlines clinical trial requirements, it has limitations. On-site monitoring is allowed, but remote monitoring requires CNIL authorization. There are also restrictions on cross-border transfers of personal data. Only the following may be transferred outside the European Union:
- Data indirectly identifying clinical trial participants (i.e. pseudonymized data); and
- Data that directly or indirectly identifies research professionals involved in the research.
Furthermore, the transfer must be strictly necessary for the implementation of the research or the exploitation of its results and is subject to the specific provisions and safeguards of the GDPR.
A Word of Warning
While the CNIL’s reference methodologies enable smoother compliance, it is important to recognize that the CNIL actively monitors adherence to these methodologies. In a notable development in 2023, the regulatory body issued warnings to two medical research organizations for non-compliance. The infractions primarily revolved around failures to provide adequate information to participants and to conduct a comprehensive DPIA.
These incidents underscore the necessity for organizations to meticulously assess their compliance posture before declaring conformance to MR-001. Beyond the initial declaration, a sustained commitment to the stipulated obligations is also imperative. Regular internal audits and reviews ensure that the organization not only meets the baseline requirements but consistently upholds the integrity and security of participants’ personal data throughout the course of the research. Remember, compliance is not a one-time box-ticking exercise but an ongoing commitment to the requirements set forth by CNIL.
Navigating the intricacies of MR-001 can be complex, but the VeraSafe team is ready to assist your organization in achieving and maintaining compliance. From initial assessments to continuous support, we help clinical trial sponsors align with the stringent requirements outlined by CNIL, fostering a seamless and legally sound clinical trial process.
You may also like:
Guide to DPIAs in EU Clinical Trials: Navigating Regulatory Submissions
Viable Transfer Mechanism for Key-Coded Clinical Trial Data
Data Privacy Automation: Pros, Cons, and Pitfalls of Streamlining Compliance