Clinical Trials are vital to the research and development cycle in life sciences organisations, and the data gathered allows for innovative advances. However, the processing and storage of Information which relates to an identified or identifiable natural person. poses a number of risks, including data breaches, unauthorised access, and misuse. Here in Part 2 of our anonymisation blog series, we dive deeper into the steps that clinical trial stakeholders can take to reduce these risks by using pseudonymisation, and what questions they should be asking.
As discussed in Part 1, anonymisation is a useful technique to apply to clinical trial data, despite not always being an easy or available solution. Issues can arise with respect to certain limitations, as well as the handling of anomalies and jurisdictional differences affecting its application.
We previously outlined the various objective risk assessments that should be applied to anonymisation processes, including A technique used to release person-specific data such that the ability to link to other information using the quasi-identifier is limited. K-anonymity achieves this through suppression of identifiers and output perturbation. and A motivated intruder is a person who starts without any prior knowledge but wishes to identify an individual from whose personal data the anonymous information is derived. tests. These can help to quantify the effectiveness of anonymisation, but there are also additional factors to consider.
Collaboration between CROs, sponsors, and partners is crucial. But what other steps can stakeholders take to mitigate any data security risks?
What is pseudonymisation? This is a data protection technique whereby identifiable information is replaced, removed, or transformed with a pseudonym or code. Unlike anonymisation, where personal data is rendered irreversibly un-identifiable, pseudonymisation preserves the ability to re-identify individuals with a key code. The key must be kept separate and secure, and authorised personnel should only have access to the key, which reduces any processing risks.
For example, the pseudonymised data may show a patient numbered 123, who falls within the age bracket 25-30 years. Only the keyholder would be able to connect the data sources to identify patient 123 as Mr John Smith with a birth date of 1st January 1995.
It is important to note that pseudonymisation is a control technique, but it does not escape any of the GDPR regulations. Pseudonymised data is still classed as personal data.
Sponsor companies typically contract a CRO as a A third party processing personal data on behalf of a data controller., and frequently assign them the role of key holder. As convention has developed, however, we have seen a shift towards the site retaining the key, rather than the CRO. This provides a greater “arm’s length” approach to the ability of being able to re-identify the data.
It is unusual for a sponsor to hold the key, and any such request must be questioned and carefully assessed. There needs to be a practical or legal requirement, as the ability to re-identify the data at will (with the controller holding both the pseudonymised information and key) potentially renders the advantages of pseudonymisation null and void.
When implementing a pseudonymised data A series of actions or steps taken in order to achieve a particular end., it is essential to have robust technical and organisational measures (TOMs) in place to ensure its efficacy. These security procedures need to include, at the very least:
Third parties are often an essential factor in setting up a clinical trial, but working with them also creates vulnerabilities. Even with clear TOMs in place, organisations need to be aware of their liabilities and regulatory threats.
Assess what needs to be collected
The GDPR’s The third GDPR principle, requiring organisations to only collect the personal data that is truly necessary to fulfill each purpose for data processing. principle requires organisations to only process personal data that is “adequate, relevant, and limited to what is necessary”.
When working with partners, there is often pressure to overshare data, yet a third party may not actually require a full dataset for their purposes. A common example is to consider whether it is appropriate to collect and share a recipient’s full DOB (DD-MM-YYYY), or whether a YOB (YYYY) or even an age bracket (e.g. 50-60) would suffice for the purposes of the research.
Pseudonymised data without a key equals anonymisation
A single dataset may be pseudonymised personal data to one party and anonymous to another (i.e. Anonymised refers to data that has undergone a process of transformation to remove or alter personal data in such a way that individuals can no longer be identified from it, and it is impossible for that process to be reversed and the data to be re-identified. Anonymised data is considered non-personal and falls outside the scope of the GDPR.), only if the second party does not hold the re-identification key. By sharing only pseudonymised versions of datasets, therefore, it is possible, in the presence of suitable controls, to achieve effective anonymisation. Achieving effective anonymisation means that risks are reduced, helping data protection compliance for all parties involved.
Having said that, even when pseudonymised data is shared with third parties, with no way for re-identification to occur, it is still prudent to ensure contractual measures are in place. It is worth noting that even if a sponsor only receives pseudonymised data, the sponsor is still considered to be the An entity (such as an organisation) which determines the purposes and means of the processing of personal data. under the GDPR (due to their determination of the means and purpose of the processing activity). It has been mentioned before, but pseudonymised data is still classed as personal data according to the GDPR.
Have clear procedures regarding responsibility
In the context of the GDPR, this includes Joint Data Controller Data Sharing Agreements or Data Processing Agreements, depending upon the contractual relationship. These contracts should be explicit about the responsibilities of each party, particularly with regards to which party is responsible for pseudonymising or anonymising datasets, and how re-identification keys should be retained.
Clear messaging to data subjects
The GDPR also compels organisations to process Personal Data in a transparent manner. In the context of a clinical trial, this means implementing precise privacy notices within the trial’s Informed An unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. Forms (ICFs). It should be clear to participants what Personal Data is being collected and why it is necessary for achieving the stated purpose. Composing these notices and making them clear and concise is a difficult balancing act, which should be granted ample time and resources.
Data Controllers must also inform Data Subjects about the legal justifications for why their data is being processed. In practice, the lawful basis is often determined by the identity of the Data Controller, as well as the guidance of the applicable An authority established by its member state to supervise the compliance of data protection regulation., clinical trial regulator, and/or ethics board specific to each jurisdiction.
This blog series has explored various ways of reducing the privacy risks facing organisations setting up a clinical trial.
We have taken a close look at some of the frequently faced challenges that are often experienced as well as some of the limitations to bear in mind with certain techniques for dealing with them.
We have also outlined the ways of reducing risks when working with third parties, including pseudonymisation and pseudonymisation key holders.
To conclude our thoughts, we have put together a helpful checklist of questions for life sciences organisations to consider when setting up a clinical trial:
The DPO Centre offers flexible and tailored data protection support with professional advice and expertise specific to life sciences organisations. We provide outsourced data protection officers (DPOs) who work as an integral member of your team, as well as Data Protection Representatives (DPR) in both the EU and UK.
We will help you to quantify your anonymisation risks and support you with your wider data protection obligations, both before and after your trial begins. Our DPOs and EU/UK Representatives assist with privacy maturity reviews, Data Protection Impact Assessments (DPIAs), and dataflow mapping exercises. We review protocols, policies, Privacy Notices, Informed Consent Forms, and other clinical trial documentation, as required. We will also advise in greater detail as to which datasets may be subject to applicable Data retention refers to the period for which records are kept and when they should be destroyed. Under the General Data Protection Regulation (GDPR), data retention is a key element of the storage limitation principle, which states that personal data must not be kept for longer than necessary for the purposes for which the personal data are processed. periods, and therefore require specific anonymisation and archival techniques to be applied.
For more news and insights about The DPO Centre, follow us on LinkedIn
Need more information? See our full range of outsourced Data Protection support services
With thanks to James Boyle from Mishcon de Reya for content contributions. Discover more about risk reduction in the next blog, Anonymisation Part 2: Risk Reduction for CROs, Sponsors & Partners Conducting Clinical Trials.