Work-related Breach
- Breffni Martin

- Aug 19, 2025
- 3 min read
Updated: Dec 12, 2025
20th August 2025
Initial Report
In 2024, a client was contacted with a potential data breach notification by a major French CRO that had been supporting a clinical trial. The study was a phase 2b, covering several EU member states, and had enrolled 170 patients. The notification was made after the study ended but before completion of the Clinical Study Report. The sponsor/controller was an SME based in the US, and we were acting as Data Protection Representative and providing a DPO service by contract.
This initial report was communicated to my client in accordance with the Data Protection Agreement appended to the MSA with the CRO, which stated that “potential breaches should be notified to the controller as soon as possible but at least within 48 hours of becoming aware of them.” The initial report stated that a potential data breach had occurred, that my client’s data as controller may be affected, and that we would be informed of the outcome of an internal investigation.
Investigation
After 10 days the CRO sent my client a more detailed breach notification and requested a teleconference. The breach notification described the following scenario.
A member of staff at the CRO had been sending work-related emails and files, including clinical data, to a personal Gmail address on a regular basis, often on a Friday. These transfers were picked up by a system in the CRO's corporate IT infrastructure which monitored file transfers. The system flagged transfers that seemed suspicious for various reasons, in particular size, format, time of day and other patterns. In this instance files were zipped and emails were transferred in an open format.
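The monitoring described above is a data-loss-prevention check on outbound mail. The following is an added example, not the CRO's system or code from the original post: it scores each outbound email on the signals the post names (personal webmail destination, archive attachments, transfer size, time of day and day of week, and a repeating pattern to the same recipient) and flags events that trip more than one. The webmail domain list, the size threshold, the business-hours window and all log records are constructed assumptions for illustration.

```python
"""DLP-style scoring of outbound mail events (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Assumption: consumer webmail domains treated as "personal" destinations.
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar", ".tar", ".gz")
BUSINESS_HOURS = range(8, 19)            # 08:00-18:59 local time (assumed policy)
SIZE_THRESHOLD_BYTES = 5 * 1024 * 1024   # 5 MiB (assumed policy)


@dataclass(frozen=True)
class MailEvent:
    sender: str
    recipient: str
    sent_at: datetime
    attachments: tuple   # tuple of (filename, size_in_bytes)


@dataclass
class Finding:
    event: MailEvent
    reasons: list = field(default_factory=list)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def score_event(ev: MailEvent, prior_count: int) -> list:
    """Return the reasons an event looks like a suspicious transfer.

    prior_count is how many earlier mails this sender already sent to the
    same recipient; a repeating pattern is itself a signal.
    """
    reasons = []
    if _domain(ev.recipient) in PERSONAL_WEBMAIL:
        reasons.append("recipient is personal webmail")
    total = sum(size for _, size in ev.attachments)
    if total >= SIZE_THRESHOLD_BYTES:
        reasons.append(f"large transfer ({total} bytes)")
    if any(name.lower().endswith(ARCHIVE_EXTENSIONS) for name, _ in ev.attachments):
        reasons.append("archive attachment")
    if ev.sent_at.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if ev.sent_at.weekday() == 4:        # Monday == 0, so 4 is Friday
        reasons.append("sent on a Friday")
    if prior_count >= 2:
        reasons.append(f"repeated pattern ({prior_count} earlier mails to same recipient)")
    return reasons


def flag_suspicious_transfers(events, min_reasons: int = 2) -> list:
    """Scan events in time order and flag those with at least min_reasons signals.

    Mail to the sender's own domain is treated as internal and skipped.
    """
    findings = []
    seen = Counter()
    for ev in sorted(events, key=lambda e: e.sent_at):
        if _domain(ev.recipient) == _domain(ev.sender):
            continue
        key = (ev.sender.lower(), ev.recipient.lower())
        reasons = score_event(ev, seen[key])
        seen[key] += 1
        if len(reasons) >= min_reasons:
            findings.append(Finding(ev, reasons))
    return findings


# Constructed sample log: three Friday-evening mails from a coordinator to a
# personal Gmail address carrying zipped study files, mixed with benign traffic.
_ME = "coordinator@cro.example"
SAMPLE_EVENTS = [
    MailEvent(_ME, "coordinator.home@gmail.com", datetime(2024, 3, 1, 19, 30),
              (("site_monitoring_week9.zip", 12 * 1024 * 1024),)),
    MailEvent(_ME, "sponsor.dpo@sponsor.example", datetime(2024, 3, 4, 10, 0),
              (("tc_minutes.docx", 40_000),)),
    MailEvent(_ME, "coordinator.home@gmail.com", datetime(2024, 3, 8, 18, 45),
              (("lab_results_export.zip", 3 * 1024 * 1024),)),
    MailEvent(_ME, "colleague@cro.example", datetime(2024, 3, 11, 9, 15),
              (("visit_schedule.xlsx", 80_000),)),
    MailEvent(_ME, "vendor@lab.example", datetime(2024, 3, 13, 14, 0),
              (("contract_v2.pdf", 200_000),)),
    MailEvent(_ME, "coordinator.home@gmail.com", datetime(2024, 3, 15, 20, 10),
              (("sop_bundle.zip", 6 * 1024 * 1024),)),
]


if __name__ == "__main__":
    for f in flag_suspicious_transfers(SAMPLE_EVENTS):
        print(f.event.sent_at, f.event.recipient, "->", "; ".join(f.reasons))
```

Running the block on the constructed log flags the three Gmail transfers and none of the sponsor, vendor or internal mail; the third Gmail mail also carries the "repeated pattern" reason, which is the signal that distinguishes a habit from a one-off mistake and would justify escalating to the DPO rather than just the sender's manager. In a real deployment the scoring would sit on the mail gateway or DLP platform and the thresholds would come from policy, not from constants in a script.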
The CRO carried out an initial investigation which determined that significant amounts of personal data were being transferred. This included:
• Site monitoring data
• Laboratory test results
• Contractual and other client and vendor information
Specifically, the data relating to my client included monitoring data identifying patients in relation to problems with MRI visits (some of it pseudonymised and some open), encoded laboratory test results, and contractual information including records of teleconferences and other meetings. The CRO noted that a large amount of other content, such as policies and SOPs, was also sent.
Further details emerged in the teleconference involving legal counsel, Data Protection Officers, and other senior technical, clinical and medical staff from both sides. On foot of this a further report was provided to the controller listing the specific data breached. It also emerged that the person responsible for the breach had been a data entry specialist who had recently been promoted to a role coordinating site visits, and that the person was sending the data to their Gmail address so that they could catch up on work at home. The French working week limit of 35 hours was also mentioned, as well as the fact that the person had not undergone GDPR training. This was supported by interviews and an examination of all computers and media affected. It was also noted that
Determination
The controller ultimately determined, applying the EDPB April 2023 guideline “Guidelines 9/2022 on personal data breach notification under GDPR”, that the breach had been adequately contained and remediated and that there was no risk to the rights and freedoms of the clinical data subjects. In relation to contractual/vendor information, and personal information relating to controller staff contained in emails, only controller staff located in the US were involved.
The main lessons learned from this were the importance of monitoring data transmissions from IT systems that hold controller data, and the importance of ensuring that anyone exposed to personal data, including pseudonymised data, undergoes GDPR training.