In our previous article, we looked at the specific roles under the General Data Protection Regulation (GDPR) when conducting a clinical trial. And the responsibilities and obligations of the different parties in a clinical trial. But whatever role you may have under the GDPR, each party should be able to assess and protect personal data. In this article, we will explain how to assess personal data within the rules of the GDPR and how you can protect it.

Assessing personal data

The GDPR has defined personal data as ‘any information relating to an identified or identifiable natural person [1]. This means that information such as the name, address and telephone number of the data subject is regarded as personal data, but also information such as an IP address. The definition of personal data also extends to clinical trials, as during a clinical trial you have access to a database containing information such as the site, diagnosis of the clinical participants, and the results from the clinical trial. This is considered personal data as it is easy to identify a person based on this information. Thus, the definition of personal data is very broad as it can apply to both direct and indirect identification of an individual.

Regular & special categories of personal data

The personal data that is collected can be divided into two categories. The first category contains regular personal data, and the second category contains special categories of personal data. Regular personal data are, for example, name, address and age. Special categories of personal data are more sensitive in nature as they include, but are not limited to, racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a data subject and health data. [2]

The GDPR has given genetic data, biometric data and health data specific definitions, which all include personal data. Genetic data has been defined as ‘the inherited or acquired genetic characteristics of a natural person and which result, in particular, from an analysis of a biological sample from the natural person in question [3]. Biometric data has been defined as ‘specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data [4]. And health data has been defined as ‘the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status [5].

The processing of special categories of personal data is in principle prohibited. This prohibition on the processing does not apply if the data subject has given explicit consent that his or her personal data may be processed.

It is clear that during a clinical trial, both regular and special categories of personal data are collected and processed. The data that is collected and processed ranges from the clinical participant’s name and address to the samples collected during physical examinations. Therefore, a combination of health data, genetic data and regular data is collected from the clinical participant and processed.

How to protect data

One of the most important obligations and responsibilities within a clinical trial setting is that all parties involved in a clinical trial must ensure that personal data is adequately protected.

This is especially relevant with regard to special categories of personal data. It can be said that this category requires a higher level of protection, as the effect of mismanagement of special categories of data can be much larger than that of regular data. If special categories of personal data is mismanaged or misused, it can have a ripple effect ranging from the clinical participant’s health insurance being revoked or monthly premium increasing drastically. Or it can have an impact on the clinical participant’s career. Therefore, all parties must ensure that all personal data is adequately protected.

Pseudonymization

The most common way to achieve this is through pseudonymization. Pseudonymization is the modification of personal data so that the data subject cannot be directly identified without further information, which is stored separately. Pseudonymization comes in various forms, which can be implemented by the different parties within a clinical trial environment. Pseudonymization can occur in the form of:

• encryption with a secret key;
• hash and salted-hash function;
• keyed-hash function with a stored key;
• deterministic encryption or keyed-hash function with deletion of the key;
• tokenization.

It is also important to note that the GDPR still applies to personal data that is pseudonymized, as it is still possible to identify a person with that data.

Anonymization

Anonymization is also mentioned as a way to ensure that personal data is sufficiently protected. However, this is not correct. Anonymization prevents re-identification and allows a much wider use of the information. In principle, anonymization boils down to the deletion of the personal data. If you want to re-identify the personal data after anonymization, different datasets must be combined to try to re-identify the data. It is also very important to note that the GDPR does not apply to personal data that has been anonymized.

A clinical trial involves different parties, each having certain obligations and responsibilities that must be fulfilled. You must not only determine per role and per party what kind of data you will process, but you must also adequately protect that data. That is perhaps even more important in a clinical trial than anywhere else, because you work with medical data from people, which is sensitive in nature. Therefore, careful thought should be given to assessing and protecting personal data. We strongly recommend performing an analysis with each clinical trial to determine each parties’ obligations and responsibilities and how the personal data can be sufficiently protected.

Also read our white paper for a complete overview of the responsibilities and obligations of the different parties in a clinical study.

[1] Article 4(1) General Data Protection Regulation, EU 2016/679
[2] Article 4(13) General Data Protection Regulation, EU 2016/679
[3] Article 4(14) General Data Protection Regulation, EU 2016/679
[4] Article 4(15) General Data Protection Regulation, EU 2016/679
[5] Article 29 Data Protection Working Party Opinion 05/2014 on Anonymization Techniques