personal data

Subscribe to personal data via RSS

Research participants must identify which data sets constitute personal data to ensure compliance with the GDPR.

By Frances Stocks Allen and Mihail Krepchev

The UK Medical Research Council (MRC) has published a useful guidance note on the identifiability, anonymisation, and pseudonymisation of personal data in the context of research activities (the Guidance). The Guidance reminds research organisations that the General Data Protection Regulation (GDPR) applies to health data used in research and contains a number of recommendations that participants in the research process, particularly clinical trial sponsors, should bear in mind. The Guidance has been developed with the participation of the UK privacy regulator, the Information Commissioner’s Office (ICO).

UK data protection regulator demands companies in the RTB ecosystem re-evaluate privacy notices, use of personal data, and lawful basis.

By Robert Blamires, Calum Docherty, Laura Holden, and Lucy Tucker

The UK Information Commissioner’s Office’s (ICO’s) latest report into adtech and real time bidding (RTB) (the ICO Report) provides a stark assessment of the adtech sector’s use of personal data in RTB scenarios. The ICO Report notes widespread compliance concerns that, in some cases, the ICO does not consider “will be addressed without intervention.” Organizations in this field should expect potentially more vigorous investigations and enforcement action if the ICO’s concerns are not addressed.

RTB is an online ad-buying process by which advertising space on websites is bought and sold via an instantaneous “programmatic” auction. During the auction process, a wide range of data (mostly originated from cookies) can be shared with multiple advertisers who place real time bids for relevant ad space. 

Sponsors outside the European Union conducting clinical trials in the EU should consider current guidelines and the Breyer case to understand whether GDPR requirements will apply to them.

By Gail Crawford and Frances Stocks Allen

Many sponsors of clinical trials believe that companies based outside the EU who sponsor clinical trials conducted in the EU through clinical research organisations (CROs) and/or clinical sites do not themselves need to comply with the General Data Protection Regulation (GDPR). Sponsors believe the GDPR does not apply to them as they do not conduct the research directly but only receive results in key-coded form, and only their CROs and/or clinical sites will have access to the raw data and/or the key that connects the key-coded data to individual patients. However, sponsors need to reconsider this presumption in light of current guidelines and the Breyer case. Similar issues arise in other fields, for example, data and market research, in which only key-coded data is received by the organisation commissioning the research. But following the GDPR and the Breyer decision these organisations may still be subject to the requirements of the GDPR.

Is Key-Coded Data Personal Data?

The GDPR defines “personal data” broadly to include any information relating to an identified or identifiable natural person. For this purpose, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (Article 4(1) GDPR).