Subject Access Requests (SARs), also known as Data Subject Access Requests (DSARs), are a core right under the GDPR and many other global data privacy laws. These requests allow individuals to access the personal data that organizations hold about them, promoting transparency and accountability in data processing.
Although SARs are a common compliance requirement across industries, they present unique challenges in the clinical trial context. Clinical trial sponsors and research institutions must strike a careful balance between upholding participants’ privacy rights and maintaining the scientific integrity of research data. This article examines SARs within the context of clinical trials and offers practical advice for meeting compliance obligations.
SARs Beyond Participants
While the challenges of SARs in clinical trials usually concern protecting scientific integrity and managing key-coded or pseudonymized participant data, a trial also processes personal data of healthcare personnel and other staff. Those SARs are usually less complex, because the data is not tied to research activities, but they must still be handled with due care in accordance with all applicable requirements.
Access Rights vs. Scientific Obligations
At their core, SARs allow individuals to confirm whether their personal data is being processed and, if so, to access or obtain a copy of that data. Organizations must typically provide further information such as the purposes of processing, categories of personal data involved, recipients, retention periods, and the individual’s data protection rights.
Under the GDPR, Article 15 specifies these disclosure requirements, but other regulations such as the California Consumer Privacy Act (CCPA) and Brazil’s General Data Protection Law (LGPD) have similar provisions with variations in scope and detail.
Beyond the core trial dataset, SARs may also encompass other sources of personal data, such as participant recruitment platforms, internal communications, and administrative systems. Effectively responding to requests requires a comprehensive understanding of the data lifecycle and the various systems where personal data may be stored.
The Right to Deletion and Its Challenges in Clinical Trials
Access requests are often accompanied by requests for deletion, the right to erasure under GDPR Article 17. While this right exists under many data protection laws, it is limited in clinical trials. Personal data already incorporated into the research dataset is generally retained to preserve the scientific integrity and reliability of the study and to meet regulatory record-keeping obligations; the GDPR itself recognises this in Article 17(3), which exempts processing that is necessary to comply with a legal obligation and processing for scientific research purposes where erasure would seriously impair the research objectives. Although participants may withdraw consent or request deletion, previously collected data is typically not erased or altered, because doing so could compromise study results and violate ethical research standards, including Good Clinical Practice (GCP).
The Informed Consent Form (ICF) is the primary document for managing participant expectations regarding data deletion. It should explicitly state that withdrawal from the trial does not guarantee deletion of data already collected and integrated into the research dataset. The ICF should also explain the rationale for this limitation, linking it to scientific validity and regulatory compliance.
Sponsors should regularly review and update the ICF to ensure it reflects current legal requirements and research practices. Providing clear, understandable language in the ICF helps minimize later disputes and supports transparent communication with participants.
When deletion requests are received, prompt and clear explanations should be provided to participants about why erasure is not feasible. Coordinated efforts between privacy officers and clinical teams are essential to balance respect for participants’ rights with adherence to scientific and regulatory frameworks.
AI, Data Access, and Transparency in Clinical Trials
The use of artificial intelligence (AI) and automated decision-making is becoming more prevalent in clinical trials, particularly for tasks such as participant selection and outcome prediction.
Under the GDPR (Articles 13 to 15 together with Article 22), where a decision is based solely on automated processing and produces legal or similarly significant effects for the individual, the controller must provide meaningful information about the logic involved, the categories of data used, and the significance and envisaged consequences for the individual. Although this requirement is explicitly defined in the GDPR, other jurisdictions are increasingly introducing similar transparency obligations.
Even when these AI models are complex, organizations must provide clear, easy-to-understand explanations about how decisions are made. The Advocate General of the CJEU has stressed that organizations cannot avoid this responsibility by saying the information is too complicated. Instead, it is up to the data controller to provide information that helps individuals understand what data was used and how it influenced the decision.
Handling SARs
Managing SARs effectively begins long before a request is made. A well-designed informed consent form and privacy notice should clearly explain which data rights apply and any limitations, such as the inability to delete data once it is incorporated into the trial dataset. This helps participants understand the scope of their rights and identify the appropriate point of contact.
Once a SAR is received, the organization handling it must first verify the requester's identity by means proportionate to the sensitivity of the data, asking only for the additional information needed to resolve a reasonable doubt. Next, it must determine which privacy law applies, as different laws impose different response timelines. The GDPR generally requires a response within one month, which may be extended by two further months for complex or numerous requests, provided the individual is told of the extension and its reasons within the initial month. The CCPA allows 45 days to respond, with a possible 45-day extension. Brazil's LGPD requires a response within 15 days. Regardless of jurisdiction, best practice is to acknowledge the request promptly and keep the individual informed throughout the process, especially when more time is needed.
After identifying the applicable data, one must assess what can lawfully be disclosed. Administrative personal data is normally disclosable. Truly anonymized data is no longer personal data and falls outside the request, while key-coded research data held by the sponsor cannot be linked to the requester without the investigator's code key, and research-critical data (such as treatment allocation in a blinded trial) may have to be withheld on scientific or regulatory grounds. Throughout the response process, communication should be secure and easy to understand, and if access to certain data must be limited or denied, the rationale should be clearly explained to the requester.
The Sponsor’s Role in SARs
Typically, the sponsor of a clinical trial does not hold identifiable participant data: trial data reaches the sponsor key-coded (pseudonymized), and the key linking codes to identities stays with the investigator site. In blinded trials, a SAR answered by the sponsor could additionally reveal treatment allocation. Accordingly, the sponsor's role in handling SARs must be carefully managed to avoid compromising the blind and the study's scientific integrity, and the investigator or study site is usually better positioned to respond. When a sponsor receives a SAR from a participant, the participant should be referred to their study doctor or the trial site. It is recommended to adopt a policy for handling such SARs to streamline the process and avoid situations that might compromise the study's integrity. Any referral of a participant's request to the site or elsewhere should be documented.
Documenting SAR Responses for Compliance
Maintaining a consistent approach to SAR handling is essential for demonstrating compliance. Organizations should keep a centralized SAR log, document identity verification procedures, track response timelines and correspondence, and record legal or scientific justifications for any limitations placed on the request. Assigning clear responsibility for SAR management helps ensure that responses are handled consistently and meet regulatory standards.
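As an added example (not code from the original article or from VeraSafe), the following Python sketch turns the handling steps above into a minimal SAR register: it computes the initial deadline from the timelines cited for the GDPR, CCPA and LGPD, applies an extension only where one exists and only if it is notified before the initial deadline lapses, and records identity verification, referrals to the study site, and any limitation together with its justification. The regime table, the clamping of "one month" to the last day of the target month, the absence of an LGPD extension, and all sample entries are assumptions made for illustration.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed timeline table taken from the article: periods are (months, days),
# the extension is added on top of the initial deadline, and LGPD is given
# no extension because the article states none.
REGIMES = {
    "GDPR": {"base": (1, 0), "extension": (2, 0)},
    "CCPA": {"base": (0, 45), "extension": (0, 45)},
    "LGPD": {"base": (0, 15), "extension": None},
}


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month, so a
    request received on 31 January falls due on the last day of February."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def add_period(d: date, period: tuple[int, int]) -> date:
    months, days = period
    return add_months(d, months) + timedelta(days=days)


@dataclass
class SAR:
    ref: str
    received: date
    regime: str
    requester: str                       # e.g. "participant" or "site staff"
    deadline: date = field(init=False)
    identity_verified: bool = False
    extended: bool = False
    referred_to: Optional[str] = None
    limitations: list[tuple[str, str]] = field(default_factory=list)
    events: list[tuple[date, str]] = field(default_factory=list)  # audit trail
    closed: Optional[date] = None

    def __post_init__(self) -> None:
        if self.regime not in REGIMES:
            raise ValueError(f"unknown regime {self.regime!r}")
        self.deadline = add_period(self.received, REGIMES[self.regime]["base"])
        self.events.append((self.received, f"received; initial deadline {self.deadline}"))

    def verify_identity(self, method: str, on: date) -> None:
        # Identity verification is the gate before any data is disclosed;
        # the method used is part of the compliance record.
        self.identity_verified = True
        self.events.append((on, f"identity verified: {method}"))

    def extend(self, reason: str, on: date) -> date:
        """Apply the regime's extension once, and only while the initial
        deadline has not yet passed (the requester must be notified in time)."""
        extension = REGIMES[self.regime]["extension"]
        if extension is None:
            raise ValueError(f"{self.regime} allows no extension")
        if self.extended or on > self.deadline:
            raise ValueError("extension already used or notified too late")
        self.deadline = add_period(self.deadline, extension)
        self.extended = True
        self.events.append((on, f"extended to {self.deadline}: {reason}"))
        return self.deadline

    def refer(self, to: str, on: date) -> None:
        # A sponsor holding only key-coded data refers the participant to
        # the site and documents that it did so.
        self.referred_to = to
        self.events.append((on, f"referred requester to {to}"))

    def limit(self, data_category: str, justification: str, on: date) -> None:
        # Every restriction on disclosure or erasure carries its stated
        # legal or scientific justification.
        self.limitations.append((data_category, justification))
        self.events.append((on, f"limitation on {data_category}: {justification}"))

    def close(self, on: date) -> None:
        if not self.identity_verified and self.referred_to is None:
            raise ValueError("cannot close: identity not verified and no referral")
        self.closed = on
        self.events.append((on, "closed"))

    def status(self, today: date) -> str:
        if self.closed is not None:
            return "closed"
        return "overdue" if today > self.deadline else "open"


def overdue(register: list[SAR], today: date) -> list[str]:
    """References of open requests that have passed their deadline."""
    return [s.ref for s in register if s.status(today) == "overdue"]
```

The register deliberately refuses an extension after the initial deadline has lapsed and refuses to close a request that was neither verified nor referred, so the two failure modes most likely to draw regulatory attention cannot be recorded as routine.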
Subject Access Requests involve complex requirements and increasing enforcement risks, especially in clinical trial settings. VeraSafe helps organizations develop and maintain SAR processes that comply with GDPR, CCPA, and emerging AI regulations. Contact VeraSafe to schedule a free consultation and ensure your SAR procedures are compliant and efficient.