Important Clarifications

Must each and every one of the Information Principles on consent be addressed exhaustively & are the guidance notes legally binding?

The Guidance on Information Principles for Consent has been drafted by the Department of Health as a guide to assist researchers.

It is not a legally binding document, nor is it intended to be a complete and mandatory list of principles that must be addressed in patient information leaflet for the purposes of obtained consent.

Three key points are set out in the document;

  • The onus is on the health researcher to (a) justify what information is or is not provided and (b) ensure that the data subject is not surprised by any use or disclosure of his or her personal health data by the researcher.
  • The researcher must always ensure that the language used avoids jargon and is easy to comprehend by the data subject.
  • The information provided should be written from the perspective of the data subject and not the researcher.

A researcher can further consult the WP29 guidance on transparency

A researcher can further consult the WP29 guidance on consent.

Researchers should review existing consent and information documents to determine if the information is aligned with the guideline of information principles that reflect data protection compliance under GDPR and the Health Research Regulations.

Researchers should consult with their Data Protection Officers (DPOs) or Research Ethic Committees (RECs), as appropriate.

For current research - should personal data and bio-samples be destroyed after the August 7th deadline, if I am not compliant with the Health Research Regulations?

Researchers should make immediate steps to address gaps in data protection compliance.

Researchers should avoid destroying valuable data or bio-samples without further consultation with their relevant organisation authorities such as their Research Ethics Committee and Data Protection Officer. Engagement should begin immediately.

The HRCDC offers a mechanism, through the consent declaration application process, to enable researchers to continue to use/process valuable data for health research that is of significant public importance.

Do I require research ethics committee (REC) approval (or provisional approval) prior to seeking a consent declaration from the HRCDC?

Yes.

As per Regulation 5 of Health Research Regulations, the HRCDC can only make a declaration once i) a Data Protection Impact Assessment (DPIA) has been carried out; and ii) research ethics approval has been received.

Therefore ethical approval or provisional ethical approval, must by confirmed in writing prior to submitting an application to the HRCDC.

A Data Protection Officer (DPO) must review and provide feedback on the DPIA – which must be submitted as part of the application form.

Where provisional ethical approval has been granted, the HRCDC may make a conditional declaration, where the condition attached is the requirement to ensure full ethics approval is obtained prior to the effective date of the declaration.

Importantly, the role of the Research Ethics Committee (REC) should not overlap with the role of the HRCDC – they are distinct and complimentary to each other.

Frequently Asked Questions

What is a consent declaration?
  • A consent declaration is a declaration that can be made by the Health Research Consent Declaration Committee – where it is satisfied that the public’s interest in carrying out the health research significantly outweighs the requirement for the explicit consent of the data subject.
  • A consent declaration is made to the Data Controller(s)  – to obtain and use personal data for specified health research.
  • NOTE: A consent declaration does not cover the transfer of personal data for third party use. ie  a third party Data Controller wising to further use personal data, may need to seek a separate consent declaration.
  • A consent declaration maybe for a defined part of a project, not necessarily the entire project.
Is there a transitional period for current research?

The EU Council and EU Parliament signed off on the GDPR in April 2016 with a two year period before it became effective on 25 May 2018.  That was the transition period for preparing for GDPR compliance.

During that period, health researchers should have made sure that the processing of personal data for health research that was ongoing after 25 May (whether it was commenced before or after that date) was in line with the GDPR.

In the context of the Health Research Regulations 2018, an additional transitional period (up to August 7 2019) was incorporated to allow health research involving the use of personal data that was ongoing on 8 August 2018 become compliant with the requirements of GDPR and the new Regulations. See Amendment No. 1(S.I.188) for further details on the transition period.

When is the deadline for submitting a consent declaration application for current research that commenced prior to August 8th, 2018?
  • For current research, researchers must submit an application for consideration to the Health Research Consent Declaration Committee no later than August 7th 2019 (refer to transitional arrangements below).
  • Applications submitted after August 7th 2019 can not be considered by the HRCDC.
  • Applications submitted on of before July 7th 2019 will be considered pending until a decision is made by the HRCDC. The Data Controller will not be considered in breach of the Regulations during this time.
  • An explanatory note provided by the Dept. of Health can be viewed here.

 

Who grants a consent declaration?

The Health Research Consent Declaration Committee (HRCDC) have the authority to grant a consent declaration.

I have a consent waiver from my REC, is this the same as a consent declaration under the Health Research Regulations 2018?

No. A consent waiver issued by a Research Ethics Committee under the HSE’s National Consent Policy 2017 is not the same as a consent declaration granted under the Health Research Regulations 2018.

Consent waivers do not have, and never had, any legal standing in the context of the previous Data Protection Directive nor in the context of GDPR and the new Health Research Regulations 2018.

What are the steps that need to be addressed before submitting an application for a consent declaration?
  • Determine who is the Data Controller.
  • Determine if you are processing identifiable or pseudonymised personal data.
  • Determine if you have explicit consent.
  • Determine what is the scope of the declaration being applied for is explicit consent has not been obtained.
  • Undertake a Data Protection Impact Assessment.
  • Consult with the Data Protection Officer of the Data Controller.
  • Ensure research ethics approval or provisional approval has been granted for the project.
  • For current research, determine if you have consent and whether or not the consent meets the standard of the previous Data Protection Directive 95/46/EC.
  • If yes, make reasonable efforts to contact the data subject who previously provided consent for the health research for the purposes of re-consenting from that data subject.
  • Alternatively, consider if you can make a case that the public interest in continuing to carry out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.
  • For new research, consider if you can make a case that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.
Is data Anonymised or Pseudonymised?

Only the Data Controller in consultation with their DPO can determine the level of anonymity of the personal data being processed.

The Data Protection Commission (DPC) has comprehensive guidelines that can be viewed here: DPC – Anonymisation and Pseudonymisation.

Do all suitable and specific measures to safeguard the fundamental freedoms and rights of individuals have to be in place, if I have a consent declaration?

Yes. A consent declaration refers only to the requirement to have obtained the suitable and specific measure of explicit consent (Regulation 3(1)(e)) from the data subject.

All of the other suitable and specific measures to safeguard the fundamental rights and freedoms of the data subject described in Regulation 3(1)(a)-(d) must be in place.

Do Retrospective Chart review fall under the Health Research Regulations?

The Data Protection Commission (DPC) has agreed that the requirement for explicit consent for retrospective chart review studies carried out in a data controller’s organisation by;

(a) a health practitioner employed by the data controller (including students studying, in the data controller’s organisation, to be health practitioners who are under the supervision of the health practitioner); or

(b) an employee of the data controller (other than a health practitioner in (a)) who, in the course of his or her duties for the data controller, would ordinarily have access to health record information held by the data controller and who, in the circumstances, owes a duty of confidentiality (that includes specified penalties for any breach of that duty) to the data subject that is equivalent to that which would exist if that person were a health practitioner,

– that are low risk with high transparency arrangements in place, will continue to be deferred.

This arrangement is pending the conclusion of discussions between the Department of Health and the DPC  on this matter and the introduction of a more formalised arrangement through an amendment to the Health Research Regulations.

Again, it is important to note that all other safeguards required by the GDPR, the Data Protection Act 2018 and the Health Research Regulations, 2018 must be in place, including approval by a research ethics committee.

The Consent Declaration Process

Prior to Health Research Regulations, there was no mechanism in Irish law to address a situation where consent can not be obtained from a data subject, for health research. Previously some Research Ethics Committees (RECs) may have granted consent waivers. However, those waivers had no legal standing. The requirements in the Regulations to establish a lawful consent declaration process is a clear indication of just how rigorous the consent declaration process has to be to be lawful.

The new statutory mechanism set out in the Health Research Regulations allows for use of personal data for health research that is of high public importance, and where obtaining consent from the data subject is not possible.

It is not mandatory to apply to the HRCDC. The onus is on the Data Controller to decide whether an application to seek a declaration is required for health research project. The data controller should carefully assess whether or not they are likely to meet the criteria and conditions set out in the Health Research Regulations.

The HRCDC is not there as an alternative to seeking consent. The HRCDC will need strong evidence to support a claim that obtaining consent is not possible. For that reason, the HRCDC should never be the first option. It is the last. All decisions are made independently by the HRCDC. All appeals will be made to another equally independent panel (appointed by the Minister).

Further, the HRCDC is not intended to take over the functions of RECs. RECs play a separate, distinct and important role in the health research process.

There are three situations where applications maybe submitted to the HRCDC in order to seek a consent declaration:

  • New Research‘ that has commenced on or after August 8th, 2018 – The research project is outside the scope of the existing consent (Regulation 5).
  • Current Research‘ that has commenced prior to August 8th, 2018 – The existing consent was obtained under the requirement of previous EU Data Protection Directive and the Data Protection Acts 1988 & 2003 (Regulation 6(4)(b)).
  • Current Research‘ that has commenced prior to August 8th, 2018 – No consent was ever obtained (Regulation 6(4)(a).

Through the application process, the applicant should to make a compelling case, with accompanying documentation, to enable the HRCDC to made its decision regarding a consent declaration.

Read more

Decision Tree

The HRB has developed the following decision tree to help researchers assess:

  • Whether they might be eligible to submit an application to the Health Research Consent Declaration Committee to obtain a consent declaration, and
  • Whether such an application should be made under the transitional arrangements or as a new research project.

This decision tree also outlines a number of important preliminary steps that must be completed by researchers prior to the submission of any application to the Health Research Consent Declaration Committee.

However, we strongly recommend that you also contact your institution’s DPO in order to get specific advice.

Download Form