Published on 21/12/2025
Navigating Clinical Data Protection in India: IT Act, DPDP Act, and Regulatory Compliance
Introduction
As clinical trials in India increasingly adopt digital platforms, electronic data capture, and remote monitoring technologies, the protection of sensitive patient data has emerged as a critical regulatory focus. The evolution of India’s data protection framework—beginning with the Information Technology (IT) Act of 2000 and advancing significantly with the introduction of the Digital Personal Data Protection (DPDP) Act of 2023—has direct implications for all stakeholders involved in clinical research.
Sponsors, Contract Research Organizations (CROs), investigators, and Ethics Committees must now navigate overlapping legal, regulatory, and ethical requirements concerning the collection, processing, storage, transfer, and deletion of clinical trial data. This article provides a comprehensive understanding of the key Indian laws affecting clinical data protection and outlines actionable compliance strategies based on global Good Clinical Practice (GCP) standards.
Regulatory and Legal Background
Information Technology Act, 2000 – Section 43A
The IT Act of 2000, India’s primary law on electronic governance and cybersecurity, became especially relevant to clinical trials through Section 43A. This section mandates that any body corporate handling “sensitive personal data or information” (SPDI) must
SPDI Rules, 2011
The Ministry of Electronics and Information Technology (MeitY) notified the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.” These rules define SPDI to include health information such as medical history, physical, physiological, and mental health conditions, sexual orientation, biometric information, etc.—all routinely collected during clinical trials.
SPDI rules require entities to obtain explicit consent for data collection and disclosure, ensure transparency about data use, and allow individuals to review or correct their data. These obligations make SPDI rules highly applicable to GCP-governed clinical trials in India.
Digital Personal Data Protection (DPDP) Act, 2023
The DPDP Act 2023 represents a comprehensive and modern legal framework governing personal data protection in India. It applies to any entity (Data Fiduciary) processing digital personal data of individuals within India and even applies extraterritorially in some cases. For clinical research, this includes sponsors, CROs, technology vendors, and clinical trial sites.
Key highlights of the DPDP Act relevant to clinical trials include:
- Consent-Based Processing: Explicit, informed, and freely given consent is a cornerstone of lawful data processing.
- Purpose Limitation: Data can only be used for the purpose it was collected.
- Data Principals’ Rights: Subjects have the right to access, correct, and erase their data.
- Obligations on Data Fiduciaries: Mandatory data security, data breach notifications, and recordkeeping.
- Cross-Border Data Transfer: May be restricted by government notification; currently permitted unless specifically prohibited.
Core Clinical Trial Implications
1. Informed Consent and Data Processing Authorization
Indian GCP and ICMR guidelines already require robust informed consent processes that include explanation of data collection and confidentiality. With the DPDP Act, trial consent forms must now also meet the standard for data processing consent, covering specifics such as data recipients, storage location, transfer mechanisms, retention period, and rights of data principals.
Consent-form language should clearly identify the data fiduciary (sponsor or CRO), state how the data will be used, and give participants a means to withdraw consent, consistent with Section 5 of the DPDP Act.
2. Role of the Data Protection Officer (DPO)
While not mandatory for all entities, appointing a DPO is highly advisable for clinical research sponsors and CROs conducting large-scale data collection. The DPO is responsible for overseeing data governance, breach management, data access requests, and policy training—all critical in trials involving multiple stakeholders and systems.
3. Anonymization and Pseudonymization of Data
The DPDP Act excludes anonymized data from its scope but does not define anonymization rigorously. Clinical trial data must either be anonymized (non-reidentifiable) or pseudonymized (key-coded). While anonymization may not always be feasible for monitoring and pharmacovigilance, strict access controls and de-identification protocols should be documented and Ethics Committee-approved.
4. Clinical Trial Agreements (CTAs) and Data Sharing Contracts
Contracts between sponsors, CROs, and sites must now incorporate DPDP-aligned clauses, including:
- Legal basis for data sharing
- Data access levels by role (monitor, auditor, lab vendor, etc.)
- Data localization or transfer terms
- Breach notification mechanisms
5. Data Security Infrastructure
Under Section 43A and the DPDP Act, entities must implement “reasonable security practices.” Sponsors and vendors must conduct periodic security audits, use firewalls and encryption, establish role-based access control, maintain audit logs, and document business continuity plans. For trial-related systems (EDC, eTMF, RTSM), compliance with ISO/IEC 27001 is highly recommended.
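To make the key-coding approach of item 3 and the role-based access and audit-log controls of item 5 concrete, here is an added example (not code from the article or from any regulator or vendor it mentions). It pseudonymizes a constructed EDC export by replacing direct identifiers with a random subject code, keeps the code-to-identity mapping in a separate key store, and allows re-identification only for roles on an assumed, hypothetical access matrix, logging every attempt whether granted or denied. The record fields, role names and subject data are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample EDC export (fictional subjects, not real trial data).
SAMPLE_RECORDS = [
    {"name": "Asha Verma", "phone": "+91-9800000001", "site": "SITE-01", "visit": 1, "systolic_bp": 128},
    {"name": "Asha Verma", "phone": "+91-9800000001", "site": "SITE-01", "visit": 2, "systolic_bp": 124},
    {"name": "Rohan Iyer", "phone": "+91-9800000002", "site": "SITE-02", "visit": 1, "systolic_bp": 141},
]

# Fields that directly identify the participant; they must never leave the key store.
DIRECT_IDENTIFIERS = ("name", "phone")

# Roles permitted to re-identify a subject (hypothetical access matrix, an assumption of this example).
REIDENTIFY_ROLES = frozenset({"investigator", "pharmacovigilance"})


@dataclass
class KeyStore:
    """Key-coding table (subject code <-> direct identifiers), held apart from the dataset.

    Every re-identification attempt, permitted or not, is appended to audit_log.
    """
    _codes: dict = field(default_factory=dict)      # identifier tuple -> subject code
    _identity: dict = field(default_factory=dict)   # subject code -> identifier dict
    audit_log: list = field(default_factory=list)

    def code_for(self, identifiers: dict) -> str:
        """Return the existing code for this person, or mint a new random one."""
        key = tuple(identifiers[f] for f in DIRECT_IDENTIFIERS)
        if key not in self._codes:
            # A random code carries no information about the person, unlike a hash of the name.
            code = "S-" + secrets.token_hex(4).upper()
            self._codes[key] = code
            self._identity[code] = dict(identifiers)
        return self._codes[key]

    def reidentify(self, code: str, actor: str, role: str) -> dict:
        """Resolve a code back to identifiers; role-gated and always audit-logged."""
        allowed = role in REIDENTIFY_ROLES and code in self._identity
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "code": code,
            "outcome": "granted" if allowed else "denied",
        })
        if not allowed:
            raise PermissionError(f"role '{role}' may not re-identify {code}")
        return dict(self._identity[code])


def pseudonymize(records, keystore: KeyStore):
    """Return key-coded copies of records with direct identifiers replaced by a subject code."""
    coded = []
    for rec in records:
        identifiers = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_code"] = keystore.code_for(identifiers)
        coded.append(out)
    return coded


def contains_direct_identifiers(records) -> bool:
    """Release check: True if any record still carries a direct identifier field."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    ks = KeyStore()
    coded = pseudonymize(SAMPLE_RECORDS, ks)
    print("coded dataset:", coded)
    print("investigator lookup:", ks.reidentify(coded[0]["subject_code"], "dr_rao", "investigator"))
    try:
        ks.reidentify(coded[0]["subject_code"], "monitor_01", "monitor")
    except PermissionError as err:
        print("denied:", err)
    print("audit log:", ks.audit_log)
```

The coded dataset is what monitors, auditors and lab vendors would see; the key store stays at the site (or with whichever party the protocol names) and is the only path back to a person, so its audit log is the record an Ethics Committee or the Data Protection Board would expect when a re-identification is questioned.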
6. Data Breach Notification Requirements
The DPDP Act requires that any data breach compromising personal information must be reported to the Data Protection Board of India and impacted individuals “as soon as possible.” For clinical trials, this includes unauthorized access to subject data, loss of devices, or hacking of clinical trial management systems.
7. Cross-Border Data Transfers
Many sponsors, especially multinational companies, transfer trial data to global databases or use cloud services with offshore storage. Currently, the DPDP Act allows such transfers unless specific countries are blacklisted. However, stakeholders must be vigilant and document safeguards, especially when transferring health data out of India.
8. Data Retention and Archiving
Per Indian GCP and NDCTR 2019, clinical trial records must be retained for at least 5 years from trial completion or marketing authorization (whichever is later). The DPDP Act does not override this but emphasizes that data should not be retained longer than necessary. A reconciled approach—based on GCP plus privacy law—is recommended.
Best Practices for Sponsors and CROs
- Update informed consent forms with DPDP-compliant language.
- Train all site and vendor staff on data protection protocols.
- Conduct data protection impact assessments (DPIAs) for high-risk trials.
- Appoint a DPO or data governance officer with trial oversight.
- Establish SOPs for breach response and data access request handling.
- Document anonymization or pseudonymization methods in protocols.
- Review CTAs and data sharing agreements for legal adequacy.
Scientific and Regulatory Evidence
- ICH E6(R2) GCP: Emphasizes confidentiality and secure handling of participant information.
- WHO GCP Guidelines: Require data protection as a fundamental ethical requirement.
- ICMR Ethical Guidelines (2017): Include participant privacy safeguards and digital consent standards.
- ISO/IEC 27001: Internationally recognized standard for information security management systems, widely used as the benchmark for data security compliance.
- MeitY Guidelines: Define reasonable security practices under Section 43A.
Special Considerations
1. Mobile App-Based Data Collection
Digital health trials involving mobile apps must ensure app privacy policies, encryption, and authentication methods align with DPDP expectations. If using third-party apps, contractual data flow mapping is essential.
2. Pediatric and Vulnerable Populations
For children, data processing requires guardian consent under both GCP and DPDP. Trials involving HIV, mental illness, or genetic testing must follow heightened sensitivity protocols and obtain Ethics Committee pre-approval for data handling measures.
3. Public Sector vs Private Sector Trials
DPDP applies to both public hospitals and private CROs. Public sector trials must follow both institutional data protection norms and the broader DPDP obligations. Awareness campaigns for institutional review boards (IRBs) are encouraged.
When Sponsors Should Seek Regulatory Advice
- When conducting multinational trials requiring data export from India.
- When planning digital or app-based data capture requiring participant geolocation or biometric data.
- For trials with minors or mentally incapacitated subjects.
- If a serious breach occurs or a complaint is received from a data principal.
- When drafting new CTAs, vendor agreements, or site contracts involving third-party data processors.
FAQs
1. Does the DPDP Act apply to clinical trial data?
Yes. The DPDP Act applies to all personal digital data, including health data collected in clinical trials.
2. Are there specific data protection rules for clinical trials under CDSCO?
While CDSCO does not have stand-alone privacy guidelines, it requires compliance with GCP, informed consent processes, and applicable national laws such as the IT Act and DPDP Act.
3. Can clinical data be transferred outside India?
Yes, unless specifically restricted. However, sponsors must ensure that adequate safeguards are in place and that participants are informed in the consent form.
4. How is consent for data use different from trial consent?
Trial consent covers participation risks and procedures. Data processing consent—now mandated under DPDP—covers who processes the data, for what purpose, and how it’s protected.
5. Who is responsible for data protection compliance in a trial?
Primary responsibility lies with the sponsor and any appointed CROs. Sites and investigators also bear responsibility as data handlers.
6. What happens if a data breach occurs?
The breach must be reported to the Data Protection Board of India and affected individuals. Records of remediation must be maintained.
7. How long can clinical trial data be stored?
As per NDCTR 2019 and GCP, minimum 5 years. However, DPDP advises data should not be stored longer than necessary for the defined purpose.
Conclusion
India’s data protection landscape is evolving rapidly, and clinical trial stakeholders must align their operations with both regulatory and ethical expectations. By harmonizing Good Clinical Practice (GCP) with the provisions of the IT Act and the DPDP Act, sponsors and CROs can safeguard patient confidentiality, ensure trial compliance, and avoid significant legal and reputational risks. Proactive planning, staff training, and robust documentation are essential to stay ahead of India’s maturing data protection enforcement regime.
