The Association of the British Pharmaceutical Industry (ABPI), Health and Care Research Wales (HCRW), Health and Social Care Northern Ireland (HSC NI), the Health Research Authority (HRA, England) and NHS Research Scotland (NRS) have adopted March 2020 versions of the commercial model Clinical Trial Agreement (mCTA) and the Clinical Research Organisation model Clinical Trial Agreement (CRO-mCTA), which were first published in 2003 and 2007, respectively. These template model agreements were designed to streamline the approval process of commercial studies and they were therefore intended to be used without modification by sponsors performing clinical trials in NHS/HSC patients in hospitals throughout the UK Health Services.
Despite their intention, requests for changes to the mCTAs had been notably increasing over the past few years, primarily due to the outdated data protection provisions in the templates which did not fully take into account the application of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA).
The revised mCTAs replace the 2018 versions and introduce GDPR and DPA compliant clauses for the processing and sharing of personal data between institutions, sponsors, and Clinical Research Organisations (CROs).
The adoption of this more robust documentation is particularly welcome in the current climate and an important step forward to address the need to streamline clinical trials relating to COVID-19. This need is also reflected in the fast-track approval process for COVID-19 studies, which is down to only 24-72 hours from around 80 days. As with the 2018 templates, the HRA expects that the new mCTA and CRO-mCTA will be used without modification.
What remains the same?
The mCTA is entered into by the sponsor and the institution (i.e., Participant Organisation), while the CRO-mCTA is to be used when, in addition to these two parties, the sponsor contracts with a CRO which is responsible for aspects of trial management at site. The roles ascribed to the parties continue to reflect the position of the HRA and the business community, which considers the sponsor as controller of personal data and the Participant Organisation and the CRO as processors acting on behalf of the sponsor for the purpose of the clinical trial (Clauses 6.2.1 mCTA and CRO-mCTA).
What has changed?
The mCTA and CRO-mCTA have been generally updated to reflect the new data protection legislation (GDPR and DPA), by including provisions on sharing coded data, security, and data breaches.
In particular, Clause 6 (Data Protection) in both the mCTA and the CRO-mCTA has been substantially redrafted to align with the GDPR and the DPA, with some welcome changes including:
- New Clause 6.2 incorporating an Article 28 GDPR-compliant data processing agreement between the sponsor (controller) and the Participant Organisation (processor).
- New Clause 6.3 providing for the sharing of personal data and/or pseudonymised data of clinical trial participants and giving the Participant Organisation important assurances as to safeguards implemented by, and/or on behalf of, the sponsor to protect clinical trial data and/or pseudonymised data with an increased focus on security and appropriate responses to data breaches and related incidents.
- The removal of previous Clause 6.4 – pursuant to which consent was collected by the sponsor and the CRO in order to process personal data of the principal investigator, sub-investigators and all personnel – to overcome the difficulties arising from consents which were likely to be regarded as not freely given (in a GDPR sense).
Some areas for further improvement
While the above changes offer a comfortable level of protection to the contracting parties, some issues that the business community encountered with the 2018 versions of the mCTAs have not been fully addressed in the updated templates.
For example, the Standard Contractual Clauses (SCCs) have not been included in the revised mCTA and CRO-mCTA, even though they are necessary, in the absence of other measures, in the context of clinical trials, where it is relatively common that sponsors are based outside of the EEA and the UK.
Further, and in light of the UK departure from the European Union, it would have been desirable for the revised templates to include wording explicitly referring to the UK and UK law, thus providing adequate protection post-Brexit.
With respect to the data sharing under Clause 6.3, we could have expected more in-depth provisions to fully reflect the recently updated ICO Sharing Code of practice (you can read more on this in our Hogan Lovells blog post here).
Finally, while the new templates are Article 28 GDPR-compliant, the relevant processor obligations are made explicit only for the Participant Organisation, but not for the CRO, which is also a processor under the CRO-mCTA, thus leaving a question mark about how or where the controller-processor relationship with the CRO should be documented.
A positive step forward
Overall, the parties entering into the updated mCTAs and CRO-mCTAs can feel confident and protected by the new templates, which substantially improve the limited protection offered by the previous documentation.
The Guidance to the newly published templates states that it is anticipated that the mCTA and CRO-mCTA will be kept under ongoing review. We may therefore see some further desirable changes incorporated in the next version of the templates, and perhaps some novel changes in response to the challenges that the current circumstances bring to light.
Sara Marinoni, a trainee solicitor in our London office, contributed to this entry.
Authored by Lilly Taranto and Paula Garcia.