HRCDC Logo Title

Application Guidance

Colleagues collaborating The HRCDC or Secretariat cannot provide researchers or organisations with data protection guidance or legal advice, including guidance or advice on specific health research studies.

The following is general information and guidance to Applicants/data controllers on the consent declaration process, in particular, guidance when completing the HRCDC application form and information on some common pitfalls to watch out for.

An incomplete or unclear application and/or missing supporting documents may result in the application being deemed invalid or may delay the processing of the application.

Applicants/data controllers are advised to consult with their data protection officer (DPO) throughout the consent declaration application process.

Full Completion

Please ensure that all questions and sections in the HRCDC application form are fully considered and are completed, where applicable. In addition, all the required supporting documentation (i.e., confirmation of research ethics approval, data protection impact assessment, DPO feedback, study information leaflets and assent/consent forms etc.) must also be submitted.

Consistent information

The information provided to the HRCDC in the application form and the accompanying documents must be clear and consistent throughout; it should not be the case that supporting documents outline study or data processing activities (e.g., inclusion of other data processors, use of other datasets) that are then omitted or do not align with the responses in the HRCDC application form.

Accurate information

It is important that the activities outlined to the HRCDC provides an accurate picture of the study and data processing involved, for example the responses should not omit information on the parties involved in the study or omit details on the type of data to be used and the processing activities to be undertaken. The HRCDC makes its decision based on the information submitted to it; if material information is not provided to the HRCDC at the time of its decision then such activities that are not described would not be covered by a consent declaration that is made.

Data Controllers

It is important to ensure that applications to the HRCDC are clear on who is the controller (or joint data controllers) of the research study.

When identifying who is the data controller of the study, each study is different, and it is a matter for the parties involved in the study to identify the data controller(s). The definition of a data controller/joint data controller as outlined in Article 4 and Article 26 of the GDPR should be used when determining who are the data controllers of the study.

Data Processors

A data processor in a research study is different to the data controller; data processors are processing personal/pseudonymised data on behalf of/on the instruction of the data controller(s) for the purpose of this study.

The HRCDC needs to be aware of all the known data processors who will process personal data as part of the research study; a consent declaration cannot cover the transfer/processing of personal data to unknown data processors. All data processors must therefore be referenced in the HRCDC application, including processors in Ireland or outside of Ireland. Data processors who are not noted in the replies to the HRCDC will not be covered by the consent declaration.

If new data processors are added to the study after the consent declaration is made, then an amendment request form will likely have to be submitted for consideration. More information on seeking an amendment can be found by reviewing FAQ #21 on the FAQ page of this website or by reading the Amendment request guidance material on the Application form page. 

Consent/proxy assent process

A research study seeking a consent declaration, may also be implementing a process to obtain proxy assent on behalf of a study participant who lacks decision-making capacity; such proxy assent may be sought from a person who understands the participant’s will and preferences, for example a relative. While such proxy assent from a relative is not valid consent for data processing, it may provide an important additional safeguard. The study may also be implementing a process of deferred participant consent i.e., it may be possible to obtain the participant’s consent at a later point in the study.

Where a process for seeking proxy assent and/or deferred participant consent will be implemented, it is important that such processes are clearly detailed in your application.

For more informaiton on participants who lack decision-making capacity and proxy assent, please see FAQ #9, FAQ #10 and FAQ #24 on the Frequently Asked Questions page of this website. 

Transparency & Public and patient involvement (PPI)

Transparency (i.e., informing participants and the public about the study, the use of personal data and their right to withdraw) remains a core data protection principle even if a consent declaration is made. Accordingly, Applicants/data controllers seeking a consent declaration, need to outline what measures will be implemented to inform participants and the public about the study, the use of personal data and their data rights.

Separate to transparency, PPI is another important data protection safeguard that is considered by the HRCDC as part of its deliberation. Please refer to the separate PPI page on this website for more information on this important matter.

Public interest

The Health Research Regulations do not define what is meant by ‘public interest’, nor does it set out a specific public interest test. When deciding if a consent declaration should be made, the HRCDC reviews each submitted application on a case-by-case basis, balancing public interest with the fundamental rights and freedoms of individuals. The following points, among others, are considered by the HRCDC when determining if a consent declaration should be made.

  • What area/areas is the research study focusing on? Is the study looking at a topic that may be viewed as more sensitive?
  • What questions is the research study is seeking to address and what is the potential impact of the study?
  • Who are the participants whose personal data will be processed? Do they include groups who are traditionally excluded from research, do they include groups considered to be more ‘vulnerable’?
  • How many participants will be included in the study?
  • What is the extent and type of personal data to be processed.
  • Why has consent not been sought and why is it not considered possible to seek and/or attempt to obtain particiapnt consent?
  • Has the researcher engaged with patient groups in terms of pre-research consultation, ongoing partnership and/or patient involvement with the research governance?
  • In the absence of explicit consent, what safeguards are proposed or will be implemented
Skip to content