- What is the “personal data” that needs to be stored under the GDPR policies?
Simply put, personal data is any information relating to an individual that can be used to identify them. Examples include a name, an identification number, location data, or an online identifier. Less obvious examples include information related to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. Pseudonymised data is also classified as personal data.
- How should GDPR personal data be stored?
The safest way to store GDPR-sensitive data is by encrypting it. Encrypting data makes the information unreadable without a secret key used to decrypt it. Data encryption should be applied to both stored data (on computer drives or removable media) and data transmitted over networks. Find out how to encrypt data.
- If an Imperial College staff member needs access to patient information from the NHS as part of a clinical study, how can it be accessed?
NHS patient clinical data is only accessible by NHS staff members. Imperial College staff without a contractual relationship with the NHS cannot access patient data. There are even serious issues around storing or processing any patient-derived data on any non-NHS Trust system.
- If consent is given by participants/patients and that information becomes part of a publication, what happens if the consent is later withdrawn?
Personal data must be pseudonymised and should be handled in aggregate before being included in a scientific publication. Data prone to re-identification should not be openly published but shared via a secure system (e.g. EGA). Therefore, the withdrawal of consent should not affect the publication. However, any personal data linked to that consent which has been stored should be deleted. There are particular issues around publication of case reports involving ultra-rare diseases or publication of demographics so unusual that retrospective identification is possible.