Clinical Trials are vital to the research and development cycle in life sciences organisations, and the data gathered allows for innovative advances. However, the processing and storage of personal data (information which relates to an identified or identifiable natural person) poses a number of risks, including data breaches, unauthorised access, and misuse. Here in Part 2 of our anonymisation blog series, we dive deeper into the steps that clinical trial stakeholders can take to reduce these risks by using pseudonymisation, and what questions they should be asking.
As discussed in Part 1, anonymisation is a useful technique to apply to clinical trial data, despite not always being an easy or available solution. Issues can arise with respect to certain limitations, as well as the handling of anomalies and jurisdictional differences affecting its application.
We previously outlined the various objective risk assessments that should be applied to anonymisation processes, including k-anonymity (a technique used to release person-specific data such that the ability to link to other information using the quasi-identifier is limited, achieved through suppression of identifiers and output perturbation) and motivated intruder tests (in which a person who starts without any prior knowledge attempts to identify an individual from whose personal data the anonymous information is derived). These can help to quantify the effectiveness of anonymisation, but there are also additional factors to consider.
Collaboration between CROs, sponsors, and partners is crucial. But what other steps can stakeholders take to mitigate any data security risks?
What is pseudonymisation? This is a data protection technique whereby identifiable information is replaced, removed, or transformed into a pseudonym or code. Unlike anonymisation, where personal data is rendered irreversibly unidentifiable, pseudonymisation preserves the ability to re-identify individuals through a key code. The key must be kept separate and secure, and only authorised personnel should have access to it, which reduces the processing risks.
For example, the pseudonymised data may show a patient numbered 123, who falls within the age bracket 25-30 years. Only the keyholder would be able to connect the data sources to identify patient 123 as Mr John Smith with a birth date of 1st January 1995.
It is important to note that pseudonymisation is a control technique, but it does not escape any of the GDPR regulations. Pseudonymised data is still classed as personal data.
Sponsor companies typically contract a CRO as a data processor (a third party processing personal data on behalf of a data controller), and frequently assign them the role of key holder. As convention has developed, however, we have seen a shift towards the site retaining the key, rather than the CRO. This keeps the ability to re-identify the data at a greater “arm’s length”.
It is unusual for a sponsor to hold the key, and any such request must be questioned and carefully assessed. There needs to be a practical or legal requirement, as the ability to re-identify the data at will (with the controller holding both the pseudonymised information and key) potentially renders the advantages of pseudonymisation null and void.
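The following is an added worked example, not code from the original post or from The DPO Centre, illustrating the separation the post describes: direct identifiers are swapped for a random subject code, the mapping from code back to identity lives in a separate key store held by the key holder (the site, in the post's preferred arrangement), and any party that receives only the pseudonymised records has no way to reverse the code. The sample records, field names and the `secrets.token_hex` code format are assumptions for illustration.

```python
import secrets
from typing import Callable, Dict, List, Tuple

# Fields treated as direct identifiers (assumed set for this example).
DIRECT_IDENTIFIERS = ("name", "nhs_number")

# Constructed sample trial records (hypothetical data, not from the post).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "John Smith", "nhs_number": "000-000-0001",
     "dob": "1995-01-01", "diagnosis": "asthma"},
    {"name": "Jane Doe", "nhs_number": "000-000-0002",
     "dob": "1988-06-15", "diagnosis": "asthma"},
]


def pseudonymise(records: List[Dict[str, str]],
                 code_gen: Callable[[int], str] = secrets.token_hex
                 ) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Replace direct identifiers with a random subject code.

    Returns (pseudonymised_records, key_map). The key_map is the only link
    back to identity and is meant to be stored separately from the dataset,
    under the control of the key holder only.
    """
    pseudo: List[Dict[str, str]] = []
    key_map: Dict[str, Dict[str, str]] = {}
    for rec in records:
        code = code_gen(8)
        while code in key_map:          # guarantee the code is unique
            code = code_gen(8)
        # Key store keeps only the identifying fields, indexed by code.
        key_map[code] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        # Dataset keeps the research fields plus the code. Note that dob is
        # still a quasi-identifier; the post's data minimisation point
        # addresses how much of it should be shared at all.
        pseudo.append({"subject_id": code,
                       **{k: v for k, v in rec.items()
                          if k not in DIRECT_IDENTIFIERS}})
    return pseudo, key_map


def can_reidentify(subject_id: str, key_map: Dict[str, Dict[str, str]]) -> bool:
    """True only for a party holding a key store that contains this code."""
    return subject_id in key_map


def reidentify(subject_id: str, key_map: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Key-holder operation: look the code up in the separate key store.
    Raises KeyError for anyone who does not hold the matching key_map."""
    return key_map[subject_id]


def has_direct_identifiers(records: List[Dict[str, str]]) -> bool:
    """Check a dataset before sharing it: no direct identifier field may remain."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    data, keys = pseudonymise(SAMPLE_RECORDS)
    print("shared dataset:", data)
    print("key holder can re-identify:", can_reidentify(data[0]["subject_id"], keys))
    print("recipient without key can re-identify:",
          can_reidentify(data[0]["subject_id"], {}))
```

The point the post makes about the sponsor corresponds to the last line: a party that receives both `data` and `keys` can run `reidentify` at will, and the benefit of pseudonymisation is lost for that party.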
When implementing a pseudonymised data process, it is essential to have robust technical and organisational measures (TOMs) in place to ensure its efficacy. These security procedures need to include, at the very least:
Third parties are often an essential factor in setting up a clinical trial, but working with them also creates vulnerabilities. Even with clear TOMs in place, organisations need to be aware of their liabilities and regulatory threats.
Assess what needs to be collected
The GDPR’s data minimisation principle (the third GDPR principle, requiring organisations to only collect the personal data that is truly necessary to fulfil each purpose for data processing) requires organisations to only process personal data that is “adequate, relevant, and limited to what is necessary”.
When working with partners, there is often pressure to overshare data, yet a third party may not actually require a full dataset for their purposes. A common example is to consider whether it is appropriate to collect and share a recipient’s full DOB (DD-MM-YYYY), or whether a YOB (YYYY) or even an age bracket (e.g. 50-60) would suffice for the purposes of the research.
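As an added example (not code from the original post or from The DPO Centre), the following shows why the choice between a full DOB, a year of birth and an age bracket matters. It generalises the date of birth to each of the three levels the post mentions and then measures k-anonymity, from Part 1's risk assessments, over the quasi-identifiers date of birth and sex: the smallest group of subjects sharing the same quasi-identifier values. The sample records, the reference date used to compute ages and the 5-year bracket width (chosen to match the post's "25-30" example) are assumptions.

```python
from collections import Counter
from datetime import date
from typing import Dict, List

# Constructed, already pseudonymised sample (hypothetical data, not from the post).
SAMPLE: List[Dict[str, str]] = [
    {"subject_id": "s1", "dob": "1995-01-01", "sex": "M", "diagnosis": "asthma"},
    {"subject_id": "s2", "dob": "1995-07-19", "sex": "M", "diagnosis": "asthma"},
    {"subject_id": "s3", "dob": "1968-03-02", "sex": "F", "diagnosis": "copd"},
    {"subject_id": "s4", "dob": "1966-11-30", "sex": "F", "diagnosis": "copd"},
]

# Date on which ages are calculated (assumed for the example).
REFERENCE_DATE = date(2024, 1, 1)


def age_on(dob: str, ref: date = REFERENCE_DATE) -> int:
    """Whole years between an ISO date of birth and the reference date."""
    y, m, d = map(int, dob.split("-"))
    born = date(y, m, d)
    return ref.year - born.year - ((ref.month, ref.day) < (born.month, born.day))


def minimise_dob(dob: str, level: str, ref: date = REFERENCE_DATE,
                 width: int = 5) -> str:
    """Generalise a date of birth to one of the levels named in the post:
    'full' (DD-MM-YYYY kept as the ISO date), 'yob' (YYYY) or 'bracket'
    (an age range such as 25-30)."""
    if level == "full":
        return dob
    if level == "yob":
        return dob[:4]
    if level == "bracket":
        age = age_on(dob, ref)
        low = age - age % width
        return f"{low}-{low + width}"
    raise ValueError(f"unknown minimisation level: {level}")


def minimise_dataset(records: List[Dict[str, str]], level: str,
                     **kwargs) -> List[Dict[str, str]]:
    """Return a copy of the dataset with the dob field generalised."""
    return [{**rec, "dob": minimise_dob(rec["dob"], level, **kwargs)}
            for rec in records]


def k_anonymity(records: List[Dict[str, str]], quasi_ids: List[str]) -> int:
    """Size of the smallest group of records sharing the same quasi-identifier
    values; k = 1 means at least one subject is unique on those fields."""
    groups = Counter(tuple(rec[q] for q in quasi_ids) for rec in records)
    return min(groups.values())


if __name__ == "__main__":
    for level in ("full", "yob", "bracket"):
        shared = minimise_dataset(SAMPLE, level)
        print(level, "-> k =", k_anonymity(shared, ["dob", "sex"]))
```

On the constructed sample, sharing the full date or only the year of birth leaves every older subject unique on date of birth and sex (k = 1), while the age bracket is enough to give k = 2. The research question decides which level is "necessary"; this check quantifies what each level costs in re-identification risk.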
Pseudonymised data without a key equals anonymisation
A single dataset may be pseudonymised personal data to one party and anonymous to another, but only if the second party does not hold the re-identification key. By sharing only pseudonymised versions of datasets, therefore, it is possible, in the presence of suitable controls, to achieve effective anonymisation. Achieving effective anonymisation means that risks are reduced, helping data protection compliance for all parties involved.
Having said that, even when pseudonymised data is shared with third parties, with no way for re-identification to occur, it is still prudent to ensure contractual measures are in place. It is worth noting that even if a sponsor only receives pseudonymised data, the sponsor is still considered to be the data controller (an entity, such as an organisation, which determines the purposes and means of the processing of personal data) under the GDPR, due to their determination of the means and purpose of the processing activity. It has been mentioned before, but pseudonymised data is still classed as personal data according to the GDPR.
Have clear procedures regarding responsibility
In the context of the GDPR, this includes Joint Data Controller Data Sharing Agreements or Data Processing Agreements, depending upon the contractual relationship. These contracts should be explicit about the responsibilities of each party, particularly with regards to which party is responsible for pseudonymising or anonymising datasets, and how re-identification keys should be retained.
Clear messaging to data subjects
The GDPR also compels organisations to process Personal Data in a transparent manner. In the context of a clinical trial, this means implementing precise privacy notices within the trial’s Informed Consent Forms (ICFs); informed consent being an unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. It should be clear to participants what Personal Data is being collected and why it is necessary for achieving the stated purpose. Composing these notices and making them clear and concise is a difficult balancing act, which should be granted ample time and resources.
Data Controllers must also inform Data Subjects about the legal justifications for why their data is being processed. In practice, the lawful basis is often determined by the identity of the Data Controller, as well as the guidance of the applicable supervisory authority (an authority established by its member state to supervise compliance with data protection regulation), clinical trial regulator, and/or ethics board specific to each jurisdiction.
This blog series has explored various ways of reducing the privacy risks facing organisations setting up a clinical trial.
We have taken a close look at some of the challenges frequently experienced, as well as some of the limitations to bear in mind with certain techniques for dealing with them.
We have also outlined the ways of reducing risks when working with third parties, including pseudonymisation and pseudonymisation key holders.
To conclude our thoughts, we have put together a helpful checklist of questions for life sciences organisations to consider when setting up a clinical trial:
The DPO Centre offers flexible and tailored data protection support with professional advice and expertise specific to life sciences organisations. We provide outsourced data protection officers (DPOs) who work as an integral member of your team, as well as Data Protection Representatives (DPR) in both the EU and UK.
We will help you to quantify your anonymisation risks and support you with your wider data protection obligations, both before and after your trial begins. Our DPOs and EU/UK Representatives assist with privacy maturity reviews, Data Protection Impact Assessments (DPIAs), and dataflow mapping exercises. We review protocols, policies, Privacy Notices, Informed Consent Forms, and other clinical trial documentation, as required. We will also advise in greater detail as to which datasets may be subject to applicable data retention periods (in data protection terms, a defined period of time for which information assets are to be kept), and therefore require specific anonymisation and archival techniques to be applied.
With thanks to James Boyle from Mishcon de Reya for content contributions. Discover more about risk reduction in the next blog, Anonymisation Part 2: Risk Reduction for CROs, Sponsors & Partners Conducting Clinical Trials.