In this guidance we use ‘GDPR’ to refer to requirements in both the EU General Data Protection Regulation and the UK Data Protection Act 2018 (ratified 23 May 2018).
The term ‘personal data’ is defined as in the above regulations. This guidance only relates to personal data of research participants or potential participants.
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Note that personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. Data that have been anonymised are considered to be out of scope of GDPR. It is worth noting that the act of anonymisation is processing personal data.
The term ‘confidential patient information’ is defined in law. It includes patient information to which a duty of confidentiality is owed under common law. Personal data including any health related information (including where health related information can be derived from context) or health related information in a context from which personal data can be identified, would be confidential patient information.
The term ‘legal basis’ used in this guidance should be interpreted to mean the same as the term ‘lawful basis’ used in other guidance, eg published by the Information Commissioner’s Office.
A ‘controller’ determines the purposes and means of processing personal data. A ‘processor’ is responsible for processing personal data on behalf of a controller.