Examples of guideline development activities in which data protection principles, including informed consent, apply

In this section, we describe several examples of how data protection can be applied in guideline development processes when involving patient and public members.

Collecting personal data from individuals

When collecting survey responses, interview data or case studies from patients, carers or members of the public, data protection applies if the data can directly or indirectly identify individuals. Informed consent is needed unless another lawful basis applies, such as public task (processing necessary for work carried out in the public interest) or legitimate interest (processing necessary for an organisation’s legitimate activities, provided this does not override the rights and freedoms of individuals). These principles may also apply when recruiting patient and public members for involvement activities.

Public involvement activities

Data protection and informed consent apply when involving people in focus groups, committee meetings, or consultations, specifically when collecting patient views in a way that could lead to identifying the patient. It is important to:

  • Inform participants how their data will be used and handled. If data are identifiable, specifically state when any names are pseudonymised or data redacted.
  • Obtain informed consent to ensure the patient and public members understand how their data will be used.
  • Provide privacy notices in line with data protection requirements.

Stakeholder contributions

When stakeholders (for example, patient organisations) submit evidence or feedback, they must ensure that any personal data included are lawfully shared. For example, the National Institute for Health and Care Excellence (NICE) typically expects anonymised data unless explicit consent has been obtained. Any sensitive information should be redacted before circulating documents to other guideline development group members or making them publicly available.

Committee membership and conflicts of interest

Informed consent is needed when handling committee membership and statements of conflicts of interest. This is particularly important if lists of committee members’ conflicts of interest and guideline membership are published with the final guideline product in the public domain.

At WOREL, for example, the core committee discusses the declared conflicts of interest when necessary. Members also give permission for their names and roles to be published in relation to the guideline. Similarly, at NICE, committee members must usually declare interests, and their names and roles may be published in the public domain. This is typically done under the GDPR lawful basis of ‘public task’, meaning that the processing is necessary either for a task carried out in the public interest or for the exercise of official authority. ‘Official authority’ refers to statutory duties or legal powers given to the organisation, for example, NICE’s mandate to ensure transparency in guideline development. This lawful basis is distinct from ‘legitimate interests’, which applies mainly to non‑public bodies. Patient and public members are still informed and provide consent to publication as part of their role.

Ethics committee approval

For PPI in developing guidelines, an ethics committee might need to approve the process in certain circumstances, depending on your organisation’s local information governance procedures. For example, in England, NICE does not have to get ethics approval to involve patients and the public in guideline committees or in surveys collecting the views of patients for a consultation. But, if NICE identifies an important gap in research evidence that prevents a specific recommendation from being developed, it will commission research through a university. Official ethics approval from that university will be needed before the research is carried out.

If you are unsure about whether you need ethical approval for your involvement methods, it would help to get advice from your organisation’s information or data controller. This depends on national regulations, institutional policies, and the nature of the involvement. These requirements must be checked and adapted to the specific context in which the guideline development takes place.

Data Protection Impact Assessments

In some countries and organisations, when a project involves processing sensitive personal data or when the planned data use may pose a high risk to the rights and freedoms of individuals, it will need a Data Protection Impact Assessment (DPIA). A DPIA is a structured process that helps organisations identify, assess, and mitigate potential risks to privacy before data collection begins. Guideline development activities involving patient and public contributors, particularly when health information, lived‑experience accounts, or recordings of meetings are gathered, may meet the threshold for a DPIA depending on local laws and organisational policies. See the Information Commissioner’s Office website for further guidance on when a DPIA is needed and what it involves.

Carrying out a DPIA, even when it is not legally needed, can support good practice. It should ensure that risks are considered early, appropriate safeguards are put in place, and contributors are informed about how their information will be protected. Guideline developers should therefore consider their national legislation and institutional policies, and check with their information governance teams to determine if a DPIA is needed in their specific context. Further information and an example template for conducting a DPIA are available on the Information Commissioner’s Office website.

Case study: GDPR compliance in the context of PPI in WOREL’s guidelines

How are patients involved in WOREL?

Before we explore how WOREL applies GDPR, we provide a brief overview of how patients are involved in the organisation.

* Patients and experts with lived experience are involved in WOREL’s guideline development through consultation or active participation:
– Consultation refers to involvement in meetings and discussions with the PPI team to provide feedback. Participants may also be supported individually before, during and after these interactions. Their perspectives can be gathered through interviews or written input and then fed back to the development group.
– Active participation includes meetings and discussions with the PPI team as well as participation in meetings with stakeholders and the Guideline Development Group. Patients and experts with lived experience contribute directly to discussions and decision-making in these meetings.
* Patients are involved through consultation and active participation throughout the process of recruitment and selection, preparation and training, ongoing support, and evaluation of participants’ experiences.

Which data is processed?

In 2024, WOREL’s PPI approach was approved by the Ethics Committee for the Social Sciences and Humanities of the University of Antwerp and is applicable in Belgium. This approval applies to adults aged 18 and over. People under 18 are explicitly excluded from the approval.

When developing guidelines in WOREL, we process the following data from participating patients and lived experience experts:
* Identification data: Each participant is given a personal code so that they are pseudonymised for WOREL employees. The codebook that allows access to the identification data is stored separately. Only researchers who need to have contact with participants will be granted access.
* Medical and paramedical data about current and past conditions, symptoms, diagnoses, and treatments may be collected, and, when relevant to the guideline topic, information about coping, functioning, and wellbeing. This data is recorded in a structured manner as far as possible (for example, in some contexts, organisations may use classifications such as ICPC-2). Structuring data in this way can support grouping, minimisation, and aggregation, limiting patient-level recognition to what is strictly necessary.
* Scope of care data is provided by professional groups involved in a patient’s treatment.
* Administrative data is collected for financial processing.
* Social data is given by informal caregivers involved in a patient’s treatment.

What is this data used for?
* Personal and health data (such as name, contact information, and relevant health information) is only used for recruitment, selection, and remuneration of the PPI contributors involved in our organisation’s guideline development.
* All other data (including medical, paramedical, administrative, and social data) is processed in pseudonymised format for the purposes of guideline development.

What measures is WOREL taking to protect and preserve data?

Protection
* All those involved in WOREL (including experts) are aware of the GDPR and its implications.
* Personal data (name, contact information, condition) will only be used for recruitment, selection and reimbursement of patients and lived-experience experts, who will actively participate in guideline development.
* The director of WOREL can show that participants have given informed consent for the data to be used (see WOREL’s Informed Consent Form in Resource 1).
* The guideline developers have signed a confidentiality agreement and are bound by professional secrecy.
* All data is adequately protected and is only passed on to recipients entitled to see it (that is, the coordinators of WOREL’s PPI team).
* The data stored on the servers and computers is secured so that unauthorised persons cannot access it. WOREL uses two-factor authentication for this purpose. Screens are not left open but are locked when people leave the workstation. The data is stored within Microsoft Teams’ secure environment.

Retention and storage
* WOREL identifies and records which data is being kept, where it comes from, and with whom it is shared. This fulfils WOREL’s obligation to maintain a data processing register and supports the GDPR principle of accountability.
* According to Article 5(1)(e) of the GDPR (Regulation (EU) 2016/679), personal data may not be kept in a form that permits identification of data subjects (whether encrypted or not) for longer than is necessary for the purposes for which they are obtained or further processed.
* The maximum retention period for the information is 20 years. Proof of work delivered and financial records are kept for 7 years.

The GDPR requires some companies and organisations to designate a data protection officer (DPO). These include public authorities, and processors whose core function is the large-scale, regular and systematic observation of data subjects or the large-scale processing of sensitive data. WOREL’s guideline development activities do not fall into this category because we process data on a very small scale and the risk of harm to participants is virtually non-existent. In other words, WOREL processes special categories of data on a small scale, with a very low risk to participants.