Data Retention Policy

Purpose of this Policy

The HRCDC are firmly committed to complying with our data protection obligations. In this context, and to achieve consistency and excellence of service, we believe that it is important to have a policy setting out how we manage document retention.
The General Data Protection Regulation (the “GDPR”) imposes obligations on us, as a Data Controller, to process personal data in a fair manner which notifies data subjects of the purposes of data processing and to retain the data for no longer than is necessary to achieve those purposes.

Under these rules, individuals have a right to be informed about how their personal data is processed. The GDPR sets out the information that we should supply to individuals and when individuals should be informed of this information. We are obliged to provide individuals with information on our retention periods or criteria used to determine the retention periods.

This notice sets out the basis on which any Personal Data we collect from you, or that you provide to us, will be retained by Us, where ‘Us, We, Our’ means the Secretariat and HRCDC either separately or together. Any reference to ‘Data Controller’, ‘Data Processor’, ‘Personal Data’ and ‘Data Subject’ shall have the meaning ascribed to in the General Data Protection Regulations (the ‘GDPR’).

The time periods for which we retain your information depends on the type of information and the purposes for which We use it. We will keep your information for no longer than is required or permitted.

Who we are

The Health Research Consent Declaration Committee (“HRCDC”) was established as part of the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. No. 314 of 2018 and S.I. No 188 of 2019), made under the Data Protection Act 2018. (For the purpose of this document, the Health Research Regulations, 2018 shall be referred to as ‘Regulations’).

The purpose of the Regulations is to support health research and promote necessary and desirable public confidence and trust in such research.

The Regulations make explicit consent the default position for processing personal data for health research. Specifically, a health researcher/data controller intending to use an individual’s personal information for health research must obtain the explicit consent of the individual to do so.

In limited situations, obtaining explicit consent may not be possible nor practical and the public interest in carrying out the research would significantly outweigh the need for explicit consent being obtained. The Regulations provide for a statutory consent declaration application process that enables a health researcher/data controller or ‘Applicant’ to apply for a consent declaration where explicit consent cannot be sought and the public’s interest outweighs the need for explicit consent (the “Application”).

Grounds for processing

Under the GDPR, the HRCDC are required to provide data subjects with the legal grounds or lawful basis that they are relying on for processing personal data.

The legal grounds for processing personal data are as follows:

  • Consent;
  • Performance of a contract;
  • Legal obligation;
  • Vital interest;
  • Public interest;

Explicit consent or an alternative limited lawful basis is required where special categories, also known as sensitive personal data, are being processed.

Further processing

Further retention of the personal data should be lawful only when it is compatible with the purposes for which it was originally collected. In this case no separate legal basis is required – it should be relied on where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims, the benefit of the owner of the personal data for post contractual obligations or requirements.

Right of erasure

Individuals have the right to have their personal data erased and no longer processed in the following circumstances:

  • where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed,
  • where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or
  • where the processing of his or her personal data does not otherwise comply with the GDPR.

That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing and later wants to remove such personal data, especially on the internet. The data subject shall be able to exercise that right notwithstanding the fact that he or she is no longer a child.

Document Retention Procedure

As an organisation or company, we are required to retain certain records, usually for a specific amount of time

We must retain certain records because they contain information that:

  • Serves as HRCDC’s organisational records.
  • Must be kept in order to satisfy legal, accounting or other regulatory requirements.

We must balance these requirements with our statutory obligation to only keep records for the period required and to comply with data minimisation principles. The retention schedule in the appendix sets out the relevant periods for the retention of HRCDC’s documents.

Types of Documents

This policy explains the differences among records, disposable information, personal data and confidential information belonging to others.

Records

A record is any type of information created, received or transmitted in the transaction of HRCDC’s business, regardless of physical format.
Therefore, any paper records and electronic files, that are part of any of the categories listed in the Records Retention Schedule contained in the Appendix to this policy, must be retained for the amount of time indicated in the Records Retention Schedule.
A record must not be retained beyond the period indicated in the Record Retention Schedule, unless a valid business reason (or a litigation hold or other special situation) calls for its continued retention.
Our Data Protection Officer is: The Director of Corporate Operations.

Disposable Information

Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a record as defined by this policy. Examples may include:

  • Duplicates of originals that have not been annotated.
  • Preliminary drafts of letters, memoranda, reports, worksheets, procedures and other similar relevant documents and informal notes.
  • Books, periodicals, manuals, training binders and other printed materials obtained from sources outside of HRCDC and retained primarily for reference purposes.
  • Spam and junk mail.

Personal Data

Personal Data is defined as any data which can identify an individual either on its own or when combined with other data which we possess. Some examples of personal data include names and addresses, email addresses. We have specific obligations relating to personal data.

Confidential Information Belonging to Others

Any confidential information that an employee may have obtained from a source outside of HRCDC, such as a previous employer, must not, so long as such information remains confidential, be disclosed to or used by HRCDC. Unsolicited confidential information submitted to HRCDC should be refused, returned to the sender where possible and deleted, if received via the internet.

The role of the Data Protection Officer in Records Management

The HRCDC’s designated data steward, in conjunction with our Data Protection Officer, the ICT department and senior management, are responsible for identifying the documents that HRCDC must or should retain, and determining the proper period of retention. The responsibilities include:

  1. Arranging for the proper storage and retrieval of records, coordinating with outside vendors where appropriate.
  2. Handling the destruction of records whose retention period has expired.
  3. Planning, developing and prescribing document disposal policies, systems, standards and procedures.
  4. Monitoring departmental compliance so that employees know how to follow the document management procedures and the Legal Department has confidence that HRCDC’s records are controlled.
  5. Ensuring that senior management is aware of their departments’ document management responsibilities.
  6. Developing and implementing measures to ensure HRCDC information is stored appropriately, that only authorised users have access to the information, and that HRCDC keeps only the information it needs.
  7. Identifying essential records and establishing a disaster plan to ensure maximum availability of HRCDC’s records in order to re-establish operations quickly and with minimal interruption and expense.
  8. Periodically reviewing the records retention schedules and legislation to determine if HRCDC’s document management program and its Records Retention Schedule is in compliance with legislation.
  9. In conjunction with the Legal Department, informing the various department heads of any laws and administrative rules relating to corporate records.
  10. In conjunction with the HR Department explaining to employees their duties relating to the document management program.
  11. Ensuring that the maintenance, preservation, computer disk storage, destruction or other disposition of HRCDC’s records is carried out in accordance with this policy, the procedures of the document management program and our legal requirements.
  12. Planning the timetable for the annual records destruction exercise and the annual records audit
  13. Evaluating the overall effectiveness of the document management program.

Storage

HRCDC’s records must be stored in a safe, secure and accessible manner. Any documents and financial files that are essential to our organisation’s operations are managed by the HRB, according to the HRB policies in this area.

Destruction

HRCDC secretariat are responsible, in conjunction with HRB facilities and/or ICT for the continuing process of identifying the records that have met their required retention period and supervising their destruction. The destruction of personal data, confidential, financial and personnel-related paper records must be conducted by shredding. The destruction of electronic records must be coordinated with the ICT Department.
The destruction of records must stop immediately upon notification from the Legal Department that a litigation hold is to begin because HRCDC may be involved in a litigation or an official investigation. Destruction may begin again once the Legal Department lifts the relevant litigation hold.

Questions about the policy

Any questions about this policy should be referred to secretariat@hrcdc.ie.

Retention Schedule

We must balance these requirements with Our statutory obligation to only keep records for the period required and to comply with data minimisation principles. The retention schedule below sets out the relevant periods for the retention of various HRCDC documents:

Categories of Personal Data/Documents Internal Retention Period Justification for Timeframe
Unsuccessful applications 5 years after the decision of the HRCDC or Appeal Panel, whichever is appropriate. For HRCDC record of decision made
Successful applications

(Including subsequent Annual Reviews)

5 years after the declaration is no longer required or the termination of a declaration For HRCDC record of decision made and ongoing compliance reporting purposes
Withdrawn Applications (applications that have been deemed withdrawn and are not considered by the HRCDC) 5 years after the application is deemed withdrawn For HRCDC record
HRCDC Logs (e.g., public logs) Indefinite For HRCDC record
HRCDC Meeting documents (e.g., meeting minutes) Indefinite For HRCDC record  & Statutory obligations of the Regulations
HRCDC appointed members details (non-financial e.g., CVs, contact details, letters of appointments etc.) 3 years after the end of their term of appointment For follow up queries by the Secretariat
HRCDC appointed members financial details 7 years after expiration of membership Revenue Requirements
HRCDC expense receipts 7 years Revenue Requirements
HRCDC Conflict of Interests 3 years after the end of member’s term of appointment For HRCDC record
Prospective HRCDC members (i.e., non-appointed members) & Expressions of Interest (EOI) 5 years following the year in which EOI was made For HRCDC record and follow up communications by the Secretariat for future HRCDC opportunities
Freedom of Information requests (e.g., name and contact details of requestor) 7 years following the year after the FOI request has been completed For HRCDC record

 

Categories of Personal Data Retention period when made public Justification for Timeframe
HRCDC member Bios & Photos Will be removed immediately once membership has expired No legal basis for retaining in public view
Minutes of HRCDC meeting Permanent

 

Statutory obligations of the Regulations
Decisions of HRCDC meetings Permanent Statutory obligations of the Regulations

Please see the HRCDC Standard Operating Procedures for more information on the application submission process.