
Joint Research Office


GDPR FAQs

Where can I find information about the GDPR on the JRO website?

Please see Regulatory Approvals including GDPR and GDPR Updates.

Where can I find the general sponsor's statement referred to on the HRA website?

You can find this on our About Us page - see our 'Data Protection Statement.'

What should I put in the square brackets at the end of the general paragraph?

This should read as follows: 'You can find out more about how we use your information here and/or by contacting [insert name].'

The contact name given should be someone from within your study.

We are told that the GDPR covers genetic information - what does this mean?

The GDPR covers identifiable information. It only covers genetic information if it can be considered as relating to an individual and provides unambiguous and unique identification of a person. Certain types of whole genome sequencing should be considered as coming under the GDPR.

Who would be the data controller in a study conducting secondary analysis from a national database?

When the data is transferred to or accessed by the sponsor, i.e. the investigators, for the purposes of the study, then the sponsor becomes the data controller. If you have accessed identifiable information then it is your responsibility, i.e. the data controller's responsibility, to issue a transparency statement within one month of obtaining the information. For more information about what constitutes identifiable information see the ICO website.

Is there any flexibility on the transparency statements to make them more applicable to specific studies?

Not at the moment. The JRO is pressing the HRA to be less rigid.

Is the privacy notice the same as the transparency notice and should researchers amend their existing patient documents?

The HRA does not want to be overwhelmed by amendments. It has designed the wording on its website to be used instead. However, if you are submitting a substantial amendment to the PIS for another purpose, please do update patient documents to be GDPR compliant.

The wording on the statements - "rights are limited" - can cause unnecessary concerns to potential and current participants. Can this statement be omitted?

No. We are aware that some studies have ethically approved documents where participants have been granted considerably more control over their data than in the HRA wording. We are consulting the HRA about this.

What about questions which have been raised regarding retrospective studies where patients/participants cannot be reached?

The situation regarding historic datasets is complex.  On the one hand data storage is considered processing and therefore is subject to requirements for transparency i.e. providing the required information to data subjects.  But there are get-out clauses - for example if it's impossible to contact the subjects or involves disproportionate effort. However, the latter does not apply if the data has been collected face to face. The other point to consider is whether data is identifiable but even this is not simple as this now depends not only on removing identifiable information but also on the risk of re-identification. If you have no access to the contact details of the data subjects then contacting them is impossible. At the moment, our advice is to just keep a watchful eye on how the requirements in relation to historic data are developing.

What happens to studies requiring access to anonymised biological data in a database or access to raw datasets in order to enable them to publish? In the case of accessing raw data in order for a study to be published, what is the risk of re-identifying patients from the raw data?

This is a very complex area and one where we have little expertise. Suffice it to say that it is not in the publisher's interest to publish data which can be identified, so it is likely that they will have systems in place to prevent this.

What is the advice on using video recordings as these are identifiable even from voice recordings?

These should be considered identifiable information but it depends on your intent.  If you are looking at crowd behaviour then it is not identifiable information.  There is information on the ICO website about what counts as identifiable information.

In an instance where consent was initially given to use information from MRI scans en masse, does the research team need to contact all the participants for transparency given that in order to contact these participants, the researchers would need to refer back to clinical information?

It depends whether the scans contain identifiable information or are being linked to information which renders them identifiable. There is a software app that can remove identifiers from medical images and in some systems this is done automatically.

In cases where NGOs or funders are the data controller, what would be the best structure for the PIS with regards to transparency and the HRA statements?

It would be best to follow the HRA wording as far as possible, but clearly stating that the NGO is the data controller.

In a scenario where information is contained within a Biobank and the information is anonymised for a UCL student, would a researcher need to go back and contact the participants even when all the dataset is contained within UCL?

If the information is de-identified for the student then the student does not need to contact the donors and cannot do so. However, the biobank will need to consider the extent to which it is allowing researchers access to identifiable information and what further information it may need to give to participants given the implementation of GDPR.

What other sources of information are available to get a better understanding of the GDPR?

The best source for further information is the ICO website.

For an in-depth understanding, see the EU Article 29 Working Party documents on Transparency, children, DPIA and more.

The UCL website also has information.

Finally, the MRC has produced guidance which explains the consent issue.