GETTING PERSONAL WITH ‘PERSONAL DATA’

GDPR – or the General Data Protection Regulation – came into force in the European Union on the 25th of May 2018. It is a complex framework that governs the way that Personal Data is used within the boundaries of the European Union. In the labyrinth of legal jargon, navigating the complexities of GDPR feels at times like wading through treacle. Let’s break it down and unravel some of the basics, starting with: what is personal data?

To begin with, under Article 4(1) of the Regulation, Personal Data is defined as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”[1]

In simple terms, any information that can be linked to a natural person inside the EU is considered personal data for the purposes of GDPR. However, to go further, we will look at each critical aspect of Article 4(1) below.

Natural Person: Living individuals matter, and personal data on the departed doesn't count. This definition would also exclude data on companies (which are legal persons). Thus, it is personal data if it relates to an individual human being.

Any Information: Consider objective details like an individual’s height, weight and age or subjective information like a university student’s report card. It spans various formats, from video to numerical data. The following are examples specific to Clinical Research:

  • Demographic Information: Names, addresses, phone numbers, email addresses, and other contact details;
  • Health Information: Medical history, current health conditions, treatment records, and details of medication;
  • Biometric Data: DNA samples, fingerprints, and other unique biological markers;
  • Clinical Test Results: Laboratory results, diagnostic images, and other test outcomes;
  • Genetic Information: Details related to an individual's genetic makeup;
  • Psychological and Behavioural Information: Information on mental health, behavioural patterns, and cognitive assessments;
  • Research Identifiers: Any codes or identifiers assigned to participants for the purpose of the study;
  • Sensitive Information: Information about sensitive topics like sexual health or substance abuse;
  • Informed Consent Records: Documents detailing the participant's agreement to participate in the research;
  • Financial Information: Any financial data relevant to the study, such as information related to insurance or compensation;
  • Location Data: Information about the participant's geographical location.

Directly Identifiable Individuals: If you can distinguish someone from the crowd, it’s game on. Simply, can you identify a person with only the information provided? If so, then they are directly identifiable and said information is personal data.

Indirectly Identifiable Individuals: Can you identify someone with other information you hold, or information that is available to the general public? If so, they are indirectly identifiable and it is personal data. The crux is that, through a combination of their personal data in your possession and other information available to you, you are able to identify them.

Is Anonymised or Pseudonymised Data considered Personal Data?

Under GDPR, anonymised data refers to information processed in a way that renders it no longer attributable to a specific individual. It is the process of irreversibly removing or modifying personal identifiers from the information to prevent the identification of said individual. Naturally, anonymised data is not considered personal data for this very reason.

In contrast, pseudonymisation is the process of replacing any information which could be used to identify an individual with a pseudonym, the result being pseudonymised data. The pseudonym can be a series of letters and/or numbers which do not allow the individual to be identified. To re-identify the individual, the code or key for such pseudonymisation must be used. This key is a document that can determine the personal data from the letters or numbers of the pseudonym.

How this data is treated hinges on whether or not the key is shared in the data sharing process. Pseudonymised data can be considered anonymised if – and only if – the party receiving said data does not have the key to enable them to re-identify the data subjects and has no legal means available to access it.
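The pseudonymisation and key separation described above, sketched in Python as an added example that is not part of the original article. The records, the field names and the choice of `name` and `email` as the identifying fields are constructed assumptions.

```python
import secrets

# Constructed sample records (not real data): direct identifiers plus study data.
RECORDS = [
    {"name": "Aoife Byrne", "email": "aoife@example.org", "visit": 1, "hba1c": 6.1},
    {"name": "Sean Walsh", "email": "sean@example.org", "visit": 1, "hba1c": 7.4},
    {"name": "Aoife Byrne", "email": "aoife@example.org", "visit": 2, "hba1c": 5.9},
]
DIRECT_IDENTIFIERS = ("name", "email")  # assumed set of identifying fields


def pseudonymise(records, identifiers=DIRECT_IDENTIFIERS):
    """Return (shared_rows, key_table).

    shared_rows carry a random pseudonym instead of the identifiers.
    key_table maps pseudonym -> identifiers and must be stored apart
    from shared_rows; whoever holds it can re-identify participants.
    """
    by_identity = {}   # identity tuple -> pseudonym, so repeat visits link up
    key_table = {}
    shared_rows = []
    for rec in records:
        identity = tuple(rec[f] for f in identifiers)
        if identity not in by_identity:
            pseudonym = "P-" + secrets.token_hex(8)  # random, not derived from the data
            by_identity[identity] = pseudonym
            key_table[pseudonym] = dict(zip(identifiers, identity))
        # Remaining fields may still identify someone indirectly when combined
        # with other information, so review them before sharing.
        row = {k: v for k, v in rec.items() if k not in identifiers}
        row["participant"] = by_identity[identity]
        shared_rows.append(row)
    return shared_rows, key_table


def reidentify(row, key_table):
    """Look a shared row up in the key; None when the holder lacks the key."""
    return key_table.get(row["participant"])


if __name__ == "__main__":
    shared, key = pseudonymise(RECORDS)
    print(shared[0], reidentify(shared[0], key), reidentify(shared[0], {}))
```

The recipient is sent only `shared_rows`; the sender keeps `key_table` under separate access control.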


[1] Article 4(1) of the General Data Protection Regulation https://gdpr-info.eu/art-4-gdpr/

Exceptional Tom

Jennifer Purcell

Barrister-at-Law at The Bar of Ireland

1 year

Thanks for sharing!

Gregory Murphy

Barrister-at-Law at the Bar of Ireland

1 year

Very enlightening Tom, thanks for sharing.

Luke Corry

GSOC Associate Manager, Crisis24 Protective Solutions

1 year

The bee's knees! #data

Holly King

Data Analyst | Rural Fibre 4U

1 year

Great article Tom, looking forward to the next!
