Pseudonymisation Clause Samples

Pseudonymisation. Pseudonymisation is not currently applied. The application of pseudonymisation procedures is the responsibility of the client.

Pseudonymisation. Every processing operation is to be assessed as to whether its purpose can also be realised without direct personal reference. If this is the case, the processing of personal data is to be performed in a manner such that these data can no longer be associated to a specific data subject without reference to additional information. This additional information is to be stored separately and is itself subject to technical and organisational measures intended to ensure that the personal data cannot be associated to an identified or identifiable natural person.

Pseudonymisation. Pseudonymisation means processing personal data in such a way that the data can no longer be attributed to a specific data-subject without the use of additional information, (e.g. a dataset linking trial identifiers to identified or identifiable persons) provided that such additional information is kept separately and under controlled access, to prevent the data being identifiable in isolation. Though theoretically such information could be used to match against a clinical trial dataset and identify individuals, this would be very difficult in practice and could only occur if there was a major breach of security. Sharing of pseudonymous data is recommended and should be the normal expectation. Clinical trial data is pseudonymous when collected, or can be easily turned into pseudonymous data within the research unit, by processing of the data set and splitting off the identifying data points. It would be rare for trial data to become fully anonymised, or at least not until many years have elapsed after data collection. There are legal obligations on sponsors to maintain the pseudonymised dataset, as collected, for many years, the exact time depending on national regulations. In addition, the original investigators, or their institution, may want to use the pseudonymising key in case they wish to return to the same participants to carry out further investigations (assuming they have the ethical approval and / or explicit consent to do so). The advantage of sharing pseudonymised data is that, if the secondary user discovers good reasons for clarifying, expanding or matching some of the data, or even for further investigations with some of the source population, they can contact the holders of the pseudonymous data and discuss if and how this might be achieved, because the individual participants are still (indirectly) identifiable. This does not mean that identifiable or identifying information would be transferred to a secondary user, unless there was explicit consent from the participant for this to happen (though this seems unlikely to be given). It only means that if a case can be made for identifying the individuals in the data set it is at least possible to discuss the possibilities of doing this, including possibly returning to the individuals concerned to request additional consent.

Pseudonymisation. Pseudonymisation is replacement of identifying data with made up values. Pseudonyms can be irreversible, where the original values are properly dis- posed and the pseudonymisation was done in a non-repeatable fashion, or re- versible (by the owner of the original data), where the original values are securely kept but can be retrieved and linked back to the pseudonym, should the need arises. • How to use it: replace the respective attribute values with made up values. One way to do this is to pre-generate a list of made up values, and randomly select from this list to replace each of the original values. The made up values should be unique, and should have no relationship to the original values (such that one can derive the original values from the pseudonyms). For reversible pseudonyms, the identity database cannot be shared with the recipient; it should be securely kept and can only be used by the organisation to resolve any specific queries (however, the number of such queries must be controlled, otherwise they can be used to “decode” the entire pseudonymisa- tion). • ICSM performed reversible pseudonymisation. It is used when data values need to be uniquely distinguished and where no character or any other implied information of the original attribute shall be kept.

Pseudonymisation. Aliaxis Deutschland GmbH observes the principle of data minimisation. If there is no specific purpose for processing a personal data record, the data record is pseudonymised.

Pseudonymisation. As far as possible, the data will be processed in such a way that it can no longer be assigned to a natural person without the use of additional information. The collection of IP addresses is avoided in system administration and any recorded IP addresses are made anonymous via shortening. Possibility of anonymisation / pseudonymisation by the client

Pseudonymisation. If the Personal Data is used for evaluation purposes which can also be fulfilled with pseudonymised data, then pseudonymisation techniques will be used. For each data field, it will be pre-defined whether pseudonymisation needs to be used or not, in order to avoid it being traced back to a particular person. The pseudonymisation key will be stored in a data safe, in order to restrict access as far as possible.

Pseudonymisation. Assessments must be pseudonymised if the personal reference to the result is not absolutely neces- sary.

Pseudonymisation a. The Processor is obliged to process personal data primarily pseudonymized, provided that the provision of services remains possible and is not impaired. This effort must be proportionate to the level of protection that is to be achieved. b. Pseudonyms must be created in such a way that personal data is replaced by unique artificial indexes, scrambles or random character strings. c. The information to dissolve the pseudonyms shall be encrypted and access shall only be granted to authorised persons of the Processor.