
PII and Data Privacy in Human Trials
More Than a Legal Obligation
Protecting personally identifiable information (PII) in human trials is not just about regulatory compliance. It is about trust. When someone agrees to take part in a study, they are not just sharing data; they are giving up a piece of their privacy. In decentralised or digital trials, where more data is collected remotely and across systems, the responsibility to protect that data becomes even more important.
Privacy protocols should be designed to reflect how study teams actually work, not just to meet formal requirements. That means focusing on prevention, not just documentation.
What Counts as Identifiable?
PII includes more than names, addresses, or phone numbers. Even indirect data points can identify someone when combined, especially in small or specific populations.
Examples include:
- Study site plus postcode and age
- Diagnosis with birth year and treatment date
- Comments mentioning workplaces, schools, or other details
These indirect identifiers often appear in places people forget to check, like free-text fields or investigator notes.
Where the Risks Tend to Hide
Privacy risks are not always in the obvious places. They are often found in workflows, habits, and overlooked corners of study platforms.
Examples:
- Notes that mention family members, jobs, or specific routines
- Uploaded PDFs that were never anonymised
- Spreadsheets shared for analysis that still include full dates or locations
- Emails between study staff that mix IDs with sensitive details
Most of these situations are not caused by negligence, but by time pressure or familiarity. People stop double-checking, and small risks accumulate.
Building Better Habits
To manage PII effectively:
- Collect only what is needed - avoid full addresses or detailed timestamps if not required
- Use consistent pseudonyms - avoid regenerating IDs across systems
- Limit access - ensure only those who need full data can view it
- Review free-text fields - check for names, locations, or personal references before export
- Refresh training - even experienced teams benefit from reminders on what counts as PII
Good data hygiene comes from structure, not just intention. Teams need time and tools to manage data properly.
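As an added illustration (not part of the original article or any study platform's own code), the sketch below applies several of the habits above in a single pre-export step: a keyed pseudonym that stays the same across systems, coarsened dates and postcode, and a free-text check that withholds notes for manual review. The field names, the key, and the flag patterns are hypothetical assumptions.

```python
import hashlib
import hmac
import re

# Assumption: one secret key per study, kept in a secrets manager and shared by
# every system that must derive the same pseudonym. Constructed demo value.
STUDY_KEY = b"constructed-demo-key-not-for-real-use"

# Hypothetical patterns for free text that needs a human look before export.
FLAG_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?<!\d)\+?(?:\d[\s-]?){9,14}\d(?!\d)"),
    "full_date": re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "relation_or_place": re.compile(
        r"\b(husband|wife|son|daughter|mother|father|works? at|school|employer)\b", re.I),
}

def pseudonym(participant_id: str, key: bytes = STUDY_KEY) -> str:
    """Keyed and deterministic: the same ID and key give the same pseudonym everywhere."""
    norm = participant_id.strip().upper().encode()
    return "P-" + hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]

def flag_free_text(text: str) -> list[str]:
    """Return the names of the patterns found in a free-text field."""
    return sorted(name for name, rx in FLAG_PATTERNS.items() if rx.search(text))

def prepare_for_export(record: dict) -> dict:
    """Minimise one record: pseudonymise, coarsen quasi-identifiers, gate the notes."""
    flags = flag_free_text(record.get("notes", ""))
    return {
        "pid": pseudonym(record["participant_id"]),
        "birth_year": record["date_of_birth"][:4],        # ISO date -> year only
        "treatment_month": record["treatment_date"][:7],  # ISO date -> YYYY-MM
        "postcode_area": record["postcode"].split()[0],   # outward part only
        "diagnosis": record["diagnosis"],
        # Flagged notes are withheld rather than auto-redacted: a person decides.
        "notes": "[WITHHELD: review needed]" if flags else record.get("notes", ""),
        "review_flags": flags,
    }

# Constructed sample record, not real participant data.
SAMPLE = {
    "participant_id": "site04-0117", "date_of_birth": "1961-03-22",
    "treatment_date": "2024-02-09", "postcode": "LS6 2AB", "diagnosis": "T2DM",
    "notes": "Daughter drives her in; works at the primary school. Call 07700 900123.",
}

if __name__ == "__main__":
    print(prepare_for_export(SAMPLE))
```

Pattern matching only catches the obvious cases, so unflagged notes still need a sampled manual check, and coarsened fields can remain identifying in combination for small populations.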
Participant Trust Is Not Assumed
Participants are more aware of privacy than ever. Many read consent forms closely, and some will ask detailed questions about data use, storage, and deletion.
That means study teams need to be ready with clear, honest answers. It also means that privacy processes should be visible. If a participant asks how their data is handled, there should be a straightforward explanation, not a deflection to an internal policy.
Transparency is not only ethical; it also improves enrolment. People are more willing to participate when they feel respected.
Learning from Mistakes
Breaches happen. A document goes to the wrong inbox. A file is uploaded unredacted. A comment box includes too much detail.
When that happens, the response should be both procedural and reflective. Log the incident, yes, but also ask what allowed it. Was the system confusing? Was there no time for review? Are there technical tools that could reduce manual steps?
Each issue is a chance to improve the process, not just patch it. And in decentralised trials, where many hands touch the data across locations, those improvements need to be built into the system itself.