Research & Clinical Trial Participant Forms

Informed-consent capture, screening questionnaires, eligibility forms, adverse-event self-reports, withdrawal-of-consent flows — built for IRB / ethics-committee-governed research, academic studies, and sponsor-led clinical trials. Zero-knowledge encryption, Swiss hosting, aligned with the Swiss HRA, ICH GCP, the EU CTR, GDPR Art. 89, and HIPAA Common Rule expectations.

Human-subjects research lives or dies on participant trust. A subject who reads an information sheet, ticks a consent checkbox, and answers a screening questionnaire is granting access to data — often very sensitive data — under a specific, time-limited, withdrawable promise: it will be used for this study, by this team, for this purpose, with the option to walk away at any time. Yet many studies still capture that consent and that screening data through generic web forms whose vendor can read every answer before the principal investigator ever opens the file.

Schweizerform is built for that exact intake problem. Every submission — an electronic informed-consent form, a screening questionnaire, an eligibility checklist, a quality-of-life self-report, a serious-adverse-event notification, a withdrawal request — is encrypted in the participant's browser before it reaches our servers. We physically cannot read it. For Swiss academic medical centres, university research groups, sponsor-investigator IITs, and EU-regulated clinical trials, that property — combined with Swiss hosting and a posture aligned to ICH GCP, the Swiss Human Research Act, and EU Clinical Trial Regulation expectations — turns the participant-facing intake channel from a regulatory liability into a defensible technical control.

Who this page is for

Principal investigators and study coordinators at academic medical centres and university research groups; sponsor-investigators running investigator-initiated trials (IITs); CRO study teams supporting industry-sponsored studies; IRB / ethics-committee staff reviewing electronic consent and electronic data-capture instruments; clinical research nurses and data managers; and biomedical research groups, patient registries, and observational-study teams operating under the Swiss HRA, the EU CTR, ICH GCP, the GDPR (Art. 89 research derogations), and / or the HIPAA Common Rule.

Why Generic Form Tools Fail Research and Clinical-Trial Workflows

Most online form tools — Google Forms, Typeform, generic SurveyMonkey-style platforms, even some "HIPAA-compliant" form vendors — operate on a conventional SaaS model: the participant's browser sends plain-text data over HTTPS, and the provider's server stores it. That server can read everything. So can the provider's staff, their integration partners, anyone who compromises their infrastructure, and any authority that serves a lawful order on the provider.

For low-sensitivity surveys — campus dining preferences, conference feedback — that model is fine. For a study collecting an informed-consent record paired with a medical-history screening, an HIV-status disclosure, a substance-use questionnaire, a paediatric mental-health PROM, or a genomic-research registration, it creates a very specific and avoidable problem: study-quality identifiable health data sits in plain text on a third-party server, typically outside Switzerland and the EEA.

  • A consent form captures a wet-style electronic signature plus the participant's full name and date of birth; the vendor's database contains a readable identifier-to-study mapping before the PI has reviewed it
  • A screening questionnaire records prior diagnoses, current medications, and family history; every answer sits on the vendor's infrastructure and is indexed by their analytics
  • A behavioural-research instrument captures answers about substance use, sexual behaviour, mental-health symptoms, or domestic-abuse history; that content is backed up and often processed in US-hosted cloud regions
  • An adverse-event self-report describes an unblinded clinical event — a hospitalisation, a side-effect narrative — and is searchable by the vendor's support staff
  • A document-upload field accepts an ID copy, a referring-physician letter, or a prescription scan; the file is scanned by the vendor's antivirus, cached by a CDN, and stored in plain text in a US cloud region
  • A subject withdraws consent under Art. 9 of the Swiss HRA / GDPR Art. 7(3); the study deletes the record from its own systems, but the vendor's backups and analytics still hold a readable copy

Research data is categorically sensitive — and special rules apply

The Swiss Human Research Act (HRA / HFG / LRH) and its implementing ordinances treat data from human-subjects research as a regulated category requiring cantonal ethics-committee approval, written informed consent, pseudonymisation, and proportionate technical and organisational measures. The EU Clinical Trial Regulation (Regulation (EU) No 536/2014) lays down further obligations on confidentiality, data integrity, and audit trails. The GDPR's Art. 89 contains specific provisions for research processing — but those provisions presuppose that adequate safeguards (including pseudonymisation and limits on identifiability) are actually in place. A third-party form vendor that can read raw, identifiable consent and screening content is harder to defend before an ethics committee, an inspector, or a sponsor audit than one that cannot.

How Schweizerform Preserves Confidentiality Across the Study Lifecycle

Schweizerform is a zero-knowledge end-to-end encrypted form platform. The encryption happens in the participant's browser, before any data leaves their device. Only holders of the form's Access Code can decrypt submissions. We — the provider — cannot.

1. You generate a study form and an Access Code

When you create an electronic consent form, a screening questionnaire, an adverse-event report, or a withdrawal request, Schweizerform generates a key pair and an Access Code. The public key lives in the form; the Access Code is held by the study team — typically the principal investigator plus a study coordinator or data manager. Our servers never see it.

2. The participant submits from any device

When the participant fills the form, their browser encrypts every field — consent signature, identifiers, screening answers, narrative free text, uploaded documents — with strong symmetric encryption, then wraps the symmetric key to the form's public key. Our servers receive encrypted blobs they cannot decrypt.

3. Your study team decrypts in-browser

When the coordinator or the PI opens the submission, their browser fetches the encrypted blob, unwraps the symmetric key using the Access Code, and decrypts locally. Plain text never touches our servers; it lands on the team member's workstation, ready to be coded into the study database, the eCRF / EDC system, or the regulatory binder.

4. Confidentiality is enforced by architecture, not by contract

Because we never see plain-text submissions, we cannot be compelled to produce them, expose them in a breach, or process them for analytics. Data-processing agreements stay in place as a backstop, but the primary control is cryptographic — and that aligns directly with the technical-and-organisational-measures expectations of the HRA, GDPR Art. 32 / Art. 89, and ICH GCP §5.5.
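The four steps above describe a hybrid (envelope) encryption flow. The sketch below is an added example, not Schweizerform's code: it uses Node.js's crypto module as a stand-in for the browser's crypto API, and it assumes RSA-OAEP, AES-256-GCM, and an Access Code that acts as the passphrase sealing the form's private key. All function names and the sample record are constructed for illustration.

```javascript
const crypto = require("node:crypto");
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Study team, at form creation. ASSUMPTION (not from the page): the Access Code
// is a random 192-bit secret used as the passphrase that seals the private key.
function createForm() {
  const accessCode = crypto.randomBytes(24).toString("hex");
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase: accessCode },
  });
  return { accessCode, publicKey, sealedPrivateKey: privateKey };
}

// Participant side: one fresh AES-256-GCM key per submission, wrapped to the
// form's public key with RSA-OAEP. Only this object is sent to the provider.
function encryptSubmission(publicKey, fields) {
  const dataKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(fields), "utf8"), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey),
    iv, ciphertext, tag: cipher.getAuthTag(),
  };
}

// Study-team side: unseal the private key with the Access Code, unwrap the data
// key, then decrypt. GCM rejects any blob altered in storage or transit.
function decryptSubmission(sealedPrivateKey, accessCode, blob) {
  const dataKey = crypto.privateDecrypt(
    { key: sealedPrivateKey, passphrase: accessCode, ...OAEP }, blob.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", dataKey, blob.iv);
  decipher.setAuthTag(blob.tag);
  const plain = Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Returns null instead of throwing, e.g. for a wrong Access Code or a tampered blob.
function tryDecrypt(sealedPrivateKey, accessCode, blob) {
  try { return decryptSubmission(sealedPrivateKey, accessCode, blob); }
  catch { return null; }
}

// Constructed sample submission (not real participant data).
const form = createForm();
const sample = { consentVersion: "v1.2", signedName: "Test Participant", phq9Total: 7 };
const stored = encryptSubmission(form.publicKey, sample);
console.log("provider stores:", stored.ciphertext.toString("base64"));
console.log("study team reads:", tryDecrypt(form.sealedPrivateKey, form.accessCode, stored));
console.log("wrong Access Code:", tryDecrypt(form.sealedPrivateKey, "not-the-code", stored));
```

In this model, destroying every copy of the Access Code (or of the sealed private key) leaves the stored blobs undecryptable, which is the cryptographic-erasure property the page relies on for withdrawals.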

Concrete Research & Clinical-Trial Forms

Electronic informed consent (eConsent)

Informed consent is the foundational document of any human-subjects study. ICH GCP §4.8, the Swiss HRA, and the EU CTR all require it to be obtained freely, in writing, after adequate information, and with a copy provided to the subject. A Schweizerform eConsent flow renders the participant information sheet, captures the dated electronic signature, records the version of the consent template, and returns a confirmation to the participant — all encrypted end-to-end before a sponsor's intake server ever sees an identifier paired with a signature.

Screening, eligibility, and run-in questionnaires

Screening forms collect concentrated medical history: prior diagnoses, current medications, allergies, prior trial participation, family history. An encrypted form keeps that profile under the study team's control before formal enrolment, while still letting the team apply inclusion / exclusion criteria during decryption.

Patient-reported outcomes (PROs / PROMs)

Many studies depend on regular self-reports — pain scales, depression / anxiety scales (PHQ-9, GAD-7), quality-of-life instruments (EQ-5D, SF-36), symptom diaries. Recurring encrypted submissions keep longitudinal subject data out of the form vendor's plain-text storage and out of US-hosted cloud regions, while still allowing the study team to analyse the dataset after decryption inside their own environment.

Serious adverse events and safety self-reports

Subjects sometimes report safety events directly — through participant portals or via a study-supplied form — before the next site visit. A zero-knowledge form lets the study team capture an unblinded clinical narrative without exposing it to a third-party SaaS vendor's content scanners or analytics pipeline, while the team still meets ICH GCP and CTR safety-reporting obligations on its own infrastructure after decryption.

Withdrawal of consent and data-removal requests

Subjects retain the right to withdraw at any time (HRA Art. 9; GDPR Art. 7(3)). When the withdrawal request itself flows through an encrypted form, the study team can act on it and document it without the vendor retaining a readable record of who withdrew, when, and why. For data already in the encrypted store, key destruction provides a clean cryptographic-erasure pathway that complements deletion in the eCRF.

Patient registries and observational studies

Disease-specific registries and long-running observational cohorts collect identifiable health data over years. A Schweizerform intake channel ensures that the longitudinal record is encrypted at the boundary, even when the underlying registry sits in a research data warehouse — useful for cross-border registries that pool data from Swiss and EU sites.

Genetic and biobank consent

Biobank and genomic-research consent often layer multiple authorisations: storage, secondary use, future contact, return of results, withdrawal. Encrypting the consent layer keeps the granular authorisation choices and any associated identifiers out of the form vendor's read scope — particularly important for cross-border biobank cohorts and for HRA-governed Swiss biobank deposits.

Investigator-team forms: protocol deviations, source-data corrections

Internal study-team forms — protocol-deviation reports, monitoring findings, source-data corrections — also benefit from encrypted intake. They contain subject identifiers, narrative descriptions of incidents, and references to medical-record pages. Routing them through a zero-knowledge channel keeps audit-relevant detail away from a generic SaaS vendor's storage.

What Subjects, Sponsors, and Auditors See

View | Generic form provider | Schweizerform
Participant filling the form | Plain-text answers, stored on vendor cloud | Plain-text in their own browser, encrypted before submission
Form-vendor staff / support | Can read consent, screening, AE narratives | Cannot decrypt; sees encrypted blobs only
Vendor analytics / ML pipelines | Can index and process submission content | Not in the path; ciphertext only
Subpoena / data-access request to vendor | Plain-text consent forms and screening can be produced | Encrypted ciphertext only; useless without the Access Code
Vendor breach | Readable identifiable health profiles exposed | Ciphertext exposed; content remains unreadable
Subject-initiated withdrawal | Vendor must rely on contract to delete; backups may persist | Key destruction renders the prior submissions cryptographically inaccessible

Regulatory Context: HRA, ICH GCP, EU CTR, GDPR Art. 89, Common Rule, HIPAA

Swiss research on humans is governed by the Federal Act on Research Involving Human Beings (HRA / HFG / LRH, in force since 2014) and its implementing Human Research Ordinance (HRO / HFV / OClin) and Clinical Trials Ordinance (ClinO / KlinV / OClin), supervised by Swissmedic for clinical trials of medicinal products and devices, and by cantonal ethics committees (swissethics network) for ethical review. The HRA requires written informed consent, pseudonymisation, and proportionate data protection; cantonal ethics committees increasingly expect electronic-consent and electronic data-capture instruments to demonstrate confidentiality by design.

EU clinical trials of medicinal products fall under the Clinical Trial Regulation (Regulation (EU) No 536/2014), administered through CTIS, with confidentiality and data-integrity expectations layered on top of the GDPR. ICH GCP E6(R3) — the current good clinical practice baseline — sets out essential principles on data integrity, computerised systems, and audit trails (§3, §5.5). GDPR Art. 89 provides specific safeguards for processing for scientific-research purposes, but these depend on demonstrable safeguards including pseudonymisation. For US-funded or US-collaborating studies, the Common Rule (45 CFR 46) and, where covered entities are involved, HIPAA (45 CFR 164.514) apply — the latter requiring de-identification or a formal data-use agreement for limited datasets.

Encryption is one safeguard, not the entire framework

Schweizerform provides a strong technical confidentiality layer for participant intake. Your study still needs an approved protocol, IRB / ethics-committee approval, an investigator brochure, a participant information sheet, a documented data-management plan, validation of computerised systems where applicable (e.g. ICH GCP §5.5 / 21 CFR Part 11 if US FDA-regulated), an audit trail, and a defined data-retention period. The encrypted form addresses the participant-facing intake surface; your protocol, your DMP, and your quality system do the rest.

Features Relevant to Research Studies

  • Zero-knowledge end-to-end encryption on every submission — no provider read access to consent, screening, PRO, or AE content
  • Encrypted document and image uploads — referring-physician letters, prior records, ID copies, prescription scans, photographs of self-administered devices
  • Multi-language forms (EN / DE / FR / IT) out of the box — essential for Swiss multi-cantonal sites and EU multi-country trials
  • Per-form Access Codes — scope a form to a single study, a single arm, or a single site
  • Swiss hosting with nFADP-aligned data-processing posture — response payloads do not leave Switzerland
  • Audit log of decryption events (who opened a submission, when) without exposing content — useful for ICH GCP audit-trail expectations
  • Structured data export after decryption, ready to feed into the study eCRF / EDC, the registry warehouse, or a statistical environment
  • Free tier so a single sponsor-investigator can pilot an eConsent or screening form before site-wide or trial-wide rollout

Common Objections

"Our EDC vendor already provides eConsent."

Sponsor EDC platforms are well-suited to randomised, on-protocol participants who are already identified inside the trial system. They are usually poor at first-touch screening (a prospective subject before a screening number is assigned), at investigator-initiated trials run on academic budgets, and at observational or registry intake. A zero-knowledge form sits at the participant-facing entry point and complements rather than replaces the EDC.

"How does this fit with 21 CFR Part 11 and ICH GCP §5.5 expectations?"

Schweizerform provides a cryptographic confidentiality layer for intake; it is not a turnkey, validated eClinical system. For studies under FDA / Part 11 jurisdiction, sponsors typically use Schweizerform for participant-facing intake (eConsent, screening, PROs) and then transcribe verified data into a validated eCRF / EDC under their existing 21 CFR Part 11 / ICH GCP §5.5 framework, with documented procedures for data flow, audit trails, and source-data verification.

"If we lose the Access Code, we lose the submissions."

Correct, and deliberate. Recommended practice is documented key custody: a sealed Access Code held jointly by the principal investigator and a study coordinator, escrowed inside the institution's research-information-security policy, or split between the PI and the data manager with a hardware security module. The procedure avoids single-person failure while preserving the property that the vendor cannot be compelled to produce what it cannot read.

"Our IRB / ethics committee will want to know exactly what the vendor sees."

Good — that is exactly the question this architecture is designed to answer cleanly. The vendor sees encrypted blobs and high-level metadata (form ID, submission timestamp, encrypted payload size). It does not see field contents, signatures, identifiers, or document contents. This is straightforwardly documentable in the study's data-management plan and in an ethics-committee submission.

"Our participants are not technical — will they be able to use it?"

There is no participant-side install. The participant clicks a study-supplied link, reads the participant information sheet, ticks consent boxes, fills the questionnaire, and submits. The encryption happens automatically in the browser; the participant experience is the same as any web form, in their preferred language. Only the study team needs to learn anything new — typically a 30-minute walkthrough during site initiation.

Rolling Out a Schweizerform Intake Channel for a Study

1. Pick a first form with clear ROI

Common first choices: a standalone screening questionnaire for an investigator-initiated trial, an eConsent flow for an observational study, or a recurring PRO instrument for a longitudinal cohort. Replace the paper-and-courier or generic-form-tool flow with a single encrypted form link that the site team can share with prospective participants.

2. Define key custody and document it in the DMP

Decide who holds the Access Code (e.g. the principal investigator plus the study data manager). Document the custody procedure inside the data-management plan, reference it in the ethics-committee / IRB submission, and test recovery from the escrow copy before the first live participant submission.

3. Translate the participant-facing texts

For a Swiss multi-site study, this typically means DE / FR / IT / EN. The same form renders in every language and remains end-to-end encrypted across all of them — and the participant information sheet can be embedded inline, version-stamped, alongside the consent capture.

4. Update the participant journey

Update the study's recruitment material, the participant information sheet, and the screening / consent SOPs to reference the encrypted form. Replace ad-hoc paper-and-scan workflows with a single secure-form link per study activity.

5. Measure and extend

After the first cohort, compare consent-completion rates, time-from-screening-to-enrolment, query density on the eCRF, and number of consent re-takes against the legacy channel. Extend to additional study activities — PROs, AE self-reports, withdrawal — once the core flow is stable.


The Bottom Line

Human-subjects research already promises participants a very specific kind of confidentiality — bounded by the protocol, the consent form, and the ethics-committee approval. A form vendor that can read every field of an eConsent, every screening answer, and every adverse-event narrative — however slick its UI, however reasonably priced — is an outsourcing dependency that ethics committees, sponsors, and inspectors will scrutinise harder every year, especially as ICH GCP E6(R3) and the EU CTR push studies toward demonstrably controlled data flows.

Schweizerform offers a direct answer: zero-knowledge end-to-end encryption on every form, Swiss hosting, and a posture aligned with the Swiss HRA, ICH GCP, the EU CTR, and GDPR Art. 89 expectations. No paid upgrade for security. No US-cloud dependency for response data. No third-party-readable copy of a participant's consent record, screening profile, or safety self-report on a server the study team does not control.

Start with a single eConsent or screening form on the free tier. Swiss hosting, zero-knowledge encryption, and full EN / DE / FR / IT support — no credit card required.

Disclaimer: This page is general information and marketing content, not legal, regulatory, clinical, or compliance advice. References to the Swiss Human Research Act (HRA / HFG / LRH), the Human Research Ordinance (HRO / HFV / OClin), the Clinical Trials Ordinance (ClinO / KlinV / OClin), Swissmedic, swissethics, the EU Clinical Trial Regulation (Regulation (EU) No 536/2014), CTIS, ICH GCP E6(R3), the EU GDPR (Art. 32, Art. 89), the Swiss nFADP, the US Common Rule (45 CFR 46), HIPAA (45 CFR 164), and 21 CFR Part 11 are summarised at a conceptual level and are subject to jurisdictional interpretation, study-specific licensing conditions, and future regulatory change. Responsibility for protocol design, ethics-committee / IRB approval, informed-consent procedures, computerised-system validation, data-management planning, and pharmacovigilance reporting remains with the sponsor, sponsor-investigator, principal investigator, and the institution. Consult qualified Swiss or EU clinical-research counsel, a regulatory affairs specialist, and a data-protection officer before making compliance or purchasing decisions.