© 2024 IQVIA - All Rights Reserved
Supporting GDPR 'right to erasure' requests of volunteer data
- 1 Introduction
- 2 Scope
- 3 Summary
- 4 Role Action
- 5 Action Menu Item
- 6 Warning and Confirmation
- 7 Updated Attributes
- 8 Accessing ‘privacy removed’ volunteers
- 9 Audits
- 10 Recruitment Impact
- 11 Study Conduct Impact
- 11.1 Cohort Assignments
- 11.2 Volunteer Integration Forms
- 11.3 Over-Volunteering
- 11.4 eConsent
- 12 Labels
- 13 Dashboards and Reports
- 14 Volunteer Monitoring Data
- 15 Limitations
Introduction
Under the General Data Protection Regulation (GDPR) articles 17 and 19, volunteers with contact details in ClinSpark have the right to request that their personal data be deleted. Historically these requests have been handled through support tickets raised via service desk, where an engineering team member would need to get involved.
Starting in ClinSpark version 22.3, a feature available on Volunteer records allows customers to address these requests without relying on IQVIA support engineers. This article explains how the feature works, some implications for use, and outcomes of the action.
Scope
This is applicable to customers using ClinSpark version 22.3 or greater. This change is attributed in the Release Notes to development ticket CLINSPARK-3199.
Customers on prior versions should reach out via service desk to discuss GDPR related requests for removal of volunteer data.
Summary
The ‘Privacy Remove’ action allows a qualified user to permanently alter the current volunteer database record and prevent access to volunteer attributes through the user interface.
The action impacts volunteer attributes and future access to that volunteer record; data is not removed from audit tables in the database. The action does not impact study data that may have already been imported from the volunteer record.
When initiated, ClinSpark will provide a warning message to users and confirm intent, as the action is not reversible. Once confirmed, ClinSpark modifies the volunteer date of birth, name, and sex to obfuscate prior values. Additionally, it archives the volunteer and prevents access to areas showing basic demographic details, health, correspondence, notes, files, recruitment, study participation history, and audits.
These changes will be immediate and visible anywhere that volunteer record is referenced. For example, if referencing demographics for a study participant in the Study > Subjects component, the volunteer details will present with updated messaging instead of date of birth, sex, and initials.
Details about the impact this action has on current study participants are explained later in this article.
Given that the action is non-reversible, it could have significant impact on operational workflows and potentially patient safety if used improperly. To help mitigate these risks, a specific role action enabling use and warning dialogues have been implemented to ensure the actions are taken appropriately.
If customers expect further alterations or actions be taken against volunteer records in the database as a response to ‘right to erasure’ requests, a service desk ticket must be opened to engage with the support team to clarify what changes are necessary and expected outcomes.
Role Action
Users must have the ‘Volunteers Manage Privacy Remove’ role action assigned to an active role on their account in order to access the functionality.
A brief description of this role action can also be viewed within the ‘Role Action Overview’ modal.
Action Menu Item
With role action coverage, qualified users will be able to access the ‘Privacy Remove’ action menu item for a given volunteer record.
Warning and Confirmation
When initiated, ClinSpark will first provide a warning message and confirm intent. The warning message will inform users that the action is not reversible.
Once a user confirms they want to proceed with the action, they will be presented with the Electronic Signature modal.
Users must complete the electronic signature workflow and provide a reason for change to successfully complete the ‘privacy remove’ action.
This completes the action and brings users back to the volunteer record with an updated message alerting to the change.
Updated Attributes
The action will update several volunteer attributes.
Volunteer name will be replaced with a message stating ‘removed for privacy reasons’. This messaging will be visible throughout all areas of ClinSpark that reference the volunteer name.
Volunteer photo is removed.
Volunteer date of birth value will be changed to the date of the removal.
Volunteer sex will be set to female.
All contact, health basic, reproduction, race, ethnicity, nationality, language, contact source, and employment statuses will be removed.
All volunteers that have gone through ‘Privacy Remove’ action will be placed into an Archived state. They can be located in advanced searches, but otherwise are subject to the same logic as archived volunteers across the application.
Accessing ‘privacy removed’ volunteers
Volunteers that have gone through the Privacy Removed workflow no longer show up in standard Volunteer search workflows, as they’re treated like archived volunteers.
Users can still perform a basic search on the immutable volunteer ID and view the record in results listings.
Within a given volunteer, users will no longer have a UI path to access basic details, health data, correspondence, notes, files, current/past study participation (including recruitment identification, appointments, cohort assignments, study forms, and lab data), or audits. These navigational areas and features are no longer accessible on the volunteer profile.
Audits
There is no action menu item for users to access audit history for privacy removed volunteers. Audits can only be accessed (if necessary) through the immutable ID of the volunteer and a specific URL path.
For example, if a privacy removed volunteer ID was 1, this would be the URL path to audits:
customer.clinspark.com/secure/volunteers/manage/audits/1
Within audit views, users can review the comment captured on the Electronic Signature modal stored as the Reason for Change. This is visible in the audit history with a type of ‘Privacy Remove’.
Recruitment Impact
Privacy Removed volunteers are subject to the same logic as archived volunteers. Their visibility in search queries is suppressed, unless using specific advanced search logic. Additionally, they cannot be added to new calendar appointments or cohort assignments.
However, they will still exist in workflows where the volunteer may have been previously identified for recruitment in a study, present on a calendar appointment, or added to an existing cohort assignment. In these instances, their visibility in those areas of ClinSpark will indicate that the volunteer has gone through privacy removal. Prior contact details will be removed, so they cannot participate in future correspondence.
Study Conduct Impact
Throughout the context of a study there will be reference links between the subject record and volunteer record. Given that, it’s helpful to understand the impact of privacy remove actions depending on how a subject may be progressing through a study.
Cohort Assignments
Privacy removed volunteers cannot be added to new cohort assignments or activated on existing cohort assignments. A warning message will inform users of the privacy removed state.
If privacy remove occurs after cohort activation, most study data collection activities can still take place against that subject record. A privacy removed volunteer present on a cohort assignment can also still complete an assignment swap or synchronization with a versioned activity plan.
Volunteer Integration Forms
Studies commonly rely on Volunteer Integration forms with the purpose of pulling in data from volunteer records to study forms. The most common are demographics, concomitant medications, and substance use.
If a privacy removal occurs, any existing study forms that previously pulled details from the volunteer record will remain as-is. However, use of these forms after a removal has occurred may not yield expected results.
Demographic forms will no longer pull in valid demographic data from the volunteer record, as DOB and other values are obfuscated.
Concomitant Medications and Substance Use forms may still attempt to reference historical data from the volunteer record on import. However, it is not guaranteed that imported values will be accurate, given that there is no area within privacy removed volunteer records to manage Substance Use, Medications, and Medical Conditions.
Over-Volunteering
Privacy removed volunteers can no longer participate in over-volunteer workflows in the Subject component that rely on the VCT integration. This is because the VCT workflow requires a check against demographic details to verify the volunteer, which will no longer be available.
eConsent
Using eConsent features, users can review and approve inbound requests across studies that would come by way of Medidata. However, without demographic data, automatic matches to existing volunteers/subjects will no longer occur. Additionally, users cannot generate or rely on unique 2D barcodes for automatic matching against volunteers that are privacy removed.
Users will still be able to manually match volunteers to eConsent requests, despite the lack of automatic matching.
Labels
Item and Subject labels that rely on the reference of volunteer data (via merge tags) will properly display obfuscated values on printed labels. Volunteer data is correctly transferred to new printed labels to show *** or ‘removed’ messaging accordingly.
Dashboards and Reports
Dashboard components that reference volunteer data will consider privacy removed volunteers the same as ‘archived’ volunteers. Similarly, existing reporting logic that accounts for archived volunteers will treat ‘privacy removed’ volunteers the same way. Reports that reference obfuscated or removed volunteer data will consider that in outputs that contain those values.
Customers that encounter issues with privacy removed volunteers and dashboard/reporting outputs should reach out via service desk.
Volunteer Monitoring Data
For environments configured to support volunteer monitoring device workflows, monitoring sources can still be accessed on privacy removed volunteers for support purposes. This can be done using the immutable ID of the volunteer and a specific URL path.
For example, if a privacy removed volunteer ID was 1, this would be the URL path to monitoring devices:
customer.clinspark.com/secure/volunteers/monitoring/manage/list/1
Limitations
Historical Study Information
Once a participant is ‘Privacy Removed’ users do not have the ability to review historical study participation data - such as recruitment and study/lab data - via the volunteer record. Specifically, this means the Studies tab on a given volunteer profile, and subsequently the Recruitment, Appointments, Cohort Assignments, Study Data and Lab Data areas are no longer accessible. These may be important functions to certain users depending on various needs.
Access to Privacy Removed Data via a Read Replica Database
After the privacy removal process has been performed, previously existing audit records associated with the underlying volunteer record are not affected, nor are any free text fields (e.g. communications).
This information is not accessible through the user interface, but it's available in the database if a customer chooses to access audits via custom queries in the Read Replica.
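As an added illustration (not ClinSpark code, and not part of the original article), the sketch below checks a record against the outcomes listed under Updated Attributes and lists the prior values that audit rows still hold, which is the situation this limitation describes. All field names, the audit row layout, and the sample data are hypothetical and constructed for the example; ClinSpark's real schema is not shown on this page.

```python
from datetime import date

# Hypothetical field names; the real ClinSpark schema is not shown on this page.
REMOVED_GROUPS = ("contact", "health_basic", "reproduction", "race", "ethnicity",
                  "nationality", "language", "contact_source", "employment_status")
NAME_PLACEHOLDER = "removed for privacy reasons"


def postcondition_failures(record, removal_date):
    """Return the documented 'Privacy Remove' outcomes this record does not meet."""
    expected = {"photo": None, "date_of_birth": removal_date,
                "sex": "female", "archived": True}
    failures = [k for k, v in expected.items() if record.get(k) != v]
    if NAME_PLACEHOLDER not in str(record.get("name", "")).lower():
        failures.append("name")
    # Every attribute group the article says is removed must now be empty.
    failures += [g for g in REMOVED_GROUPS if record.get(g)]
    return failures


def residual_audit_values(audit_rows, volunteer_id):
    """List (field, old_value) pairs that audit rows still hold for a volunteer."""
    found = []
    for row in audit_rows:
        if row["volunteer_id"] != volunteer_id or row["type"] == "Privacy Remove":
            continue
        if row.get("old_value"):
            found.append((row["field"], row["old_value"]))
    return found


# Constructed sample data, not taken from any real system.
REMOVAL_DATE = date(2024, 5, 2)
RECORD = {"id": 1, "name": "Removed for privacy reasons", "photo": None,
          "date_of_birth": REMOVAL_DATE, "sex": "female", "archived": True,
          "contact": [], "language": None, "race": ["constructed-leftover"]}
AUDIT_ROWS = [
    {"volunteer_id": 1, "type": "Update", "field": "name", "old_value": "Jane Example"},
    {"volunteer_id": 1, "type": "Update", "field": "email", "old_value": "jane@example.test"},
    {"volunteer_id": 1, "type": "Privacy Remove", "field": None, "old_value": None},
    {"volunteer_id": 2, "type": "Update", "field": "name", "old_value": "Other Person"},
]

if __name__ == "__main__":
    print("unmet outcomes:", postcondition_failures(RECORD, REMOVAL_DATE))
    print("still in audit rows:", residual_audit_values(AUDIT_ROWS, 1))
```

The second function's output is the inventory a data protection reviewer would need when deciding whether a service desk ticket for further alterations is required.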
Browser Caching
Due to browser caching behavior, after the Privacy Remove action has been successfully completed, the volunteer picture may still be visible in certain places to the user who performed the remove action until the browser cache is cleared. The browser cache will typically clear automatically after a short period of time, or it can be forcibly cleared by the user to address the issue immediately.
This issue may be observed by clicking on the picture icon to display the volunteer picture:
The picture will disappear after a browser cache refresh or if using a different browser.
Exported and Printed Copies Are Uncontrolled