I think we may be looking at this from the wrong perspective.

Look at the MHRA GCP Guide (2012) and other replies on this forum.
For instance you asked a similar question on 7th May 2022 about ePRO system - not GCP/ MHRA compliant? See reply to that.

We have to think about the flow of data; who has “control” of that data; what explicit consent has been given for that data (& whether that data includes Personally Identifiable Information (PII) or not) ; GDPR; etc

Your question about the protocol does not really touch the issue.

If you read the MHRA GCP Guide you will see that the MHRA (Unlike some EU inspectorates) does allow personally identifiable information (PII) to be held by others than the investigators, provided that there is explicit consent of the subjects; that the IRB/IEC has explicitly approved of this process; and that Data Protection legislation & guidelines are complied with.

If you look on the EMA IWG GCP webpages you will see that they are much more conservative about allowing PII data to be held by the sponsor or the sponsor’s agent (CRO or vendor).

In fact a whole book could be written about this topic, but I lack the time.

Best to be on the conservative side in my opinion.
Your job is to comply with GCP and DP requirements. So generally it is the investigator who should have “control” and oversight of the subjects PII (Obviously with the full consent of the subject). Generally the Sponsor and the sponsors agents (Vendors etc) may provide the finance and logistics for these systems, and receive anonymised or psydoanomised data from those systems, but they never have their hands on the PII.