It is the sponsor who determines what data is collected for the research study through the protocol, case report form and/or structured data fields in a database. The sponsor therefore acts as the controller in relation to the research data.
In many cases, participants will be patients/service users and the same information may also be provided to the care organisation. The care organisation therefore acts as the controller in relation to the data provided for care purposes. This means that there may be two controllers for the same information – but for two different purposes.
This distinction between the purposes for which data is collected is important in determining whether the sponsor is collecting personal data directly from the data subjects (ie participants) or indirectly. If, at the time the data was obtained, the only purpose of the collection was to support the delivery of care and the individual was not participating in the study, then the controller is the care organisation. If that personal data is then transferred to a separate research sponsor, the sponsor has obtained the data indirectly and becomes the controller for the processing of that data for research purposes.
It is important that, for your study, you understand whether personal data is collected directly from the data subject or indirectly from a third party; when information is personal data; and who the controller is, as these three points determine the actions you will need to take.
The examples below illustrate some common research scenarios:
Example 1 – indirectly obtaining personal data from a third party
Where a sponsor (B) obtains personal data collected previously for research purposes by a different sponsor (A), then sponsor B is obtaining the personal data indirectly. In this scenario, sponsor A is controller for the first research activity and sponsor B is the controller for the second research project.
If a sponsor obtains personal data previously collected for clinical purposes by another controller, for example a GP practice, the information is also obtained indirectly from another party.
Example 2 – obtaining personal data directly from the data subject
In some cases, particularly interventional research, information will be collected from participants and recorded both in the medical records for care purposes and in the case report form or equivalent for research purposes. In this situation the sponsor is obtaining the data directly from the data subject and is the controller for processing for research (with the care organisation being a processor acting in accordance with the instructions of the sponsor). The care organisation is also a controller for processing the data for care purposes.
If a sponsor re-uses for research purposes personal data that the sponsor previously obtained directly from a data subject, even if the original purpose was different, the personal data is still classed as being obtained directly, because it is the same controller.
During interventional studies, participants may have tests undertaken. Any information from such tests would be personal data for the sponsor, even if the test results are not identifiable to those analysing the test, since the results would be associated with an identifiable individual by the sponsor or site. This personal data would be classed as being obtained directly, whether the test was undertaken at the site or a subsidiary site, since they would be acting as processors on behalf of the sponsor.
Example 3 – processing personal data
The sponsor is processing personal data if any of the data collected into case report forms, data collection tools, questionnaires, surveys, databases or other tools relates to identified or identifiable living individuals. In health and care research it is common practice to apply a unique number to each participant in a study, in order to restrict access to confidential patient information. The code list showing the participant’s name or other identifying information is then stored separately from the research data.
As the site will have access to the code list as well as the research data, it will be processing personal data. While participants are taking part in the study, the sponsor may have access, or the possibility of access, to the code list or to personal information (eg for monitoring), and is therefore also processing personal data.
Example 4 – no longer processing personal data
It is common practice for the analysis of research data to be undertaken by staff who are not permitted access to the code list, in order to preserve the confidentiality of the patient information. This processing therefore does not involve personal data, provided there is no other means of identifying the individuals, either from the combination of the data collected or by combining the data with other information held by, or accessible to, the staff undertaking the analysis.
This separation of access to the code list and the coded research data must be managed through documented policies and procedures or agreements (eg the model non-commercial agreement). The stage in the study life cycle may therefore determine whether personal data is being processed by the sponsor. In this example, the sponsor as controller is no longer processing personal data once participants have finished, analysis of non-identifiable data is underway, and the sponsor no longer has access or the possibility of access to the code list.
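The following is an added illustration of the pattern in Examples 3 and 4, written for this page and not taken from the guidance or any HRA tool. It models a site-held code list kept apart from the coded research data, refuses direct identifiers in the coded dataset, and shows that whether the same coded records are personal data depends on whether the holder has (or could have) access to the code list. All names, field names and the list of direct identifiers are constructed assumptions for the example.

```python
import secrets
from dataclasses import dataclass

# Fields treated as direct identifiers in this example. This is a constructed
# list for illustration, not a definition taken from the guidance.
DIRECT_IDENTIFIERS = frozenset({"name", "nhs_number", "date_of_birth", "postcode"})


@dataclass(frozen=True)
class Identity:
    name: str
    nhs_number: str  # constructed sample value, not a real NHS number


class CodeList:
    """Study number -> identity map, held by the site separately from the research data."""

    def __init__(self) -> None:
        self._entries = {}

    def enrol(self, identity: Identity) -> str:
        # Random, non-sequential study number so the code itself leaks no
        # enrolment order or timing; loop guards against the rare collision.
        while True:
            study_id = f"P{secrets.randbelow(10**6):06d}"
            if study_id not in self._entries:
                break
        self._entries[study_id] = identity
        return study_id

    def reidentify(self, study_id: str) -> Identity:
        """Only a holder of the code list can get from study number back to person."""
        return self._entries[study_id]


def coded_record(study_id: str, crf_fields: dict) -> dict:
    """Build the coded research record for one participant from CRF fields.

    Direct identifiers are refused so they cannot leak into the coded
    dataset by mistake; they belong only in the code list.
    """
    leaked = DIRECT_IDENTIFIERS & set(crf_fields)
    if leaked:
        raise ValueError(f"direct identifiers not allowed in coded data: {sorted(leaked)}")
    return {"study_id": study_id, **crf_fields}


def is_personal_data(records: list, holder_has_code_list: bool) -> bool:
    """Whether the coded dataset is personal data for a given holder.

    Example 3: site or sponsor with (possible) access to the code list -> True.
    Example 4: analysis staff with no code-list access and no identifiers in
    the data -> False. Any direct identifier inside the records makes it
    personal data regardless of code-list access.
    """
    if any(DIRECT_IDENTIFIERS & set(record) for record in records):
        return True
    return holder_has_code_list


def demo() -> dict:
    """Walk one constructed participant through enrolment, coding and analysis."""
    code_list = CodeList()
    pid = code_list.enrol(Identity("Jane Example", "000 000 0000"))  # constructed
    dataset = [coded_record(pid, {"hba1c": 6.8, "visit": 1})]
    return {
        "site_processing_personal_data": is_personal_data(dataset, holder_has_code_list=True),
        "analysis_processing_personal_data": is_personal_data(dataset, holder_has_code_list=False),
        "reidentified_by_site": code_list.reidentify(pid).name,
    }


if __name__ == "__main__":
    print(demo())
```

The access separation the guidance requires to be documented in policies or agreements is, in code, the fact that analysis staff are never given a reference to the `CodeList` object; the `coded_record` check is the technical control that stops identifiers slipping into the coded data and silently turning the analysis dataset back into personal data.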
Example 5 – identifying the controller
Research databases, research tissue banks and other biorepositories do not have a research sponsor. The controller will be the organisation responsible for the management and oversight of the resource.
In all scenarios you should consider:
- what stages of the research involve processing personal data of a living individual,
- who is the controller for each processing activity, ie whether the purpose of the activity is research and/or clinical care, and
- whether the controller is obtaining the personal data directly from the data subjects or indirectly from a different controller.
You need to understand these three key aspects of your study in order to determine which organisations have controller responsibilities, and what information should be provided about the data processing activities.