This is an open-access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR Medical Informatics, is properly cited. The complete bibliographic information, a link to the original publication on http://medinform.jmir.org/, as well as this copyright and license information must be included.
Obtaining data without the intervention of a health care provider represents an opportunity to expand understanding of the safety of medications used in difficult-to-study situations, like the first trimester of pregnancy when women may not present for medical care. While it is widely agreed that personal data, and in particular medical data, needs to be protected from unauthorized use, data protection requirements for population-based studies vary substantially by country. For public-private partnerships, the complexities are enhanced. The objective of this viewpoint paper is to illustrate the challenges related to data protection based on our experiences when performing relatively straightforward direct-to-patient noninterventional research via the Internet or telephone in four European countries. Pregnant women were invited to participate via the Internet or using an automated telephone response system in Denmark, the Netherlands, Poland, and the United Kingdom. Information was sought on medications, other factors that may cause birth defects, and pregnancy outcome. Issues relating to legal controllership of data were most problematic; assuring compliance with data protection requirements took about two years. There were also inconsistencies in the willingness to accept nonwritten informed consent. Nonetheless, enrollment and data collection have been completed, and analysis is in progress. Using direct reporting from consumers to study the safety of medicinal products allows researchers to address a myriad of research questions relating to everyday clinical practice, including treatment heterogeneity in population subgroups not traditionally included in clinical trials, like pregnant women, children, and the elderly. Nonetheless, there are a variety of administrative barriers relating to data protection and informed consent, particularly within the structure of a public-private partnership.
The Declaration of Helsinki extends the ancient medical tenet of “
Consider, as an example, the importance of understanding which medications can be safely used during pregnancy, especially during the first trimester, since some exposures at this time may have teratogenic potential [
Here, we describe the legislative challenges in data ownership and barriers to approval faced by a public-private partnership in conducting an observational study of self-reported maternal medication use and pregnancy outcomes.
This observational study of direct-to-consumer data collection on various exposures during pregnancy was conducted through a public-private partnership known as the Pharmacoepidemiological Research on Outcomes of Therapeutics by a European ConsorTium (PROTECT) [
While other PROTECT work packages focused on methodological challenges using existing data sources, we explored digital technologies for frequent and timely data collection from consumers for the purposes of determining whether this is a viable alternative as a pharmacovigilance tool.
This study was conducted according to the current best practices for noninterventional drug safety research including full protocol, specification of analytic methods and data to be collected, and a description of the plan for protecting human subjects [
There was substantial variation in the requirements for ethical review.
Country specific protocol differences; ethical and data protection requirements and timing.
Protocol |
Denmark | Netherlands | Poland | United Kingdom | European Medicines Agency |
Country lead | Statens Serum Institute | University of Groningen | Poznan University of Medical Sciences | Newcastle University |
N/Aa |
Minimum age (years) | 18 | 18 | 18 | 16 | N/Aa |
Informed consent | Electronic only, IVRSb not acceptable | Both Internet and IVRSb possible | Written informed consent required in addition to Internet and IVRSb informed consent | Both Internet and IVRSb possible | N/Aa |
Consent for individual record linkage | Required for study entry | N/Aa | N/Aa | Separate consent requested | N/Aa |
Ethical approval |
Not required | Waiver (certificate of nonobjection) | 1 week | 3 weeks | N/Aa |
Time for |
~3 months | 1 day | 9 months | 2 weeks | 3 months opinion, 5 months prior check |
a N/A=not applicable
b IVRS = Interactive Voice Response system
Denmark did not require ethical review for an observational study. In the Netherlands, a waiver (literally, a certification of nonobjection) was granted since the personal identifiers were securely retained and maintained separately from study analysis files. In Poland and the UK, ethics submission required submitting the study protocol and all study documents (informed consent, questionnaires, etc) and other administrative information.
It is also worth noting the differences between countries in enrollment requirements and informed consent. Although the study was designed to give the choice of participating by phone or Internet to facilitate recruitment of low-income women, one country required all participants to enroll on the Internet before being able to respond by phone, and another required printing and mailing written informed consent in addition to consent by phone or Internet.
Formal notifications were required for data protection. The European Medicines Agency, as required under Article 27 of Regulation (EC) number 45/2001, submitted a notification for prior check with the European Data Protection Supervisor (EDPS) in October 2010. The EDPS opinion was that, since all study partners were involved in the development of the protocol and all could decide on the “means and purposes of the processing of personal data” and review results, all study partners effectively determined the purposes of the collection of the data and were “joint controllers”. As a result of this ruling, a formal memorandum was prepared detailing each partner’s role and participation in the study, responsibilities to the study and other partners, and to data protection. It took about 14 months to get these agreements in place, since they required agreement from all study partners. After these provisions were in place, the EDPS confirmed that the processing operations would not involve any breach of Regulation (EC) No 45/2001.
In the Netherlands, approval of data protection was granted on the same day the request was submitted, and review was also relatively quick in the UK and in Denmark. However, review by the Polish Data Protection Agency took 9 months and required submission of special items including the characteristics of the Personal Data Administrator, the technical and organizational conditions, and how those conditions would be fulfilled to comply with Polish legislation.
Data collection for this study closed in the first quarter of 2015. Analyses examining the type of information reported by respondents are in progress, including comparisons of self-reported data with that available from electronic medical records and with the Danish National Prescription Registry. Analyses will be completed in 2015.
Using direct reporting from consumers to study the safety of medicinal products allows researchers to address a myriad of research questions relating to everyday clinical practice, including treatment heterogeneity in population subgroups not traditionally included in clinical trials, like pregnant women, children, and the elderly. Internet-based studies such as this may also be useful for studying illicit drug use and other risky behaviors, since there is some evidence suggesting that patients will tell computers things that they might not tell health care professionals [
There were substantial barriers due to the nature of the funding structure, in addition to the challenges typically encountered in conducting direct-to-patient medical research. Public-private partnerships like this IMI project are becoming more prevalent as desirable funding mechanisms for research on the safety of medications and medical devices used in everyday clinical practice, for example, IMI Get Real [
The text of the proposed data protection regulation, which was endorsed by the European Parliament at its first reading in March 2014, if adopted into law, will do little to improve the situation [
Data protection legislation is intended to allow freedom of movement of data, while protecting people from the theoretical harm of disclosure of personal data. This theoretical harm of disclosure of data that could be linked to an individual needs to be balanced against the potential for actual harm that could result from failure to identify safety signals in a timely fashion. Further, issues of data protection which require joint controller status to be shared among multiple parties may discourage participation, and might even drive health research away from regions of most interest to areas with potentially weaker protection of patient privacy and medication use that is quite different [
European Commission
European Data Protection Supervisor
European Union
Innovative Medicines Initiative
Pharmacoepidemiological Research on Outcomes of Therapeutics by a European ConsorTium
United Kingdom
The research leading to these results was conducted as part of the PROTECT consortium [
None declared.