Controllers and personal data in health and care research

Where a sponsor (B) obtains personal data collected previously for research purposes by a different sponsor (A), then sponsor B is obtaining the personal data indirectly. In this scenario, sponsor A is controller for the first research activity and sponsor B is the controller for the second research project.

If a sponsor obtains personal data previously collected for clinical purposes by another controller, for example a GP practice, the information is also obtained indirectly from another party.

In some cases, particularly interventional research, information will be collected from participants and recorded in both the medical records for care purposes and in the Case Report Form or equivalent for research purposes. In this situation the sponsor is obtaining the data directly from the data subject and is the controller for processing for research (with the care organisation being a processor acting in accordance with the instructions of the sponsor),. The care organisation is also a controller for processing the data for care purposes.

If a sponsor re-uses for research purposes personal data that the sponsor previously obtained directly from a data subject, even if the original purpose was different, the personal data is still classed as being obtained directly, because it is the same controller.

During interventional studies, participants may have tests undertaken. Any information from such tests would be personal data for the sponsor, even if the test results are not identifiable to those analysing the test, since the results would be associated with an identifiable individual by the sponsor or site. This personal data would be classed as being obtained directly, whether the test was undertaken at the site or a subsidiary site, since they would be acting as processors on behalf of the sponsor.

The sponsor is processing personal data if any of the data collected into case report forms, data collection tools, questionnaires, surveys, databases or other tools relates to identified or identifiable living individuals. In health and care research it is common practice to apply a unique number to each participant in a study, in order to restrict access to confidential patient information. The code list showing the participant’s name or other identifying information is then stored separately from the research data. 

As the site will have access to the code list as well as the research data, it will be processing personal data. While participants are taking part in the study, the sponsor may have access or has the possibility of access to the code or to personal information eg for monitoring, and is therefore processing personal data.

It is common practice for the analysis of research data to be undertaken by staff who are not permitted access to the code list, in order to preserve the confidentiality of the patient information. This processing therefore does not involve personal data, if there is no other means to identify the individuals either by the combination of the data collected or by combining the data with other information held by, or accessible to, the staff undertaking the analysis. 

This separation of access to the code list and the coded research data must be managed through documented policies and procedures or agreements (eg the model non-commercial agreement). The stage in the study life cycle may therefore determine whether personal data is being processed by the sponsor.  In this example, the sponsor as controller is no longer processing personal data once participants have finished, analysis of non-identifiable data is underway, and the sponsor no longer has access or the possibility of access to the code list.

Research databases, research tissue banks and other biorepositories do not have a research sponsor. The controller will be the organisation responsible for the management and oversight of the resource.