Page History

The overall process of protecting the privacy of data subjects, including clinical study participants, and reducing the risk of re-identification by 1) modifying (e.g. suppressing, obscuring, aggregating, altering) identifiable information in structured data and documents, 2) assessing and controlling the residual risk of re-identification and 3) considering the context of the data release.

Data and documents that have been produced as the output of an anonymisation process.

In respect of a person to whose business or affairs the information relates, means – subject to the regulations – business information: that is not publicly available, in respect of which the person has taken measures that are reasonable in the circumstances to ensure that it remains not publicly available, and that has actual or potential economic value to the person or their competitors because it is not publicly available and its disclosure would result in a material financial loss to the person or a material financial gain to their competitors. (In reference to clinical reports submitted to Health Canada, as defined in Canada’s Section 2 of the Food and Drugs Act.)

Any information contained in the clinical reports submitted to the European Medicines Agency (EMA) by the applicant/MAH which is not in the public domain or publicly available and where disclosure may undermine the legitimate economic interest of the applicant/MAH.

An identified or identifiable natural person to whom a particular piece of data relates.

A general term for any process of removing the association between a set of identifying data and a data subject present in data/documents. The association between data and subject is removed by modifying (e.g. removing, obscuring, aggregating, altering) identifiable information in structured data and documents.

Data and documents that have been produced as the output of a de-identification process.

Data that can be used to uniquely identify an individual (e.g. study participant ID, social security number, exact address, telephone number, email address, government-assigned identifier) without additional information or cross-linking other information that is in the public domain.

The person-specific data separately recorded for each data subject in a clinical study.

Subject-level data that can be linked to data subject directly or indirectly, in particular by reference to details such as name, identification number, location data or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.

A type of de-identification that both removes the association with a data subject and adds an association between a particular set of characteristics relating to the data subject and one or more pseudonyms. Typically, pseudonymisation is implemented by replacing direct identifiers (e.g. a name, a subject ID) with a pseudonym, such as a randomly generated value.

Data and documents that have been produced as the output of a pseudonymisation process.

Data, which in connection with other information, can be used to identify an individual with high probability, e.g. age at baseline, race, gender, medical information, events, specific findings.

Definition adapted from PHUSE: Protection of Personal Data in Clinical Documents – A Model Approach, Version 1.0, 10 June 2019, available from https://phuse.s3.eu-central-1.amazonaws.com/Deliverables/Data+Transparency/Protection+of+Personal+Data+in+Clinical+Documents+A+Model+Approach.pdf (last accessed 18 March 2021); PHUSE: A Global View of the Clinical Transparency Landscape – Best Practices Guide, Version 1.0, 22 May 2020, available from https://phuse.s3.eu-central-1.amazonaws.com/Deliverables/Data+Transparency/Clinical+Trials+Data+Transparency+Toolkit+Best+Practices+Guide.pdf (last accessed 18 March 2021);

PHUSE: De-Identification Standard for CDISC SDTM 3.2, Version 1.01, 20 May 2015, available from https://phuse.s3.eu-central-1.amazonaws.com/Deliverables/Data+Transparency/De-identification+Standard+for+SDTM+3.2+Version+1.0.xls (last accessed 22 March 2021); El Emam K. Guide to the De-Identification of Personal Health Information, Auerbach Publications 2013; PHUSE: Data Anonymisation and Risk Assessment Automation, Version 1.0, 9 June 2020, available from https://phuse.s3.eu-central-1.amazonaws.com/Deliverables/Data+Transparency/Data+Anonymisation+and+Risk+Assessment+Automation.pdf (last accessed 18 March 2021).

Re-establishment of the association between a set of identifying data and the data subject found in data or documents.

Definition adapted from Garfinkel SL. De-Identification of Personal Information, National Institute of Standards and Technology Internal Report 8053, October 2015, available from http://dx.doi.org/10.6028/NIST.IR.8053 (last accessed 18 March 2021);the Information and Privacy Commissioner of Ontario: De-identification Guidelines for Structured Data, June 2016, available from https://www.ipc.on.ca/wp-content/uploads/2016/08/Deidentification-Guidelines-for-Structured-Data.pdf (last accessed 18 March 2021); the National Institute of Standards and Technology: Computer Security Resource Center Glossary, available from https://csrc.nist.gov/Glossary (last accessed 22 March 2021).

The probability that re-identification could occur.

The risk of re-identification that remains on data or documents that have been produced as the output of an anonymisation process.