Transparently Risky: EMA Policy 0070 Forces Publicized Clinical Study Reports
"Life sciences companies in the EU and US are being asked to open up their clinical study reports for public access as standard, but it’s making the industry decidedly nervous," says Cathal Gallagher at d-Wise.
The pressure for life sciences organisations to be more open about their clinical trial results has become a political hot potato, as became clear at a data transparency workshop (Sharing experiences of implementation of EMA POL-0070) held by the European Federation of Statisticians in the Pharmaceutical Industry in September.
The EMA’s Policy 0070, which has just come into play, and parallel moves in the US where new policy is due to take effect in January 2017, have set an expectation – that companies must now make detailed clinical trial findings available to the public.
It is crunch time for the pharmaceutical industry, not least because of the need to rebalance risk.
There is no going back: transparency must now be the default rather than an afterthought. And there are plenty of good reasons for the industry to accommodate the new requirements. Although the EMA has been working towards transparency for some time, the reality of accessing requested documents has been far from ideal – often taking other researchers several months to secure even basic information about previous trials.
But openness terrifies research & development businesses, due to the risk of compromising patient confidentiality – something which carries heavy penalties on top of the blow to public trust. So it comes as no surprise that the industry is baulking at the development.
No place to hide
Regional authorities, on both sides of the Atlantic now, require that public-facing versions of clinical study reports (CSRs) will now be made available as standard when products are submitted for marketing authorisation.
Life sciences companies have little choice in the matter, even though the requirements are ‘recommended’ rather than mandatory. The EMA has said it will publish a progress report each year from now on, highlighting where pharma organisations have got to, and listing companies that are not yet compliant. So there is no hiding now.
This makes life difficult for pharma organisations which are far from comfortable with the requirements - fearing that they could render patient data vulnerable to discovery, whether by accident or malicious intent from a company or individual that enjoys exposing large businesses.
Companies must now walk a fine line between showing the rest of the world they want to cooperate, while reassuring patients (not to mention shareholders) that they have robust processes to safeguard the privacy of participants in clinical trials.
The authorities have done their best to set down some parameters, but they have not yet succeeded in reassuring the pharma industry. Under previous EMA requirements (Policy 0043), requested clinical study reports could be supplied as redacted files (with patient references blacked out). Now however, companies are encouraged to manipulate parts of the documents - deliberately changing any information that could lead to a clinical trial subject being identified. This includes not just direct references such as a subject’s ID number, but also information about their medical history, location, date of birth or death (quasi-identifiers).
Although these heightened measures offer additional protection, they are not watertight. A major area of concern is how to protect the identity of patients with rare conditions – given that if there is only a finite number of people in the world who are affected by a particular illness, it will be quite easy to establish who they are once a few basic characteristics are known about a clinical study. Radu Popescu from the EMA has indicated that “as long as it’s clear you have tried your best,” a company’s efforts will be accepted, which is less than helpful.
Quite apart from the risk of paying out huge fines in the event of a data breach, no pharma company wants the reputational damage associated with compromising patient confidentiality. Not surprisingly, there has already been a backlash as companies (including PTC Therapeutics, in relation to a treatment for Duchenne’s muscular dystrophy) have challenged the EMA’s demands via the courts.
The interchangeable use of the terms ‘de-identification’ and ‘anonymisation’ isn’t helping. De-identification – preferable to preserve the value or utility of clinical study results – involves using some form of ‘key’. This keeps track of how identifiers have been changed, so that subjects could be re-identified if required for further clinical purposes. Anonymisation, on the other hand, would mean removing any chance at all of a patient being identifiable from clinical study notes.
Although the EMA would like to be able to insist on 100% anonymization to avoid any chance of a breach of confidentiality, it has not gone down this road. Rather, it has arrived at a numerical value for what it considers to be a tolerable level of risk: a 0.09% chance of re-identification. This is somewhat obscure, especially as no parameters have been specified to determine what the population needs to be.
Meanwhile some countries have stricter laws on patient privacy than others, which could result in companies leaving those countries (such as France) out of the public versions of their clinical study reports, because of the increased risk. This in turn could compromise the validity of graphs, or averages being cited.
Many pharma companies understandably feel caught between a rock and a hard place. Even now, as the first marketing authorisation submissions with de-identified CSRs are published, the majority of organisations are hanging back, waiting to see how this pans out - and how trailblazers such as GlaxoSmithKline and Sanofi manage the process.
The early signs are that this is a process best handled internally, using software that can take original CSR content and produce a compliant, disguised study report in parallel – either by highlighting affected text so it can be changed, or by automating the scan-and-replace according to the rules or key the company has devised.
In all of this pharma companies, large and small, need to weigh up what is going to hurt them more: risk of data breach vs that of seeming to evade public scrutiny; risk of devaluing clinical findings vs that of exposing patient identity; risk of being first to comply and potentially making wrong choices vs risk that of falling behind and being shamed for non-compliance. Where there’s a will, there’s likely to be a way to mitigate all of those risks – as long as you take the right advice, and keep control.