Checklist for clinical research projects
Some things to keep in mind when conducting clinical research
Research principal
The research principal (huvudman) is defined in section 2 of the Ethics Review Act as "a state authority or a natural or legal person in whose premises the research is carried out".
In research projects where certain parts of the research are performed on patients in healthcare, the care provider is the research principal for that part of the research project. The care provider is thus responsible for ensuring that the rules of the Ethical Review Act are followed in research, while being responsible at the same time for the patients’ care.
Other research principals are responsible for the elements of the research project that are carried out under their auspices. According to the provision in section 2, it is clarified that the research principal's responsibility according to the Ethical Review Act applies to its own activities (Bill 2018/19: 165, p. 40 f.5).
In research projects where research is carried out both at KI and e.g. caregivers, the different parties are responsible for the part of the project that is carried out by each party. It is therefore important that all parties are stated as the research principals in the application to the Swedish Ethics Review Authority and that it is clearly stated which parts of the research are to be carried out by each party.
When several research principals participate in one and the same research project, they must jointly instruct one of them to apply for an ethics review on behalf of all. The party who receives this assignment must then inform the others of the Ethics Review Authority's decision.
Each research principal is still responsible for the part of the research that is conducted in their own premises. However, the ethics review covers the entire project and all participating research principals .
The fact that the application is made by a research principal presupposes that they receive an assignment from each of the other research principals to apply for an ethics review.
In order to not risk conducting research in violation of the Ethics Review Act, it is important that the de facto research principal is stated in the ethics application. An incorrect statement of who the research principal is can have legal consequences both for the individual researcher and for the research principal.
In the event of a possible change of at who is responsible for the application, it is important to add those who no longer have the task of applying as a participating research principal if that organisation is to continue to participate in the research.
Who is the research principal governs, among other things:
- which agreements are to be drawn up and on what terms,
- who is responsible for registration and reporting of the clinical trial,
- the sorting of personal data responsibility,
- conditions for forwarding biobank samples to other partners.
Below are examples of situations where KI must be stated as research principal (alone or with other research principals) because KI is responsible for:
- drawing up collaboration agreements for research projects conducted in collaboration with other universities or actors,
- registration and reporting of clinical study,
- processing of sensitive personal data,
- transfer of biobank samples and personal data to other partners,
- the research documentation.
KI, together with Region Stockholm, has drafted a joint document called “Guidance – appointing a responsible research principal for the ethical application for research where Karolinska institutet collaborates with health care providers in Region Stockholm”. The aim of the document is to provide guidance and basis for discussion when appointing the “responsible” research principal.
Collaboration Agreement
When two or more parties collaborate, a Clinical Trial Agreement or a Research Collaboration Agreement where the parties roles and responsibilities are described needs to be signes.
Anchoring the project at the clinic
Projects that affect patients at the clinic must before the start be anchored at the clinic activities where they are to be carried out.
It is important to contact the relevant healthcare authorities at an early stage to discuss the project and their role and responsibilities.
Ethical application
The Ethics Review Act requires approval from the Ethics Review Authority for research conducted in Sweden on research that:
- involves a physical intervention on a research person (living or deceased person),
- is performed with a method that aims to affect a person physically or mentally or involves an obvious risk of harming the study participant physically or mentally,
- is performed on biological material from a living or deceased person and can be traced to that person, or
- includes the processing of sensitive personal data or of data on certain offenses.
The ethical application is sent to the ethics review authority via Ethix.
It is important to list all principals participating in the study (responsible research principal and other research principals).
Consent from the study participants
Research may as a rule only be carried out if the study participant has consented to the research that concerns him or her.
The consent must have been given before the person can be included in the research.
In addition, the consent only applies if the participant has received information before the start of the research.
According to section 16 of the Ethics Review Act, study participants must be informed about:
- the overall plan for the research,
- the purpose of the research,
- the methods that will be used,
- the consequences and risks that the research may entail,
- who is the principal investigator,
- their voluntary participation in the research, and
- their right to suspend their participation at any time.
The responsibility for personal data
The personal data controller is the organisation that alone or together with others determines the purposes and means for the processing of personal data.
The personal data processor is the organisation that processes personal data on behalf of the personal data controller.
Registration of personal data processing is reported to the respective principal of the research . At KI, registration takes place through registeranmalan.ki.se
If two or more data controllers together decide the purpose and means of a certain processing, they are jointly responsible for personal data.
In determining whether an organization is to be considered a personal data controller or personal data processor, an assessment must be made on the basis of the actual circumstances.
When personal data is transferred from one organization to another, such as from a care provider to KI, the relationship between the organisation transferring the data and the organisation receiving the data can be defined in three different ways:
1. Transfer between two independent data controllers
This situation arises if one organization processes the personal data for its own purposes until the transfer to another organization which, after receipt, processes the data on the basis of its own independent purposes.
This relationship between the parties may exist, for example, when a research project conducted at KI requests access to information that is already being processed for another purpose by a care provider.
Disclosure to KI is preceded by a formal decision.
If data disclosed to KI will be processed / stored by a third party, a personal data processing agreement must be drawn up with KI as the data controller and the third party as the data processor.
2. Joint data controller
Joint personal data liability arises when two or more organisation jointly determine the purposes and means of the processing, for example for processing in research projects where both KI and care providers are covered by the ethics review.
When there is a joint personal data responsibility, the parties shall determine among themselves who is responsible for fulfilling the various obligations in an agreement on joint personal data responsibility.
3. Personal data controller and personal data processor
If a party only processes personal data on behalf of someone else and does not have any purpose of its own with the processing, it is the personal data processor. Here, one of the parties is solely responsible for personal data and has sole control over the purpose and means of the processing. The personal data processor only processes data on the instructions of the personal data controller and has no decision-making power or significant influence over the processing of personal data.
For a processor situation, a personal data processing agreement (PUBA) must be drawn up. A PUBA presupposes that there is also a formalized assignment through an assignment agreement or other main agreement between the parties. Both parties must review the agreement before signature
- If SLSO is the research principal, requests for templates and questions can be addressed to gdpr.slso@regionstockholm.se.
- If KI is the research principal, requests for templates and questions can be addressed to is sent to avtal@ki.se.
Researchers at KI who wish to use UU (UPPMAX) for analyses can use the PUBA template provided by UPPMAX. Before signing the agreement, the researcher must contact dataskyddsombud@ki.se in order for the data protection officer to approve that the agreement is signed. The Data Protection Officer checks that KI is responsible for personal data for the relevant personal data, alternatively if KI is a personal data assistant that KI may use UU services and that there is an ethical approval from EPM to share the data with cooperating higher education institutions.
When transferring personal data between KI and another organization, an agreement may be needed.
Biobank samples
An application for the establishment of a new biobank is needed if new biological samples will be used in the study
Biobank samples can be handed out from SMB or KI biobank and for this an application is required from SMB / KI biobank and a biobank agreement.
For advice and more information, please visit https://biobanksverige.se/
If biobank samples will be forwarded outside KI for e.g. analyses, MTA is also required.
Application for imaging technology
If position emission tomography (PET) will be used in the study, an application for a permit must be sent to the Swedish Radiation Safety Authority.
Application for drug study
In the case of drug testing study, the application needs to be made to the Medical Products Agency.
Patient insurance
In studies with patients, it is important to ensure that there is the right protection for the study participants, and at KI this is ensured with the help of a few different insurances.
Depending on the type of study, it may be one or more of the insurances that are needed.
The insurances cover research that takes place in Sweden. All insurance is paid for with central funds.
For more information, please see insurance for research subjects.
Documentation and archiving
The part of the research carried out by / at KI must be documented in KI ELN (eg study protocol, SOPs, meeting minutes, decisions, other agreements, analyses, results) and archived at KI.
Data management plans are required by some financiers and recommended by KI.
If the hospital / region is the responsible principal, you must comply with the documentation / archiving requirements set by the hospital / region.
Registration and reporting of results
If the study meets the criteria for a clinical trial, registration in CTIS is required.
If the study meets the criteria for a clinical study, registration in the ClinicalTrials.gov or similar approved clinical registry is required.
For more information, please see Clinical trial registration and reporting at KI.
For questions please contact compliance@ki.se