Frequently Asked Questions

Under the Health Research Regulations (HRR), explicit consent from the study participant is a required safeguard to process their personal data for health research purposes. Where such explicit consent cannot be obtained, the HRR provides for a statutory mechanism where researchers can apply for a consent declaration, allowing the research to proceed in the absence of explicit consent.
A consent declaration is made by the Health Research Consent Declaration Committee (HRCDC) – where it is satisfied that the public’s interest in carrying out the health research significantly outweighs the requirement for the explicit consent of the data subject.
A consent declaration is made to the Data Controller(s) of the study – to process personal data for specified health research without the explicit consent of the participant i.e., the data subject.
The processing of personal data (See GDPR Article 4(2)) may include, but is not limited to; collecting, using, adapting, retrieving, storing, analysing, transferring/sharing, disseminating, anonymisation, recording etc.
A consent declaration maybe for a defined part of a project, not necessarily the entire project.
A consent declaration cannot be made where consent has been withdrawn by a data subject (i.e., a consent declaration cannot override the decision of a data subject to withdraw or not provide their consent).
Each Data Controller must determine whether they require a consent declaration or not.

It is important to note that personal data includes data that is pseudonymised/coded and therefore the processing of such data (collection, analysis, transfer/sharing between parties) falls under the Health Research Regulations Please see FAQ 6 on ‘Anonymised vs Pseudonymised data’.

Health Research is defined in Regulation 3(2) of the Health Research Regulations.

Personal data and data processing are defined in Article 4(1) and Article 4(2) of the GDPR, respectively:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The Health Research Regulations 2018 govern the processing of personal data for health research purposes conducted within the Republic of Ireland i.e., security of data, requirement for a DPIA etc.
Where an Irish data controller wishes to process personal data that has or will be collected from another jurisdiction outside of the Republic of Ireland, the Irish Data Controller that is processing this data should satisfy itself (to the extent reasonably possible) that the data was collected lawfully and fairly in that jurisdiction e.g., satisfied that any consent requirements are met in line with that country’s data protection requirements and international ethical standards in health research and therefore no necessity to obtain any further consent.
An application for a consent declaration cannot be made to process personal data that has been collected from outside of the Republic of Ireland.
Where the personal data from another jurisdiction was obtained lawfully, please note that all further processing of that data within Ireland falls under the scope of GDPR and the Health Research Regulations, and accordingly the other various safeguards and requirements must be met (e.g., data security, DPIA, data minimisation etc.)
A consent declaration may be required for the purpose of collecting and then sharing the personal data from Ireland with other non-Irish parties where consent could not be obtained. The provisions of the Health Research Regulations and GDPR will apply.
Please consult with your DPO for all GDPR queries are they may pertain to the roles and responsibilities of data processors and controllers.

Any data controller of the health research study, national or international, may apply for a consent declaration, if required, to process personal data of participants in Ireland; this includes personal data it already holds or will generate as a data controller, and personal data that it wishes to obtain from another party.
Where the data controller of the research study seeking a consent declaration is not based in Ireland, it is expected that there will be a party in Ireland that will be jointly responsible for implementation of and compliance with the consent declaration, if made.
A consent declaration is made to the data controller or joint data controllers of the research study in question; where the data controller of a study wishes to process personal data held by another party (i.e., another data source), the consent declaration is not made to that other party unless they are a data controller or joint controller of the study.

(i) Only a Data Controller(s), in consultation with their DPO, can determine whether the data is personal/pseudonymised data or if it has been fully anonymised – the HRCDC or Secretariat cannot address this matter for a particular study. It is important remember that pseudonymised/coded data is still considered personal data and accordingly the processing of such data (including access, collection, sharing/disclosure etc.) falls under the remit of the HRRs. This should be considered when determining if the data to be processed is personal data.
The Data Protection Commission (DPC) has comprehensive guidelines on this matter: https://www.dataprotection.ie/en/dpc-guidance/anonymisation-and-pseudonymisation.

(ii) Data that has been anonymised data falls outside the remit of GDPR and the Health Research Regulations 2018. Therefore the HRCDC do not accept applications to process data that has already been anonymised.
However, the process of anonymisation is, in itself, data processing and does fall under the remit of GDPR and may fall under the remit of the Health Research Regulations 2018 depending on its purpose.
If data subject consent was obtained for the personal data that has been collected, then consent is required for the anonymisation of that data. However, the data controller has another basis (other than consent) and, where relevant, meets at least one of the Article 9(2) conditions (other than explicit consent), then consent should not be required for anonymisation of the data.

(iii) No. Pseudonymisation is a data security measure that is strongly encouraged by the GDPR. Remember that pseudonymised is considered personal data and therefore remains subject to requirements of GDPR and, in the case of health research, to the requirements of the Health Research Regulations 2018.

A number of substantive amendments to the Health Research Regulations (HRR) were made in January 2021, following feedback and engagement with the research community.

The HRR amendments provides that explicit consent or a consent declaration may not be required on the following matters:

(i) Pre-screening activities
(ii) Low-risk retrospective chart review studies
(iii) Deferred consent in exceptional and specified circumstances.
(iv) Consent that was obtained during the time of, and in accordance with, the previous EU Data Protection Directive.

Please note that a research study/data controller may utilise these amendments only if it is fully satisfied that it applies to their specific study and only if specific criteria are met, and subject to meeting certain important safeguards that are outlined each of the amendments. It is the responsibility of the relevant parties in the study to determine if the amendments apply to their research study and to meet the safeguards outlined. Researchers are strongly advised to discuss this matter with the relevant Data Protection Officer.

On the low risk retrospective chart reviews or deferred consent in exceptional and specified circumstances: if a data controller wishes to invoke these amendments, then it is recommended that the controller has robust internal protocols in place when deciding if they wish to use these measures and record the rationale for their decision; this would help to ensures accountability and traceability for the decision to invoke the amendment for their study.

For more information of these substantive amendments, when they may apply and the criteria and safeguards to be met, please refer to the amendment legislation page here.

Guidance developed by the Department of Health, in co-operation with the Data Protection Commission, on each of the substantive amendments can be found on the ‘Do I need to apply’ section of this website here.

No.

For a health research study where a consent declaration is made, the declaration will cover data processing for that specific research study/activity only, as per the activities that were described in the application to the HRCDC.

Accordingly, the scope of a consent declaration, if made, will not cover matters such as the processing of personal data (including pseudonymised/coded data) in future unknown activities, such as transfer to or processing by future or unknown parties who were not named in the application, or using the data in other future, unknown research studies.

A data controller wishing to further use personal/pseudonymised data for other research purposes or if personal/pseudonymised data is be processed by another third party, may need to submit a separate consent declaration application form or an amendment request form, which is most appropriate. Please see FAQ 21 for more information on consent declaration amendments.

(i) Participant decision-making capacity is required for their explicit consent for data processing to be deemed valid. Health research studies that wish to process the personal data of adult participants who lack decision-making capacity to provide explicit consent will likely need to apply for a consent declaration to process the personal data of that cohort of participants.
Where a participant may lack decision-making capacity to provide consent, researchers and data controllers should have due consideration to the Assisted Decision-Making (Capacity) Act 2015. Please see FAQ 24.

Note #1: A participant’s lack of decision-making capacity may be permanent or temporary, depending on the scenario. A participant may lack decision-making capacity at the point of study enrolment but may later regain capacity and could be asked to provide explicit consent to continue. In such a scenario, a consent declaration would only be needed from the period of enrolment until the participant regains capacity and provides their own consent.

(ii) With regards personal data processing, obtaining ‘consent’ on behalf of the study participant from another proxy individual (e.g., a relative) is, in most scenarios, not considered valid ‘explicit consent’. In most scenarios a person cannot provide valid consent for data processing on behalf of another individual, including an individual who may lack decision-making capacity. The term ‘proxy assent’ (not ‘consent’) is used when seeking permission from a proxy individual on behalf of the study participant. Please see FAQ 10 for more informaiton.

Note #2: It is acknowledged that a proxy can, in some studies, provide valid consent for the participation of another individual in a research study. In particular, the Clinical Trial Regulations states that where an individual lacks decision-making capacity, a ‘legal representative’ (as defined under S.I. 190/2014) may provide consent on behalf of that individual to participate in the clinical trial. However, it is important to note that the same ‘legal representative’ as defined in the Clinical Trial Regulations cannot provide valid consent for the processing of the participants personal data. Accordingly, the clinical trial would still need to apply for a consent declaration from the HRCDC with regards the processing of the personal data in the trial.

Note #3: an amendment made to the Health Research Regulations provides for the use of deferred consent where a participant may lack decision-making capacity, but only in exceptional circumstances where the vital interests of the participants are engaged, and subject to meeting specific criteria and safeguards. Please see FAQ 7 for more information.

Permission from a proxy individual on behalf of an adult study participant who lacks decision-making capacity is not valid consent and a declaration would likely be required.

The term ‘proxy assent‘, not ‘proxy consent’, is used to describe seeking the permission from a proxy to process the personal data of another individual.

Proxy assent from a person who understands the participant’s will and preferences, can be considered an important additional safeguard. As part of the HRCDC application form, applicants are requested to outline any proxy assent process that may be implemented in the study.

Yes.

A Data Controller should take reasonable efforts to contact data subjects for the purpose of consenting or re-consenting. Where there has been no response from the data subject, then the Data Controller can apply to the HRCDC for a consent declaration.

The data controller can also apply to the HRCDC for a consent declaration if consent is considered by them to be impractical. It will be the responsibility of the Applicant/data controller to justify this in their responses.

No.

The processing of personal data of deceased individuals does not fall under the remit of the Health Research Regulations or the HRCDC.

However, when processing the personal data of deceased persons, other matters such as common law duty of confidentiality and ethical considerations will likely continue to apply and will need to be considered by the researcher.

The use of biological samples for health research does not fall under the remit of the Health Research Regulations or the HRCDC – however the processing of personal/pseudonymised data associated with biological samples is covered by the Regulations.

Please consider the following guidance notes when determining whether a consent declaration is required in the context of personal data for a Biobank.

Biobank guidance overview

A consent declaration cannot override the data protection rights of participants, including a participant’s decision to withdraw. Equally, the HRCDC cannot make a declaration to process data, where consent has been withdrawn by the data subject.

In a scenario where consent has been withdrawn or is refused, it is up to the data controller to ensure data protection compliance (e.g., delete the personal data, GDPR derogations etc.)

The following steps should be undertaken prior to submitting an application to the HRCDC:

Determine who is the Data Controller of the study and any data processors involved in the study. Also determine if any other party will receive data and why.
Determine if you are or will be processing personal data i.e., identifiable and/or pseudonymised/coded (Note: the HRCDC do not consider applications to process data that is already fully, irrevocably anonymised
Determine if you have explicit consent of the data subject (i.e., study participant) or if explicit consent can be obtained.
Determine what is the scope of the declaration being applied for if explicit consent cannot be obtained (i.e., what data processing activities with personal data will be undertaken without explicit consent).
Undertake a Data Protection Impact Assessment (DPIA).
Consult with the relevant Data Protection Officers on the DPIA, including the Data Controller of the research study.
Ensure research ethics approval or provisional approval has been granted for the project.
Consider if reasonable efforts can be made to contact the data subject to obtain explicit consent for the health research.
Alternatively, consider if you can make a case that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.
Consider what public and patient engagement activities has or will be undertaken with regards the specific study in question.
Where explicit consent cannot be obtained, consider what transparency measures will be implemented so that participants may be made aware of this study, their data protection rights and how to exercise their rights.

Please note that the HRCDC or Secretariat cannot determine or provide specific answers on the above for your research study. It is up to the parties involved in the study to address these matters.

For more informaiton please visit the Application guidance webpage here.

For details on the consent declaration application process, please visit here.

Yes.

As per Regulation 5 of Health Research Regulations, the HRCDC can only make a declaration once i) a Data Protection Impact Assessment (DPIA) has been carried out; and ii) research ethics approval has been received.

Therefore, ethical approval or provisional ethical approval from the relevant Irish REC / NREC, must be in place and confirmed in writing prior to submitting an application to the HRCDC.

A DPIA must also be completed and the Data Protection Officer (DPO) of the data controllers of the study must review and provide feedback on the DPIA. Note: DPO feedback from a data processor (e.g., a hospital site involved in the study) is not sufficient.

Where provisional ethical approval has been granted, the HRCDC may make a conditional declaration, where the condition attached is the requirement to ensure full ethics approval is obtained prior to the effective date of the declaration.

For a research study that involves multiple sites in Ireland (for example a multi-site clinical trial) and requires a consent declaration, a single consent declaration application should be submitted covering all the sites in the study; a separate application for each of the sites is not required.
It is acceptable for the single application covering all the study sites in Ireland, to be completed by the data controller of the study or by a ‘lead Irish site’. If completed by the lead Irish site, the HRCDC application form will still need to be signed by the data controller of the study and include the feedback of their data protection officer.

Guidance on Information Principles for Consent has been drafted by the Department of Health as a guide to assist researchers:
This is not a legally binding document, nor is it intended to be a complete and mandatory list of principles that must be addressed in patient information leaflet for the purposes of obtained consent.

The HRCDC has also drafted guidance on patient information leaflets to consider when seeking a consent declaration. document on PILs:

In addition to the Department of Health Documents, the HSE has produced their consent policy for health and social care research, which includes guidance on consent. This can be accessed on the HSE here.

Researchers should review existing consent and information documents to determine if the information is aligned with the guideline of information principles that reflect data protection compliance under GDPR and the Health Research Regulations.

Researchers should also consult with their Data Protection Officers (DPOs) or Research Ethic Committees (RECs), as appropriate.

Links to the above referenced Department of Health and the HRCDC guidance are available below.

Please see the ‘Application guidance’ webpage for more information on public interest in the context of the consent declaration process.

Under the GDPR, the processing of personal data requires that a lawful ground for the processing of personal data in Article 6 must be identified and that in the case of processing Article 9 type data (which includes health and genetic data), that a condition in Article 9 must be found.

These grounds and conditions are separate from the data protection safeguards, including the safeguard of obtaining explicit consent, as required the Health Research Regulations. For example, a study may wish to rely on Art 6(1)(e) ‘public interest’ and Art 9(2)(j) ‘scientific research’ as their GDPR legal basis and condition – however, explicit consent remains a required safeguard. An application seeking a consent declaration can then be submitted if explicit consent cannot be obtained.

NOTE: Public authorities, in particular, should be aware that the Recitals to the GDPR states that they should not rely on consent as an Article 6 ground given the disparity of power that exist between a public authority and a data subject.

NOTE: Article 6 prohibits public authorities from relying on “legitimate interests” as a lawful ground for processing.

The Data Protection Commission had published guidance on legal bases: https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data.

Where relevant changes have or will occur to the study that effects the consent declaration made, then an amendment request application form should be completed and submitted to the HRCDC for consideration. The amendment request form and accompanying guidance can be found on the the ‘Application and amendment form’ section of this website here.

Please refer to the amendment request guidance document which sets out example scenarios when an amendment to an existing consent declaration may be required.
Example scenarios include change in data controllership or data processors, a relevant change in the data processing activities, change in the purpose of the research beyond that outlined originally to the HRCDC, extension of the duration of the consent declaration etc.

It is up to the data controller(s) of the research study to determine whether an amendment is required and it is their responsibility to ensure that it is submitted in a timely fashion.

Please do not hesitate to contact the Secretariat if you have any questions.

IMPORTANT: Until the relevant changes have been approved by the HRCDC, they are not covered by the consent declaration

It is a standard condition of every consent declaration made, that an annual review is submitted on the anniversary date of the consent declaration.

The HRCDC/Secretariat may also request updates on the study and/or progress made on any attached conditions, outside the Annual Review process.

For more information on the Annual Process please visit the Annual Review webpage here.

Yes. All of the other suitable and specific measures to safeguard the fundamental rights and freedoms of the data subject described in Regulation 3(1)(a)-(d) must be in place, in addition to obtaining explicit consent or having a consent declaration in place.

A consent declaration refers only to the requirement to have obtained the suitable and specific measure of explicit consent (Regulation 3(1)e) from the data subject.

Please see the following document below that provides a summary of how the decision supports, as defined in the Assisted Decision Making (Capacity) Act, link with the Health Research Regulations and the operation of the HRCDC.

HRCDC and the Assisted Decision Making Capacity Act

Frequently Asked Questions

1 What is a consent declaration?

2 What is meant by health research?

3 What is personal data and data processing?

4 Jurisdiction: When do the HRR apply?

5 Who and what health research studies can apply for a consent declaration?

6 (i) Is data Anonymised or Pseudonymised?(ii) Do I need consent to anonymise a personal dataset for health research purposes?(ii) Do I need consent to pseudonymise personal data for health research purposes?

7 Are there data processing activities and/or certain health research studies where explicit consent or a consent declaration is not required? For example, do ‘retrospective chart review studies’ require a consent declaration?

8 Future Research: Can a consent declaration also cover processing of personal data for other unknown future activities (e.g., transfer to unknown third parties, use in future studies?)

10 Relative/Friend assent: What is meant by ‘proxy assent’ from an individual on behalf of an adult study participant.

11 Can I apply for a consent declaration where (i) reasonable efforts have been made to consent or re-consent data subjects, but there has been no response, (ii) or where it is not practicably feasible, for example, large participant numbers etc.

12 Do I need a consent declaration to process the personal data of deceased participants?

13 Biobanks: do I need a consent declaration for a biobank (whether establishing a research biobank, accessing personal data held by a biobank etc.)?

14 Withdrawal of consent: can I continue to hold and process data where consent is withdrawn?

15 What steps must be taken prior to submitting an application and what does the application process involve?

16 Ethics Approval and a Data Protection Impact Assessment (DPIA): Do I require a DPIA and REC approval prior to seeking a consent declaration from the HRCDC?

17 Multi-site studies in Ireland; do I submit one or multiple consent declaration applications to the HRCDC?

18 Information principles for consent

19 What is meant by ‘public interest’

20 Legal basis for processing: What is the legal basis for processing personal data for health research? What is the difference between ‘explicit consent’ as a legal basis versus a required safeguard.

21 Changes to the study: I have a consent declaration and there are changes to my research study - do I need to request an amendment from the HRCDC?

22 Annual Reviews: How are consent declarations reviewed or monitored by the HRCDC?

23 Do all the suitable and specific safeguards of the Health Research Regulations have to be in place, if I have explicit consent or a consent declaration?

24 How does the Assisted Decision Making (Capacity) Act 2015, interplay with the Health Research Regulations.