Groundbreaking approach to patient privacy protection fuels expansion of medical device business line

Groundbreaking approach to patient privacy protection fuels expansion of medical device business line

Novel uses of synthetic data help to bring life-saving treatments to more vascular disease patients

After more than a year of discussions with a data protection authority to approve two post-marketing medical device studies and to determine how best to respect patient privacy, W. L. Gore & Associates Inc called upon Privacy Analytics for help. How could the trial sponsor demonstrate sufficient anonymization on data that did not yet exist? Privacy Analytics met the statistical challenge through a sophisticated use of synthetic patients and data, completing an analysis that resulted in swift regulatory approval allowing the studies to proceed.

The Challenge

Protecting the privacy of patients in future data generation

W. L. Gore & Associates Inc (Gore), a global materials sciences company, was launching two retrospective studies on marketed peripheral vascular devices. The first study was in support of an application to expand the device’s approved range of medical uses. The second was a post-market follow-up registry, mandated by the European Medical Device Regulation (MDR). In both cases, the trial participants had already received the devices being studied, and data on each participant would be collected for a total of five years after the procedure.

Having satisfied authorities across eight European countries that it had sufficient procedures in place to protect the data during the course of the studies (in compliance with the General Data Protection Regulation, or the GDPR), the sponsor had begun to enroll participants who had received the types of devices being studied.

The Italian Privacy Code, however, presented a snag when it came to using data from deceased patients for research purposes. As part of the study, Gore was collecting real-world data about patients who had received the devices in question and some of these patients were already deceased. To include deceased patients, the data privacy team at Gore needed an informed consent waiver from the Italian Data Protection Authority (the Garante). The company also needed to demonstrate to the Garante that the data could be anonymized after the 15-year data retention period to protect patient privacy.1

"Our customers have added assurance that we comply with privacy regulations and take the necessary steps to protect sensitive clinical trial data in the most responsible way."

Giulia Rigodanza,

Medical EMEA Data Privacy Lead and Italian Data Protection Officer at W. L. Gore

Without the waiver, the trials could not proceed, and protracted exchanges with the Garante had stalled progress for well over a year. Gore turned to Privacy Analytics to find a solution to the impasse, so that more patients could ultimately benefit from the potentially life-saving treatment afforded by the devices.

Privacy Analytics is typically given existing data when assessing the possibility of identifying patients and recommending anonymization approaches. Gore’s situation was unusual because it involved demonstrating in advance how future data would be anonymized. Much of the data for the studies still needed to be generated because participants were still being enrolled and, even for enrolled participants, the studies needed five years of data to meet protocol objectives. This posed a statistical challenge for Privacy Analytics to show how the data would be anonymized.

The Solution

Cutting-edge use of synthetic data

To show how the privacy of study participants could be protected through anonymization, Privacy Analytics examined the data collected thus far on enrolled participants and modeled what might be expected in the future. This entailed:

  • Demographic Analysis: Develop a demographic profile for currently enrolled participants and use this, along with regional census data, to predict the demographics of future participants.
  • Synthetic Data Creation: Generate synthetic subjects matching the identified demographic profiles for better data modeling.
  • Health Event Modeling: Estimate future serious adverse events (SAEs) and mortality for both real and synthetic participants based on existing participant data and published medical rates, ensuring consistency with available studies.

In the second phase of the project, Privacy Analytics assessed the likelihood that participants could be identified in the database, which now consisted of a mixture of actual and projected data on enrolled participants and projected data on synthetic participants.

Privacy Analytics and Gore staff were in frequent communication as the project evolved. “The W. L. Gore team was very engaged throughout the process,” said Michael Shelton, Privacy Analytics’ Senior Technical Lead and Advisor within Clinical Trial Transparency Solutions. “They wanted to understand our methodology and were intellectually curious throughout.”

Privacy Analytics produced a report of findings along with suggestions for any data transformations that would be necessary to ensure the data remains anonymized according to regulatory requirements. Giulia Rigodanza, Medical EMEA Data Privacy Lead and Italian Data Protection Officer at W. L. Gore, was optimistic that the solution would satisfy regulators. “It conformed to best practices, and our outside legal counsel blessed it, so we were confident that we would, at last, be able to resume the studies,” she said.

The Results

Swift regulatory approval and resumption of clinical trials

Gore’s study team presented Privacy Analytics’ anonymization solution to the Garante for each of the studies in succession. Approval from the authority came swiftly and painlessly within a matter of months, without the need for any additional information to support the regulatory approval.

Information from both retrospective studies will be used to evaluate safety and performance of the devices, so resuming the trials will lead to more positive results for patients requiring treatment for life threatening conditions. And by resuming the mandated study, the company is ensuring that the other product line complies with its post-marketing surveillance requirements.

The work has had other benefits internally and externally for Gore. “Our customers,” said Rigodanza, “have added assurance that we comply with privacy regulations and take the necessary steps to protect sensitive clinical trial data in the most responsible way. And there’s increased awareness throughout our company on the importance of turning to experts for help with anonymization. Certainly, throughout the company, this is a well-known success story. Should we have a similar need in the future, we will entrust this type of work to Privacy Analytics again.”


1Article 110 of the Italian Privacy Code has since been modified through recent legislation. Sponsors no longer must confer with the Garante in advance of processing personal data for scientific research purposes. Instead, they are now required to publish their Data Protection Impact Assessment (DPIA) on their website and make it available to the Garante.

Archiving / Destroying

Are you unleashing the full value of data you retain?

Your Challenges

Do you need help...

OUR SOLUTION

Value Retention

Client Success

Client: Comcast

Situation: California’s Consumer Privacy Act inspired Comcast to evolve the way in which they protect the privacy of customers who consent to share personal information with them.

Evaluating

Are you achieving intended outcomes from data?

Your Challenge

Do you need help...

OUR SOLUTION

Unbiased Results

Client Success

Client: Integrate.ai

Situation: Integrate.ai’s AI-powered tech helps clients improve their online experience by sharing signals about website visitor intent. They wanted to ensure privacy remained fully protected within the machine learning / AI context that produces these signals.

Accessing

Do the right people have the right data?

Your Challenges

Do you need help...

OUR SOLUTION

Usable and Reusable Data

Client Success

Client: Novartis

Situation: Novartis’ digital transformation in drug R&D drives their need to maximize value from vast stores of clinical study data for critical internal research enabled by their data42 platform.

 

Maintaining

Are you empowering people to safely leverage trusted data?

Your Challenges

Do you need help...

OUR SOLUTION

Security / compliance efficiency

CLIENT SUCCESS

Client: ASCO’s CancerLinQ

Situation: CancerLinQ™, a subsidiary of American Society of Clinical Oncology, is a rapid learning healthcare system that helps oncologists aggregate and analyze data on cancer patients to improve care. To achieve this goal, they must de-identify patient data provided by subscribing practices across the U.S.

 

Acquiring / Collecting

Are you acquiring the right data? Do you have appropriate consent?

Your Challenge

Do you need help...

OUR SOLUTIONS

Consent / Contracting strategy

Client Success

Client: IQVIA

Situation: Needed to ensure the primary market research process was fully compliant with internal policies and regulations such as GDPR. 

 

Planning

Are You Effectively Planning for Success?

Your Challenges

Do you need help...

OUR SOLUTION

Build privacy in by design

Client Success

Client: Nuance

Situation: Needed to enable AI-driven product innovation with a defensible governance program for the safe and responsible use
of voice-to-text data under Shrems II.

 

Join the next 5 Safes Data Privacy webinar

This course runs on the 2nd Wednesday of every month, at 11 a.m. ET (45 mins). Click the button to register and select the date that works best for you.