This question has been discussed heavily since the issue of the EU Data Protection Directive 95/46/EC back in October 1995. Over the years, there has been a concensus of opinion that patient records should be regarded as coming within the jurisdiction of data protection legislation because, even though the record is anonymized by the use of an abstract identifier, there exists the ability – via the subject log – to determine who the record relates to. However, I wonder whether recent EU proposals may open up this debate again?
The European Council has recently outlined some revisions to the initial draft Data Protection Regulation that was made available in January of this year. The revisions change the definition of personal data such that if it is deemed to be too burdensome to identify the individual, then the data should not be regarded as personal data. The proposed definition states that “if identification requires a disproportionate time, effort or material resources, the natural living person shall not be considered identifiable”. I can imagine that some might argue it would be too burdensome to follow the pathway from an anonymous case report form held by a clinical trial sponsor, through to the investigational site and then from the subject log to a natural person, that the CRFs should not be considered to hold personal data. Let’s watch this space!!