Who is the data controller for research under GDPR?

It is the sponsor who determines what data is collected for the research study through the protocol, case report form and/or structured data fields in a database. The sponsor therefore acts as the controller in relation to the research data.

In many cases, participants will be patients/service users and the same information may also be provided to the care organisation. The care organisation therefore acts as the controller in relation to the data provided for care purposes. This means that there may be two controllers for the same information – but for two different purposes.

This distinction between the purpose for which data is collected is important in determining whether the sponsor is collecting personal data directly from the data subjects (ie participants) or indirectly. If the purpose of the collection at the time it was obtained was only to support the delivery of care and the individual was not participating in the study, then the controller is the care organisation. If that personal data is then transferred to a separate research sponsor, the sponsor has obtained the data indirectly, and becomes the controller for the processing of that data for research purposes.

It is important that you understand for your study whether personal data is collected indirectly from a third party or directly; when information is personal data; and who the controller is, as these determine the actions you will need to take.

In all scenarios you should consider:

  1. what stages of the research involve processing personal data of a living individual,
  2. who is the controller for each processing activity, ie whether the purpose of the activity is research and/or clinical care, and
  3. whether the controller is obtaining directly from the data subjects or indirectly from a different controller.

You need to understand these three key aspects of your study in order to determine which organisations have controller responsibilities, and what information should be provided about the data processing activities.