Research data, coding and privacy
Section 12 of the Medical Research Involving Human Subjects Act (WMO) states that the person responsible for carrying out the study must ensure that the privacy of the participating subject is protected to the highest possible degree. Part of this is ensuring that registration of research data must in principal take place anonymously, in such a way that no personal information is stated during the gathering of data.
If it is necessary to trace back research data to a person, then a unique fictive code must be used. This code must prevent the data being traced back to the person involved. Initials and/or date of birth as part of or in addition to the code are detrimental to the aim of the code, so much so that the CCMO has deemed this to be principally non-acceptable. The encryption key must be secure. The protocol must state who has access to the key.
Processing personal information
Data which can be traced back to a person can only be used in order to determine the age of a participant if this is necessary for the specific research or if using this data is necessary for controlling the accuracy of the data. This may be part of the date of birth together with the unique code number on research forms. It concerns situations whereby a different coding is not sufficient and the importance of controlling the data on the basis of the date of birth is so great, that this cannot be sufficiently solved in another manner.
Using the full date of birth is not necessary. Using a part of the date, such as the year of birth, is then sufficient. And even then this is only allowed for the sake of gathering data and not for use in all documentation – otherwise personal information would always form part of the coding.
If the use of initials may lead to the direct identification of a research subject, they should not be used. However, there might be cases in which the omission of initials may increase the risk of failures in the data collection. In that case the use of initials is acceptable, provided this is mentioned explicitly in the informed consent.
The General Data Protection Regulation (GDPR) applies to the handling of personal details.