Guidance

• A consent declaration is a declaration that can be made by the Health Research Consent Declaration Committee – where it is satisfied that the public’s interest in carrying out the health research significantly outweighs the requirement for the explicit consent of the data subject.
• A consent declaration is made to the Data Controller(s) of the study – to process personal data for specified health research.
• Processing of data (See GDPR Article 4(2)) may include, but is not limited to, for example; collecting, using, adapting, retrieving, storing, disseminating, pseudonymisation, anonymisation, sharing, recording etc
• A consent declaration maybe for a defined part of a project, not necessarily the entire project.
• NOTE: A consent declaration does not cover the transfer of personal data for third party use, for separate projects. ie  a third party Data Controller wising to further use personal data for their own purpose, may need to seek a separate consent declaration.
• NOTE: A consent declaration can not be made where consent has been withdrawn by a data subject.
• NOTE: The HRCDC cannot corroborate a Data Controller’s view as to whether require a consent declaration or not. Each Data Controller must determine whether they require a consent declaration.

• Any data controller, national or international, may apply for a consent declaration to process personal data it requires for their health research study – this includes personal data it already holds and personal data that it wishes obtain. i.e., the consent declaration is made to the data controller seeking to process personal data for their research study.
• Where the data that is requested to be processed for the health research study is held/controlled by another data controller, than that data controller should not be a party to the application process, unless they are a Joint-Controller in a study.
• NOTE: A declaration is not made to the data controller that already possess (data source) the personal data.

Regulation 14 states: Nothing in these Regulations shall be construed as imposing an obligation on a person to disclose personal data to a person who processes personal data for the purpose of health research under these Regulations but, where a declaration is made, any disclosure made by the first mentioned person shall not be in breach of any requirement to obtain consent under these Regulations provided that the disclosure is in accordance with the declaration or any condition to which it may be subject.

The Health Research Consent Declaration Committee (HRCDC) have the authority to grant a consent declaration.

• Determine who is the Data Controller and any data processors.
• Determine if you are processing identifiable or pseudonymised data i.e. determine if you are processing personal data.
• Determine if you have explicit consent.
• Determine what is the scope of the declaration being applied for if explicit consent has not been obtained.
• Undertake a Data Protection Impact Assessment.
• Consult with the Data Protection Officer of the Data Controller.
• Ensure research ethics approval or provisional approval has been granted for the project.
• Consider if reasonable efforts can be made to contact the data subject to obtain explicit consent for the health research.
• Alternatively, consider if you can make a case that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.

The transition period has now expired.

The EU Council and EU Parliament signed off on the GDPR in April 2016 with a two year period before it became effective on 25 May 2018.  That was the transition period for preparing for GDPR compliance.

During that period, health researchers should have ensured that the processing of personal data for health research that was ongoing after 25 May (whether it was commenced before or after that date) was in line with the GDPR.

In the context of the Health Research Regulations 2018, an additional transitional period (up to August 7 2019) was incorporated to allow health research involving the use of personal data that was ongoing on 8 August 2018 to become compliant with the requirements of GDPR and the new Regulations. See Amendment No. 1(S.I.188) for further details on the transition period.

Researchers should make immediate steps to address gaps in data protection compliance.

Researchers should avoid destroying valuable data or bio-samples without further consultation with their relevant organisation authorities such as their Research Ethics Committee and Data Protection Officer. Engagement should begin immediately.

Under the GDPR, the processing of personal data requires that:

• a lawful ground for the processing of personal data in Article 6 must be identified; and
• that in the case of processing Article 9 type data (which includes health and genetic data) that a condition in Article 9 must be found.

NOTE: These grounds and conditions are separate from the safeguards, including the safeguard of obtaining explicit consent, as required the Health Research Regulations.

NOTE: Public authorities, in particular, should be aware that the Recitals to the GDPR states that they should not rely on consent as an Article 6 ground given the disparity of power that exist between a public authority and a data subject.

NOTE: Article 6 prohibits public authorities from relying on “legitimate interests” as a lawful ground for processing.

The collection of personal data for health research is bound by the legislation of the country in which it was collected.

The Health Research Regulations 2018 govern all processing of personal data for health research purposes conducted within the Republic of Ireland.

Where consent is obtained by an international third party in line with their country’s data protection requirements, and international ethical standards in health research, there should be no necessity to obtain any further consent. However, should the Irish institution have concerns that consent has not been obtained this should be interrogated further prior to the processing of personal data

Example: An Irish Data Controller processing data from another jurisdiction, should satisfy itself (to the extent reasonably possible) that the data was collected lawfully and fairly in that jurisdiction.

ie In this scenario, where data was obtained lawfully, a consent declaration is not required. However, all further processing of that data within Ireland falls under the scope of GDPR and the Health Research Regulations.

Example: Where multiple data controllers are involved in a multi-site, international collaboration, the Irish data controller collecting personal data must ensure compliance with the Health Research Regulations and GDPR.

i.e The Irish data controller may require a consent declaration for the purpose of sharing personal data with other non-Irish data controllers, where consent could not be obtained. The provisions of the Health Research Regulations and GDPR will apply.

Please consult with your  DPO for all GDPR queries are they may pertain to the roles and responsibilities of data processors and controllers.

The GDPR has a very broad territorial remit as it applies to all organisations (whether data controllers, joint-data controllers or data processors) that are processing of personal data of people who reside within the EU or who are EU Citizens, even if the organisation is not located in the EU.

Anonymised data fall outside the remit of GDPR and the new Health Research Regulations 2018.

However, the process of anonymisation is, in itself, data processing and does fall under the remit of GDPR and may fall under the remit of the Health Research Regulations 2018 depending on its purpose.  Therefore, if the legal ground that the personal data is being held is consent, then consent is required for the anonymisation of that data. However, if the data controller has another legal basis (other than consent) and, where relevant, meets at least one of the Article 9(2) conditions (other than explicit consent), then consent is not required.

No.

Pseudonymisation is a data security measure that is strongly encouraged by the GDPR.

However, pseudonymised data remain subject to requirements of GDPR and, in the case of health research, to the requirements of the Health Research Regulations 2018 – this includes the disclosure of pseudonymised data for health research purposes by one data controller to another data controller.

Only a Data Controller, in consultation with their DPO, can determine the level of anonymity of the personal data being processed.

The Data Protection Commission (DPC) has comprehensive guidelines that can be viewed here: DPC – Anonymisation and Pseudonymisation.

Yes. A consent declaration refers only to the requirement to have obtained the suitable and specific measure of explicit consent (Regulation 3(1)(e)) from the data subject.

All of the other suitable and specific measures to safeguard the fundamental rights and freedoms of the data subject described in Regulation 3(1)(a)-(d) must be in place.

Yes.

As per Regulation 5 of Health Research Regulations, the HRCDC can only make a declaration once i) a Data Protection Impact Assessment (DPIA) has been carried out; and ii) research ethics approval has been received.

Therefore ethical approval or provisional ethical approval, must by confirmed in writing prior to submitting an application to the HRCDC.

A Data Protection Officer (DPO) must review and provide feedback on the DPIA – which must be submitted as part of the application form.

Where provisional ethical approval has been granted, the HRCDC may make a conditional declaration, where the condition attached is the requirement to ensure full ethics approval is obtained prior to the effective date of the declaration.

Importantly, the role of the Research Ethics Committee (REC) should not overlap with the role of the HRCDC – they are distinct and complimentary to each other.

Retrospective chart review studies do fall under the Health Research Regulations, however amendments made to the Health Research Regulations provide that retrospective chart reviews do not require the safeguard of explicit consent, subject to certain criteria and safeguards being being met – please see the relevant Guidance on the Amendments to the Health Research Regulations that are available on this page. The amendment legislation (S.I. 18) can also be read here: https://hrcdc.ie/about-us/#Legislation 

If the data controller of the retrospective chart review study determines that the amendment does not apply, than consent or a consent declaration will be required.

The Guidance on Information Principles for Consent has been drafted by the Department of Health as a guide to assist researchers.

It is not a legally binding document, nor is it intended to be a complete and mandatory list of principles that must be addressed in patient information leaflet for the purposes of obtained consent.

Three key points are set out in the document;

• The onus is on the health researcher to (a) justify what information is or is not provided and (b) ensure that the data subject is not surprised by any use or disclosure of his or her personal health data by the researcher.
• The researcher must always ensure that the language used avoids jargon and is easy to comprehend by the data subject.
• The information provided should be written from the perspective of the data subject and not the researcher.
• The information provided should leave no room for misinterpretation by the data subject.

A researcher can further consult the WP29 guidance on transparency

A researcher can further consult the WP29 guidance on consent.

Researchers should review existing consent and information documents to determine if the information is aligned with the guideline of information principles that reflect data protection compliance under GDPR and the Health Research Regulations.

Researchers should consult with their Data Protection Officers (DPOs) or Research Ethic Committees (RECs), as appropriate.

NOTE: Researchers should always consult with their DPO and/or RECs when reviewing/revising consent documentation. The following points should not be viewed as legal advice;

Please consider the following;

• If the processing of data for health research has deviated from scope of the original consent, re-consenting is likely to be required.
• Re-consenting study participants may not be necessary in order to update on minor information changes to meet transparency requirements.
• Consider whether recontacting study participants is an appropriate measure to provide updated information regarding the research study.

Yes.

A Data Controller should take reasonable efforts to contact data subjects for the purpose of re-consenting. Where there has been no response from the data subject, then the Data Controller can apply to the HRCDC for a consent declaration.

The guidance from the Data Protection Commission on this item can be viewed through the Clinical Research Development Network ‘Q14  – Withdrawal’

A consent declaration cannot override the data protection rights of participants, including a participant’s decision to withdraw. Equally, the HRCDC cannot make a declaration to process data, where consent has been withdrawn by the data subject.

Researchers can further consult the WP29 guidance on consent.

Please consider the following guidance notes when determining whether a consent declaration is required accessing a Biobank :

Biobank Overview

Note: The use of biosamples for health research does not fall under the remit of the Health Research Regulations or the HRCDC – the processing of personal data associated with biosamples is covered by the Regulations.

Where relevant changes have or will occur to the study that effects the consent declaration made, than an amendment request application form should be completed and submitted to the HRCDC for consideration. Please refer to the amendment request guidance document which sets out example scenarios when an amendment to an existing consent declaration may be required.

Example scenarios include change in data controllership or data processors, a relevant change in the data processing activities, change in the purpose of the research beyond that outlined originally to the HRCDC, extension of the duration of the consent declaration etc.

The amendment request form and accompanying guidance can be found here.

Note: It is up to the data controller(s) of the research study to determine whether an amendment is required and it is their responsibility to ensure that it is submitted in a timely fashion.

Until the relevant changes have been approved by the HRCDC, they are not covered by the consent declaration

A number of substantive amendments to the Health Research Regulations were made in January 2021, following feedback and engagement with the research community.

Please refer to the amendment legislation (S.I. 18 https://hrcdc.ie/about-us/#Legislation) and the accompanying guidance (https://hrcdc.ie/guidance/) for details on when explicit consent or a consent declaration may not be required for certain types of health research studies that meet important specific criteria and subject to meeting certain safeguards.

Note: it is the responsibility of the relevant parties in the study to determine if the amendments apply to their research study and to meet the safeguards outlined. Researchers are advised to discuss this matter with the relevant Data Protection Officer.

With regards data processing, where a participant may lack decision-making capacity to provide explicit consent, obtaining ‘consent’ on their behalf from another proxy individual (e.g., family member) is not considered valid ‘explicit consent’ – a person cannot provide valid consent for data processing on behalf of another individual.

Research studies that wish to process the personal data of participants who lack decision-making capacity to provide explicit consent will likely need to seek a consent declaration to process the personal data of that cohort of participants.

Note: while consent from a proxy individual on behalf of someone who lacks decision-making capacity is not valid consent and a declaration would likely be required, it can be considered an important additional safeguard to help understand the study participant’s will and preferences.

With regards the consent declaration process, the term ‘proxy assent‘ (not ‘proxy consent’) is used to describe seeking the permission from a proxy to process the personal data of another individual.

The following document is a summary of how the decision supports, as defined in the ADMA, link with the Health Research Regulations and the operation of the HRCDC.

If you have any further queries,  please contact http://www.decisionsupportservice.ie/ or please email secretariat@hrcdc.ie

ADMA HRCDC information Version 1 November 2023 FINAL for website

https://hrcdc.ie/wp-content/uploads/2024/03/Study-information-leaflets-common-issues-FINAL-.pdf