The Consent Declaration Process

Prior to Health Research Regulations, there was no mechanism in Irish law to address a situation where consent can not be obtained from a data subject, for health research. Previously some Research Ethics Committees (RECs) may have granted consent waivers. However, those waivers had no legal standing. The requirements in the Regulations to establish a lawful consent declaration process is a clear indication of just how rigorous the consent declaration process has to be to be lawful.

The new statutory mechanism set out in the Health Research Regulations allows for use of personal data for health research that is of high public importance, and where obtaining consent from the data subject is not possible.

It is not mandatory to apply to the HRCDC. The onus is on the data controller to decide whether an application to seek a declaration is required for health research project. The data controller should carefully assess whether or not they are likely to meet the criteria and conditions set out in the Health Research Regulations.

The HRCDC is not there as an alternative to seeking consent. The HRCDC will need strong evidence to support a claim that obtaining consent is not possible. For that reason, the Committee should never be the first option. It is the last. All decisions are made independently by the HRCDC. All appeals will be made to another equally independent panel (appointed by the Minister).

Further, the Committee is not intended to take over the functions of Research Ethics Committees. RECs play a separate, distinct and important role in the health research process.

There are three situations where applications maybe submitted to the HRCDC in order to seek a consent declaration:

  • New Research‘ that has commenced on or after August 8th, 2018 – The research project is outside the scope of the existing consent (Regulation 5).
  • Current Research‘ that has commenced prior to August 8th, 2018 – The existing consent was obtained under the requirement of previous EU Data Protection Directive and the Data Protection Acts 1988 & 2003 (Regulation 6(4)(b)).
  • Current Research‘ that has commenced prior to August 8th, 2018 – No consent was ever obtained (Regulation 6(4)(a).

Through the application process, the applicant should to make a compelling case, with accompanying documentation, to enable the HRCDC to made its decision regarding a consent declaration.

Read more

Decision Tree

The HRB has developed the following decision tree to help researchers assess:

  • Whether they might be eligible to submit an application to the Health Research Consent Declaration Committee to obtain a consent declaration, and
  • Whether such an application should be made under the transitional arrangements or as a new research project.

This decision tree also outlines a number of important preliminary steps that must be completed by researchers prior to the submission of any application to the Health Research Consent Declaration Committee.

However, we strongly recommend that you also contact your institution’s DPO in order to get specific advice.

Download Form

Frequently Asked Questions

What is a consent declaration?

consent declaration is a declaration made by the Health Research Consent Declaration Committee that the explicit consent of the data subject is not required.

Who grants a consent declaration?

The Health Research Consent Declaration Committee, once established, will have the authority to grant a consent declaration.

I have a consent waiver from my REC, is this the same as a consent declaration under the Health Research Regulations 2018?

No. A consent waiver issued by a Research Ethics Committee under the HSE’s National Consent Policy 2017 is not the same as a consent declaration granted under the Health Research Regulations 2018.

Consent waivers do not have, and never had, any legal standing in the context of the previous Data Protection Directive nor in the context of GDPR and the new Health Research Regulations 2018.

Is there a transitional period?

The EU Council and EU Parliament signed off on the GDPR in April 2016 with a two year period before it became effective on 25 May 2018.  That was the transition period for preparing for GDPR compliance.

During that period, health researchers should have made sure that the processing of personal data for health research that was ongoing after 25 May (whether it was commenced before or after that date) was in line with the GDPR.

In the context of the Health Research Regulations 2018, an additional transitional period (up to 30 April 2019) was incorporated to allow health research involving the use of personal data that was ongoing on 8 August 2018 become compliant with the requirements of GDPR and the new Regulations.

When is the deadline for submitting a consent declaration application for current research?

For current research, researchers must submit an application for consideration by the consent declaration to the Health Research Consent Declaration Committee no later than 30 April 2019 (refer to transitional arrangements).

What are the steps that need to be addressed before submitting an application for a consent declaration?
  • Consult the HRB’s GDPR guidance for researchers.
  • Consult the HRB’s consent declaration decision tree.
  • Determine whether your research project is a new project or if it is current.
  • Undertake a data protection impact assessment.
  • Ensure you have research ethics approval.
  • Consider whether or not the personal data can be anonymised.
  • For current research, determine if you have consent and whether or not the consent meets the standard of the previous Data Protection Directive 95/46/EC.
  • If yes, make reasonable efforts to contact the data subject who previously provided consent for the health research for the purposes of reobtaining consent from that data subject.
  • If not, consider if the data can be anonymised. Alternatively, consider if you can make a case that the public interest in continuing to carry out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.
  • For new research, consider if you can make a case that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.
Do I have to have all of the other suitable and specific measures to safeguard to fundamental freedoms and rights of individuals in place if I have a consent declaration?

Yes. A consent declaration refers only to the requirement to have obtained the suitable and specific measure of explicit consent (Regulation 3(1)(e)) from the data subject.

All of the other suitable and specific measures to safeguard the fundamental rights and freedoms of the data subject described in Regulation 3(1)(a)-(d) must be in place.

Points of Clarification

Must each and every one of the Information Principles on Consent be addressed exhaustively & are they legally binding?

No.

The Guidance on Information Principles for Consent has been drafted by the Department of Health as a guide to assist researchers.

It is not a legally binding document, nor is it intended to be a complete and mandatory list of principles that must be addressed in patient information leaflet for the purposes of obtained consent.

Three key points are set out in the document;

  1. The onus is on the health researcher to (a) justify what information is or is not provided and (b) ensure that the data subject is not surprised by any use or disclosure of his or her personal health data by the researcher.
  2. The researcher must always ensure that the language used avoids jargon and is easy to comprehend.
  3. The information provided should be written from the perspective of the data subject and not the researcher.
  4. A researcher could consult the WP29 guidance on transparency

Researchers should review existing consent and information documents to determine if the information is aligned with the guideline of information principles that reflect data protection compliance under GDPR and the Health Research Regulations.

Researchers are further welcomed to get in touch with the HRCDC, through the Secretariat; secretariat@hrcdc.ie

Should data and bio-samples be destroyed after the transition period if I am not compliant with the Health Research Regulations?

No.

Researchers should make immediate steps to address gaps in data protection compliance.

Researchers should not destroy valuable data or bio-samples without further consultation with their relevant organisation authorities such as their Research Ethics Committee and Data Protection Officer. Engagement should begin immediately.

The HRCDC offers a mechanism, through the consent declaration application process, to enable researchers to continue to use/process valuable data for health research that is of significant public importance.

Researchers are further welcomed to get in touch with the HRCDC, through the Secretariat; secretariat@hrcdc.ie