
The Health Research Regulations 2018 are formally called the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018. The Health Research Regulations 2018 govern the use of personal data for health research purposes. These important new regulations outline mandatory, suitable, specific measures that ensure that health research in Ireland is conducted using best practice principles of information governance in line with GDPR requirements. The regulations also, for the first time, introduce a legal mechanism that allows the processing of personal data for health research purposes in exceptional circumstances without the explicit consent of the individual concerned. Please note that as part of your Ethics Committee application, you will likely be required to complete a Data Protection Impact Assessment.

The following resources will be of use to University of Galway Health Researchers. 

This checklist can be used to ensure your patient consent form is GDPR compliant:

Consent Checklist for Health Research

This checklist can be used to ensure your Patient Information leaflet has all the necessary detail to be GDPR compliant, and also contains the Department of Health Information Principles (with some modifications):

GDPR Information to be included in a Patient Information Leaflet 

You must carry out a written assessment of the data protection implications of the health research. Where the assessment conducted indicates a high risk to the rights and freedoms of individuals, you must complete a data protection impact assessment using the template available here:

Data Protection Impact Assessments - University of Galway

HRDPN Data Protection Guide Document for Health Researchers is a practical guide on Data Protection for all involved in health research.

The GDPR does not define health research; it falls under scientific research there. For the purposes of the Health Research Regulations 2018, health research is defined in Regulation 3(2) as follows:

“Health research” means any of the following scientific research for the purpose of human health:

(i) research with the goal of understanding normal and abnormal functioning, at molecular, cellular, organ system and whole body levels;

(ii) research that is specifically concerned with innovative strategies, devices, products or services for the diagnosis, treatment or prevention of human disease or injury;

(iii) research with the goal of improving the diagnosis and treatment (including the rehabilitation and palliation) of human disease and injury and of improving the health and quality of life of individuals;

(iv) research with the goal of improving the efficiency and effectiveness of health professionals and the health care system;

(v) research with the goal of improving the health of the population as a whole or any part of the population through a better understanding of the ways in which social, cultural, environmental, occupational and economic factors determine health status;

Health research referred to in clause (i) to (v) of subparagraph (a) above may include action taken to establish whether an individual may be suitable for inclusion in the research.

http://www.irishstatutebook.ie/eli/2018/si/314/made/en/pdf

Consent - A project proposing to process personal data for health research purposes requires the explicit consent of any individual (data subject) whose data it proposes to process. For such consent to be valid and lawful, it must be (a) informed and (b) appropriately recorded (thereby making it explicit).

Consent is defined in Article 4 of the General Data Protection Regulation (GDPR) as follows:

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Informed consent means just that: namely that the individual concerned has enough information provided to him or her to allow them to make an informed decision. It is also important that they are allowed sufficient time to digest and assess that information before being expected to make a decision. Most importantly, they must be assured: (a) that consent is freely given and voluntary (and even if initially given can be subsequently withdrawn), (b) that only the minimum amount of personal data necessary for the study is being sought, and (c) that a decision not to consent will not impact on any care or treatment they receive.

Please carefully review the following HRB Guidance Note regarding consent for Health Research Projects: https://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research/consent/ . In particular, if you have an existing research project, please satisfy yourself that the "consent" obtained meets the required standard (see further details below).

What are “Suitable and Specific Measures”? 

Regulation 3(1)(a)-(e) of the Health Research Regulations 2018 specifies the mandatory "suitable and specific measures" that must be taken when the processing of personal data (including health data) is undertaken for the purposes of health research specifically.

(1) A controller who is processing or further processing personal data for the purposes of health research shall ensure that the following suitable and specific measures are taken to safeguard the fundamental rights and freedoms of the data subject:

(a) arrangements are in place so that personal data shall be processed as is necessary to achieve the objective of the health research and shall not be processed in such a way that damage or distress is, or is likely to be, caused to the data subject;

(b) appropriate governance structures for the carrying out of the health research are in place, including—

(i) ethical approval of the health research by a research ethics committee,

(ii) specification of the controller involved,

(iii) in the case of joint controllers within the meaning of Article 26, compliance with Article 26,

(iv) specification of any data processors involved,

(v) specification of any person who provides funding for, or otherwise supports, the project,

(vi) specification of any person (other than a person in clause (iii) or (iv)) with whom it is intended to share any of the personal data collected (including where it has been pseudonymised or anonymised) and the purpose of such sharing,

(vii) provision of training in data protection law and practice to those individuals involved in carrying out the health research;

(c) the following processes and procedures relating to the management and conduct of the health research are in place:

(i) the carrying out of an assessment of the data protection implications of the health research;

(ii) where the assessment carried out under clause (i) indicates a high risk to the rights and freedoms of individuals, the carrying out of a data protection impact assessment;

(iii) measures that demonstrate compliance with the data minimisation principle;

(iv) controls to limit access to the personal data undergoing processing in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data;

(v) controls to log whether and by whom personal data have been consulted, altered, disclosed or erased;

(vi) measures to protect the security of the personal data concerned;

(vii) arrangements to anonymise, archive or destroy personal data once the health research has been completed;

(viii) other technical and organisational measures designed to ensure that processing is carried out in accordance with the Data Protection Regulation, together with processes for testing and evaluating the effectiveness of such measures;

(d) arrangements to ensure that personal data are processed in a transparent manner are identified and in place;

(e) explicit consent has been obtained from the data subject, prior to the commencement of the health research, for the processing of his or her personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof.

For further guidance, please see the Health Research Board GDPR Guide for Researchers, which provides an invaluable video briefing, further explanation of terms and a Frequently Asked Questions section: https://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research

Consent Declaration

Health Research Regulations 2018, Regulations 5(2) and 6(5)

A consent declaration is a declaration made by the Health Research Consent Declaration Committee that the explicit consent of the data subject is not required.

When might a consent declaration apply?

A researcher may apply for a declaration that explicit consent is not required if:

  • the public interest of the research significantly outweighs the public interest in requiring the explicit consent of the individual whose data is being processed (Regulation 5(1))

Please see the Health Research Consent Declaration Committee website for details of how to make an application: HRCDC | Transparency – Confidence – Trust

Please note the following amendments have been made and must also be considered:

HRCDC | NEW: Amendments made to the Health Research Regulations - HRCDC