knowledge | 30 August 2018 |
New Data Protection Regulations for Health Research
New Regulations have been made under the Data Protection Act 2018 that will have a significant impact on the processing of personal data in Ireland for health research purposes.
They impose a number of obligations that apply in addition to generally applicable requirements under the GDPR and the Data Protection Act 2018, including most notably that explicit consent must be obtained from individuals whose personal data is processed for health research purposes (even if this would not be required under the GDPR), except in limited circumstances where a declaration that such consent is not required is made by a committee to be established under these Regulations. All organisations involved in health research in Ireland will need to consider these Regulations and their implications carefully, both for ongoing health research and for intended research in the future.
Scope of the Regulations
The Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 were made by the Minister for Health, following consultation with the Data Protection Commission, on 7 August and came into effect on 8 August,. They apply to the processing of personal data for the purposes of ‘health research’, which is defined as “scientific research for the purpose of human health”. Regulation 3 sets out an exhaustive list of examples of research within the scope of this definition, which indicate that it is to be construed broadly.
Obligations of controllers under the Regulations
Where a controller is processing personal data for health research purposes, it must ensure certain specified “suitable and specific measures are taken to safeguard the fundamental rights and freedoms of the data subjects”. These overlap with, and in some cases go beyond what is explicitly required under the GDPR and Data Protection Act 2018 and include:
- having arrangements in place so that personal data will not be processed in a way that causes, or is likely to cause, damage or distress;
- having appropriate governance structures in place for carrying out the health research, including: ethical committee approval; specifying who is providing funding for or otherwise supporting the research; specifying what third parties will receive any personal data collected; and providing training in data protection law and practice to those involved in the research;
- having specified processes and procedures in place, including: carrying out an initial assessment of the data protection implications of the health research and, where required under the GDPR, a data protection impact assessment; limiting and logging access to the personal data; and having processes to test and evaluate the effectiveness of security measures adopted to ensure compliance with data protection law.
Most notably, the ‘suitable and specific measures’ required to be taken in these circumstances include a requirement that “explicit consent” is obtained from the relevant data subjects; except where an application is made to a committee established by the Minister for Health under these Regulations and that Committee issues a declaration that the public interest in carrying out the research significantly outweighs the public interest in requiring the explicit consent of the data subjects. This requirement for the collection of explicit consent subject to a limited exception is unusual. In the absence of this requirement, which will apply as a matter of Irish law, controllers might otherwise be permitted to process personal data for the purposes of health research in compliance with the GDPR without having collected such explicit consent (if they could rely on alternatives to consent under Articles 6 and 9 of the GDPR).
Peculiarly, for the purpose of these Regulations ‘explicit consent’ is defined to mean consent obtained in accordance with Article 4 of the GDPR. This is anomalous since Article 4 of the GDPR sets out the definition of ‘ordinary’ consent (rather than explicit consent).
Health research yet to be commenced
Any organisation that intends to engage in health research to which these Regulations apply that is considering seeking a declaration that explicit consent is not required will be required to make a detailed written application to the Committee (which has yet to be established), that must include among other things a data protection impact assessment; confirmation that a data protection officer has been appointed in relation to the research; and confirmation that ethical approval from a recognised research ethics committee has been obtained.
Health research already underway
In respect of on-going health research which started before 8 August 2018, the Regulations provide for a transition period for resolving any absence of explicit consent “as soon as practicable and no later than 30 April 2019”. This may be done either by collecting the required consents from the relevant data subjects or by applying to the Committee for a declaration that such consents are not required either: (a) because the public interest in obtaining explicit consent is significantly outweighed by the public interest in carrying out the research; or (b) because the controller obtained consent to the processing of the relevant personal data for health research purposes before 25 May 2018 in compliance with the requirements of Directive 95/46/EC and the Data Protection Acts 1988 and 2003, and such consent was not withdrawn.
This transition period relates to the requirement to have explicit consent (or a declaration from the Committee) only; the Regulations do not provide for any grace period for compliance with their other requirements which came into effect on 8 August.
Any organisation that is subject to the Irish Data Protection Act 2018 and is or intends to be involved in health research should consider whether these Regulations apply and, if they do, review existing measures to ensure that they comply with these new requirements. Any gaps in this regard should be addressed as soon as possible or, in the case of the requirement to obtain explicit consent (or a declaration from the Committee) in respect of research that is already under way, by no later than 30 April 2019. The Health Research Board has published some helpful guidance regarding the application of these Regulations which can be accessed here.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.