Robert Morris and Koko are Violators of International Standards

The Declaration of Helsinki is the bedrock of international principles in human research, and the foundation of governmental practices, including the ICH E6 Good Clinical Practice. The core principle is respect for the individual (Article 8), their right to self-determination and the right to make informed decisions (Articles 20, 21 and 22) regarding participation in research, both initially and during the course of the research. These are the principles Dr Robert Morris violated when his firm, Koko, used artificial intelligence to engage in medical research on uninformed participants. The man, and his company, deserve the full force of international censure, including disbarment by the NHS and all other international bodies with even a shred of oversight on health practices.

I’m infuriated by this. AI is already an ethically ambiguous area full of concerns, and for this callous individual and his company to waltz in and break a fundamental principle of human research is unconscionable.

Another reason why we need serious regulatory oversight of AI. We won’t see this from the US, so hopefully the EU gets its act together and pushes forward. GDPR may not be perfect, but we are in a better place with something rather than nothing, and as the actions of callous companies like Koko show, we are in desperate need of protection when it comes to the ‘promises’ of AI.

Also, shame on Stony Brook’s Institutional Review Board. While this was not a case of IRB shopping, they sure did their best to avoid grappling with the issues behind the study.

I am pretty sure this AI counts as software as a medical device, in which case a whole lot of regulations were broken.

“Move fast and break things” is a horrible mantra, especially when health and well-being are involved. Robert Morris, like Elizabeth Holmes, is an example of why we need a strong oversight regime when it comes to scientific research, and why technology on its own is never the solution.

European Guideline on Data Integrity in GCP Studies

The EMA has published “Guideline on computerised systems and electronic data in clinical trials.”

Anyone familiar with Annex 11 of Eudralex Annex 4 won’t be surprised by the content, but frankly I expect a lot of folks whose experience is primarily on the clinical side will be scratching their heads. The fact that the authors felt the need to have an entire paragraph dedicated to unique user names is telling.

This is a great resource for sponsors who need to figure out just what to evaluate at investigators sites, a requirement this guideline repeats multiple times.

I’ll be very curious how effective sponsors are in ensuring this requirement is met: “The investigator should receive an introduction on how to navigate the audit trail of their own data in order to be able to review changes.”
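To make the audit-trail expectation concrete, here is an added example (not code from the guideline or from any particular EDC product) of what an investigator-reviewable, tamper-evident change log for eCRF data needs to carry: a unique user name, timestamp, subject, field, old and new value and reason, with each entry hash-chained to the previous one. The entries in build_sample_trail are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64

class AuditTrail:
    """Append-only change log for eCRF data. Each entry records who (unique user
    name), when, which subject/field, old and new value, and why; entries are
    hash-chained so a later edit or deletion of an entry is detectable."""

    def __init__(self):
        self.entries = []

    def record(self, user, when, subject, field, old, new, reason):
        entry = {"seq": len(self.entries) + 1, "user": user, "when": when,
                 "subject": subject, "field": field, "old": old, "new": new,
                 "reason": reason,
                 "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        # Hash everything except the hash field itself, with a canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return the seq of the first entry whose chain is broken, or None if intact."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        return None

    def changes_for(self, subjects):
        """The view an investigator reviewing their own data needs: every change to
        their subjects, in order, including changes made by sponsor or data management staff."""
        return [e for e in self.entries if e["subject"] in subjects]

def build_sample_trail():
    """Constructed sample: three changes to one subject at site S01, one by a data manager."""
    t = AuditTrail()
    t.record("jsmith", "2022-03-01T09:15:00Z", "S01-003", "weight_kg", None, 82.0, "initial entry")
    t.record("jsmith", "2022-03-02T14:02:00Z", "S01-003", "weight_kg", 82.0, 81.0, "transcription error")
    t.record("dm_lee", "2022-03-05T10:30:00Z", "S01-003", "weight_kg", 81.0, 81.5, "query resolution")
    return t
```

In a real system the chain head would be stored outside the database the entries live in, otherwise whoever can rewrite the table can rewrite the chain.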

EMA Publishes 2021 GCP Compliance Report

The EMA has published the Annual Report of the Good Clinical Practice (GCP) Inspectors Working Group (IWG) 2021.

Beyond wishing for an 11-month cycle of writing and approval on my annual reports, there is some valuable information there.

In 2021, three CHMP GCP inspections were conducted entirely remotely, and three inspections were conducted in a hybrid setting. A total of 286 deficiencies, comprising 24 critical, 152 major and 110 minor findings were recorded for the 27 CHMP requested inspections conducted in 2021. This represents an average of 10-11 findings per site inspected. The three top categories were: “General”, “Trial Management” and “Computer System”. An increase in findings related to computer systems (e.g. Audit Trail and Authorized Access, Computer Validation, Physical Security System and Backup) is noted compared to the last reports.

More information is available at EMA’s Good Clinical Practice Inspectors Working Group website.

Under organisation and personnel we see “Delegation of tasks to inappropriate team members.” This reinforces the need for strong CVs and job descriptions, linked to both hiring and personnel qualification.

The computer systems observations are the greatest hits of data integrity, and should be a wake-up call to any company that treats GCP and GMP computer systems differently.

Let the 2022 annual GCP training development begin. And make sure you get that training done on time!

Requirements on Privacy in Clinical Trials

I’ve been thinking a lot recently about privacy in regard to clinical trials. As one does, I started by gathering some requirements together. Here is what I have:

| Brief Standard Identifier | Description of Industry Standard | Regulation/Guidance/Source |
|---|---|---|
| Subject Identification in Data Systems | The business has SOPs to ensure that data collection instruments and databases utilize an unambiguous subject identification code that allows identification and linkage of all the data reported for each subject. Data tools and systems do not contain personally identifiable information, except the unique subject identification code to link data across the study. | GCDMP – Data Privacy; ICH 5.5.5 |
| Patient Diaries Review | The business has and utilizes SOPs to ensure that the Investigator site personnel review paper-based patient diaries prior to sending the diaries to Data Management to confirm that no personal identification information is present. | MHRA 8.2.7 |
| Confidentiality of Subject Records | The business utilizes formal procedures and practices to ensure that the confidentiality of records that could identify subjects is protected in accordance with the applicable regulatory requirement(s). | ICH 2.11 |
| Informed Consent Prior to Data Collection | The business has a process to establish expectations with the site and confirm that informed consent is obtained from every subject prior to clinical trial participation and prior to processing clinical data. The process should provide direction for withdrawal and revocation of consents. | ICH 2.9, 4.8.8, 6.5.3; 21 CFR 50 |
| Privacy and Personal Data Protection Policy | The business has a Privacy and Personal Data Protection Policy and a Chief Privacy Officer/Data Protection Officer to ensure compliance with EU GDPR and other country, local, and Independent Ethics Committee-required privacy and data protection practices. | US HIPAA; EU 1995 Data Protection Directive 1995/45/EC; EU GDPR 2016/679; Japan 2016 Act on the Protection of Personal Information; US Privacy Act |
| Privacy and Personal Data Protection Documented Practices | The business has documented procedures, standards, documentation requirements, and responsibilities for defining and ensuring confidentiality, protection, and security of personal data (including but not limited to employee, client, investigator, and patient data) and applying Privacy by Design requirements into procedures that include: definitions of personally-identifying information; descriptions of personal information collected; the purposes for which it is collected; the lawful basis (in the EU) for its collection/use; the types of persons to whom it will be released; the countries to which it may be transferred; privacy and security safeguards; the rights of individuals with respect to their personal information; compliance monitoring. | US HIPAA; EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679; Japan’s Law Concerning the Protection of Personal Information – 2005; Japan Act on the Protection of Personal Information – 2016 |
| | The business has documented procedures, standards, documentation requirements, and responsibilities for conducting Privacy Impact Assessments, including when they are implemented, or documentation regarding why they are not applicable. | EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679 |
| Personal Data Processing, De-identification and Pseudonymization | The business has documented procedures, standards, documentation requirements, and responsibilities for enhancing privacy and protecting personal data, both at the time of determining the means for processing data and at the time of actual processing, by adherence to the data minimization principle (i.e., ensuring that only data needed for a clinical trial are collected from clinical trial subjects’ records), encryption at rest and during transit, de-identification and pseudonymization. Where pseudonymization is deployed, the business has appropriate technical (e.g., encryption, hashing, or tokenization) and organizational (e.g., agreements, policies, privacy by design) measures in place to separate pseudonymous data from identification keys. | EU GDPR 2016/679 |
| Personal Data Capture and Data Flow Procedures | The business has written procedures for documenting the data flow for the organization/for individual projects. The data flow comprises what personal data the organization holds, where it came from, and with whom they share it. | EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679 |
| Individual Privacy Notice or Consent | Ensuring that individuals are informed of all required privacy provisions in Privacy Notice or Consent, including: their right to confirm if and how their data are processed, including the right to object to (or limit use of) processing and the right of erasure; plans for data retention; the right to receive a copy of their personal data and to have them transmitted to other organizations; and the complaint process. | US HIPAA; EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679 |
| Support for Personal Data Subject Requests | Receiving, processing, and responding to Personal Data Subject Requests submitted by Data Subjects per their rights under GDPR, and/or assisting the Client to fulfill Client’s obligation to do so: right of access; right to rectification; restriction of processing; erasure (“right to be forgotten”); data portability; objection to the processing, or the right not to be subject to automated individual decision making. | EU GDPR 2016/679; Directive 1995/45/EC |
| Privacy and Personal Data Breach Procedures | Detecting, reporting, and investigating personal data breaches, and communicating confirmed data breaches to impacted parties within timelines dictated by applicable regulations (72 hours for regulatory authority reporting) and agreements. Sponsor will be notified of any data breach in association with sponsor projects, including breaches at subcontracted vendors, according to pre-defined timing. | EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679 |
| Privacy and Personal Data Protection Training | The business trains all individuals who have access to personal data on the policy and practices that ensure confidentiality, protection, and security of personal data. | EU Data Protection Directive 1995/45/EC; EU GDPR 2016/679 |
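The subject identification, diary review and pseudonymization rows above describe one pipeline: strip direct identifiers, keep a single linkable subject code, hold the re-identification keys somewhere else, and check nothing leaked. The following is an added illustration of that pipeline (my own example, not code from any of the cited standards); the records, key and site/subject codes are constructed, and the keyed-hash pseudonym is one of the hashing/tokenization options the GDPR row lists, chosen here for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample: records as they might arrive from a site before de-identification.
# Names, dates and addresses are made up; the first and third rows are the same subject.
RAW_RECORDS = [
    {"name": "Jane Doe", "dob": "1981-04-12", "email": "jane@example.org",
     "site": "S01", "visit": "V1", "hba1c": 7.2, "diary": "Felt fine all week."},
    {"name": "John Roe", "dob": "1975-09-30", "email": "john@example.org",
     "site": "S01", "visit": "V1", "hba1c": 6.8, "diary": "Mild headache on day 3."},
    {"name": "Jane Doe", "dob": "1981-04-12", "email": "jane@example.org",
     "site": "S01", "visit": "V2", "hba1c": 6.9, "diary": "Ok. Reach me at jane@example.org"},
]
DIRECT_IDENTIFIERS = ("name", "dob", "email")
# Patterns a diary/free-text review should flag before data leave the site.
FREE_TEXT_PII = {"email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
                 "phone": re.compile(r"\b\d{3}[-. ]\d{4}\b")}

def subject_code(record, key):
    """Deterministic pseudonym: an HMAC over the direct identifiers, so repeat visits
    link to one subject code, but nobody without the key can recompute or reverse it."""
    canon = "|".join(record[f].strip().lower() for f in DIRECT_IDENTIFIERS)
    digest = hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()
    return f"{record['site']}-{digest[:8].upper()}"

def pseudonymise(records, key):
    """Split records into the study dataset (subject code + study data only) and the
    identification key store, which must be held in a separate, access-controlled system."""
    dataset, key_store = [], {}
    for rec in records:
        code = subject_code(rec, key)
        key_store[code] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        dataset.append({"subject": code,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return dataset, key_store

def pii_findings(dataset):
    """Release check: no identifier column survived, and free text carries no contact details."""
    findings = []
    for row in dataset:
        for field, value in row.items():
            if field in DIRECT_IDENTIFIERS:
                findings.append((row["subject"], field, "identifier column"))
            elif isinstance(value, str):
                findings.extend((row["subject"], field, label)
                                for label, pat in FREE_TEXT_PII.items() if pat.search(value))
    return findings
```

The third diary entry is the case the MHRA diary-review row is about: the structured identifiers were removed correctly, but the subject typed their own e-mail address into free text, and only the release check catches it.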

Remote Inspections and Computer Systems

The US FDA recently changed the Investigations Operations Manual to allow Investigators direct access to a company’s databases during a BIMO inspection (See Section

As the conduct of clinical and non-clinical trials increasingly moves toward 100% electronic data capture, to include electronic case report forms, medical records, patient-reported outcomes, informed consent systems and other electronic study records, it has become necessary for bioresearch monitoring investigators to have access to these electronic systems and databases in order to successfully perform inspections. Overseeing the firm’s personnel while they access their system is not always practical in BIMO inspections, as this can result in the firm having to dedicate an individual to this task.

FDA Investigations Operations Manual section

Obviously, if you haven’t already, you should be updating your GCP Inspections SOP, especially since the manual has a few interesting requirements, such as: “While you may complete a form needed by the firm in order to obtain read-only access, such as an account request form, you will not sign such form as per section You may acknowledge via email that you have completed any required training necessary for access.”

I think for many in the GCP world this is something of a sleeper change. We have been used to giving access to EMA inspectors for years; they often know more about your TMF than you do by the time they walk in the door.

The really interesting thing is how this signals a shift in attitude at the agency that has been a long time coming, and how it fits into the recent increase in remote inspections.

Remote inspections are here to stay, setting aside the FDA’s current view that a remote event is not an inspection. One of the big things that stands out about remote inspections is that they do not work well for finding data integrity issues, as we’ve seen from a decrease in observations that is not proportionate to the overall volume of inspections. I think what we are seeing here is a recognition of that, and the first shift in mindset at the agency.

I’d expect to see the FDA change its approach on the GMP side as it continues to absorb the lessons learned from remote inspections. It is a trend I would be paying attention to as you continue your digital journey. It is always important to ask “how will an inspector view this data?” Usually we think in terms of printouts. You should also be thinking about read-only access in the near future.