From the Quality Standards & Controls Workship in Sheffield October 2017:
Legislation protecting personally identifiable information is being developed in many jurisdictions worldwide, including for example, the recently amended Act on the Protection of Personal Information in Japan, or the newly signed Regulation on Data Protection in the EU . Such instruments give strict instruction on how data sourced from patients, or material biopsied from them can be taken and used (including whether or not these can be shared with third parties. If such data is shared with third parties, its use must frequently be monitored and managed. Adherence to statutes recording where data has gone, and who has used it, are potentially burdensome for cell therapy developers, particularly when personal information is being export from other countries into EU. An individual must frequently be nominated for managing compliance and such requirements do not reflect the usual access rules with which cell therapy developers. For example, with the EU Regulation, individual donor consent does not overrule the specified information compliance requirements and pseudonymized or “coded link” data is not considered anonymized in the EU apparently.
This highlights that checks of the legislation as well as the strength of the donor consent are required..
Pseudonymized = coded link – not considered anonymized in the EU Data Protection Directive apparently.