Earlier this year, we saw updated guidance from the UK Information Commissioner’s Office (ICO) on anonymisation and pseudonymisation which may impact how studies are approached. This new guidance matters because it doesn’t just clarify regulatory expectations – it exposes divergence between the UK and EU positions.
The European Data Protection Board's (EDPB) view, as set out in their draft guidance, is that pseudonymised data remains personal data. In contrast, the ICO's guidance states that in some circumstances, pseudonymised data can be considered properly anonymised and therefore no longer subject to data protection law. The ICO sets out a "motivated intruder" test as a way to evaluate whether data can be linked back to specific individuals - it focuses on the practical possibility of re-identification, considering the resources and capabilities a motivated individual might employ (rather than attempts to re-identity by an educated guess).
This split in regulator approach has implications for clinical trial sponsors running cross-border studies, as well as those working with external international partners like CROs, technology providers or data analytics specialists.
What should clinical trial professionals consider?
Navigating evolving guidance demands a proactive reassessment of data governance - one that balances innovation, compliance and participant trust.
Clinical trial professionals should take a fresh look at their anonymisation strategies. With AI, advanced re-identification tools and ever-more detailed datasets in play, safeguards like tokenisation and masking need to prove they work in practice.
Good documentation is just as critical. Data Protection Impact Assessments (DPIAs), privacy notices and risk assessments should be updated to reflect today’s expectations – and show that identifiability risks have been properly weighed. Outsourcing data processing doesn’t outsource responsibility and accountability stays with the sponsor - if third parties are handling your data, you need clear, recorded evidence that due diligence has been done and that these practices are properly understood.
Equally, re-identification demands close attention. If pseudonymised data can be traced back to individuals, even in theory, sponsors need to know exactly how that could happen. Who controls the re-identification keys? How are they stored? Under what circumstances can they be accessed, and by whom? Without firm contractual agreements and technical safeguards, what looks like anonymised data may still be classed as personal – and that opens the door to regulatory scrutiny and reputational fallout.
If a study touches both the UK and EU, treat pseudonymised data as personal unless you can clearly prove otherwise under both regimes. Even where guidance appears aligned, enforcement can vary and the cost of getting it wrong is high.
Using anonymisation and pseudonymisation tools properly and ethically also creates an opportunity to strengthen the foundations of trust that clinical research depends on. Transparent, accountable data strategies not only reduce legal exposure, they also reassure participants, partners and regulators that research is legally compliant, ethical and robust.
This article was published in Health Tech World - read the original article here.
