Pseudonymisation of data in clinical trials and its implications for sponsors
In clinical trials, a standard practice is that the sponsor, i.e. the entity responsible for undertaking the clinical trial, managing it and arranging for its funding, does not have access to data directly identifying the study participants. Typically, the patients’ data reach the sponsor in pseudonymised form. Thus sometimes sponsors assume that since they are only processing pseudonymised data of clinical trial participants, they are not subject to the GDPR. Nothing could be further from the truth. Indeed, pseudonymisation poses additional challenges for sponsors as data controllers.
Pseudonymised data is personal data subject to the GDPR
Typically, the personal data of clinical trial participants is pseudonymised, either by the principal investigator or by a trusted third party employed by the sponsor (e.g. a contract research organisation—CRO) before it reaches the sponsor.
Art. 4(5) of the EU’s General Data Protection Regulation defines “pseudonymisation” as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures [i.e. a ‘key’] to ensure that the personal data are not attributed to an identified or identifiable natural person.” In its simplest form, pseudonymisation can involve replacing the patient’s name with an identifier code. For clinical trials, the key to reverse pseudonymisation is usually held by the investigator or a trusted third party.
It should be stressed that pseudonymised data do constitute personal data and are subject to protection under the GDPR. As stated in Recital 26 GDPR, “Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person”—that is, personal data. Therefore, the sponsor’s processing of pseudonymised personal data of clinical trial participants is subject to the GDPR.
“Pseudonymisation” should not be confused with “anonymisation,” which is the processing of personal data in such a way that the data subjects cannot be identified at all or are no longer identifiable. This is an important distinction, because:
- Pseudonymisation is reversible (hence pseudonymised data qualify as personal data)
- Anonymisation is irreversible, meaning that anonymised data do not constitute personal data and are not subject to GDPR protection (see Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, WP216).
In principle, in the practice of clinical trials, participants’ data are not anonymised. Indeed, in exceptional situations, it may be necessary to disclose a patient’s identity (e.g. if there is a threat to the patient’s life, health or safety, or when necessary to provide the patient with adequate healthcare). If a study participant’s data were anonymised, this would be impossible. In effect, the reversibility of pseudonymisation plays an additional role in protecting study participants.
Pseudonymisation and rights of data subjects (study participants)
Pseudonymisation carries certain consequences for the sponsor, which is the controller of personal data of participants in the clinical trial it manages. Since it does not have access to data allowing it to identify the participants, it may have trouble carrying out such individuals’ rights under the GDPR (e.g. right to access, erasure, rectification or restriction of processing)—the sponsor is unable to independently identify the person asserting their rights under the GDPR and determine whether it is actually processing that person’s data. This presents an unusual situation under the GDPR where the controller, i.e. the sponsor of the clinical trial, cannot independently carry out the data subject’s request and fulfil its obligations under the GDPR.
Additional information to identify the study participant—the “key” to reverse the pseudonymisation—is usually held by the investigator, the research centre, or a trusted third party. Only with this additional data can the study participant be identified, and their rights as a data subject realised.
What can the sponsor do?
For this reason, it is essential that early on, at the stage of obtaining informed consent within the meaning of the Clinical Trials Regulation, the investigator provide the study participants (data subjects) with the sponsor’s information clause. In addition to the information required under the GDPR (Art. 13 or 14), the information clause should indicate that:
- Although the sponsor processes the personal data of clinical trial participants in its role as data controller, the sponsor does not have access to data identifying individual study participants (i.e. it processes pseudonymised data)
- Such identifying information is held exclusively by the investigator, research centre or third party, who must be contacted in the first instance if the data subject wishes to exercise their rights.
In this case, it is worthwhile to contractually regulate the issue of assistance in implementation of the patients’ rights as data subjects (e.g. in a tripartite agreement between sponsor, investigator and research centre). However, it should be remembered that it is the responsibility of the sponsor, as the data controller, to execute the data subjects’ rights.
If despite providing the relevant information in the information clause, study participants continue to contact the sponsor, in each case the sponsor should inform them that they should first contact the investigator (or research centre or third party, as the case may be) who holds the key for identifying the study participants, allowing them to exercise their rights as data subjects.
Iga Małobęcka-Szwast, attorney-at-law, New Technologies practice, Wardyński & Partners