Using PETs to Responsibly Share Clinical Trial Data
Janssen’s Head of Clinical Data Standards & Transparency, Stephen Bamford, recently published the compelling article “Applications of privacy-enhancing technology to data sharing at a global pharmaceutical company” in the Journal of Data Protection and Privacy. This article discusses the pharmaceutical company's commitment to clinical trial data transparency and sharing, and the ways in which privacy-enhancing technologies (PETs) are employed to help fulfill that commitment.
Data synthesis is the most recent PET adopted by Janssen, but it has quickly become their go-to tool to facilitate secondary research using clinical trial data. Bamford notes that “the use of synthetic data for research purposes is preferred whenever possible.”
Janssen is involved in several leading-edge data sharing initiatives such as Yale University’s YODA Project, Project Data Sphere and DataCelerate, making clinical trial data available for secondary research and innovation. Initiatives such as these are changing the way in which clinical research is conducted to the benefit of not only the pharmaceutical industry, but researchers, patients, and the public as well. But broader sharing of clinical trial data has the potential to put patients at risk if it is not carried out in a responsible manner that respects the privacy of data subjects and takes into account the consent provided by clinical trial participants. This is where PETs come in.
PETs such as the three main tools used by Janssen for its data-sharing initiatives — data synthesis, pseudonymisation, and anonymisation — can mitigate privacy risks while allowing for broader access to data. Data synthesis, pseudonymisation, and anonymisation are practically proven technologies that are being applied across many different industries to safeguard patient and consumer privacy. Of course, these PETs go hand-in-hand with other privacy, security and contractual controls that may be required, depending on the context, to ensure that individual privacy is secured and regulatory compliance is maintained.
A guiding principle leading the implementation and use of PETs at Janssen is data minimization . Data minimization is a requirement of many global privacy regulations, such as the General Data Protection Regulation (GDPR) in European countries  and the Health Insurance Portability and Accountability Act (HIPAA) in the United States . The principle indicates that personal information being collected and/or processed should be “limited to what is necessary in relation to the purposes for which they are processed” . PETs are key tools in operationalizing this principle. For example, data synthesis can produce datasets that do not contain personal information (low identification risk). The data synthesis process replicates the patterns and distributions of real data sets while creating a fully synthetic dataset that has no 1:1 mapping with actual individuals. The use of PETs like data synthesis helps organizations ensure that the least amount of personal information, or no personal information in some cases, is being utilized for a given purpose.
Also, due to the fact that fully synthetic data is not considered to be personal information, organizations benefit from needing fewer controls in the processing and sharing of this data. As a result, fully synthetic data may be used for internal purposes such as software testing and research in lower level environments with fewer security controls than would be required for personal information. And when fully synthetic data is shared externally with independent researchers, fewer conditions need to be attached and monitored/enforced.
For more information on how PETs can be used by organizations to facilitate data sharing, see the July 2020 Special issue of the Journal of Data Protection and Privacy co-edited by Editor-in-Chief, Ardi Kolah, and guest editor and Replica Analytics’ co-founder, Khaled El Emam. This issue includes Stephen Bamford’s article discussed here as well as other insightful contributions from leading privacy and technology practitioners in UK, France, Belgium, US, Canada, and Hong Kong.
 European Parliament and the Council of the European Union, REGULATION (EU) NO 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF APRIL 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)., vol. NO 2016/679. 2016.