Guidance

• A consent declaration is a declaration that can be made by the Health Research Consent Declaration Committee – where it is satisfied that the public’s interest in carrying out the health research significantly outweighs the requirement for the explicit consent of the data subject.
• A consent declaration is made to the Data Controller(s) of the study – to process personal data for specified health research.
• Processing of data (See GDPR Article 4(2)) may include, but is not limited to, for example; collecting, using, adapting, retrieving, storing, disseminating, pseudonymisation, anonymisation, sharing, recording etc
• A consent declaration maybe for a defined part of a project, not necessarily the entire project.
• NOTE: A consent declaration does not cover the transfer of personal data for third party use, for separate projects. ie  a third party Data Controller wising to further use personal data for their own purpose, may need to seek a separate consent declaration.
• NOTE: A consent declaration can not be made where consent has been withdrawn by a data subject.
• NOTE: The HRCDC cannot corroborate a Data Controller’s view as to whether require a consent declaration or not. Each Data Controller must determine whether they require a consent declaration.

• Any data controller, national or international may apply for a consent declaration to ‘obtain and use’ and otherwise process personal data it requires, but does not have access to, for a health research study.
• The data controller that poses/controls the personal data required for the health research study – should not be a party to the application process, unless they are a Joint-Controller in a study.
• A declaration is made to a data controller of the study seeking to obtain and use personal data for health research study.
• NOTE: A declaration is not made to the data controller that already possess (data source) the personal data.

Regulation 14 supports the above: Nothing in these Regulations shall be construed as imposing an obligation on a person to disclose personal data to a person who processes personal data for the purpose of health research under these Regulations but, where a declaration is made, any disclosure made by the first mentioned person shall not be in breach of any requirement to obtain consent under these Regulations provided that the disclosure is in accordance with the declaration or any condition to which it may be subject.

The Health Research Consent Declaration Committee (HRCDC) have the authority to grant a consent declaration.

• Determine who is the Data Controller.
• Determine if you are processing identifiable or pseudonymised personal data.
• Determine if you have explicit consent.
• Determine what is the scope of the declaration being applied for if explicit consent has not been obtained.
• Undertake a Data Protection Impact Assessment.
• Consult with the Data Protection Officer of the Data Controller.
• Ensure research ethics approval or provisional approval has been granted for the project.
• Consider if reasonable efforts can be made to contact the data subject to obtain explicit consent for the health research.
• Alternatively, consider if you can make a case that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.

The transition period has now expired.

The EU Council and EU Parliament signed off on the GDPR in April 2016 with a two year period before it became effective on 25 May 2018.  That was the transition period for preparing for GDPR compliance.

During that period, health researchers should have ensured that the processing of personal data for health research that was ongoing after 25 May (whether it was commenced before or after that date) was in line with the GDPR.

In the context of the Health Research Regulations 2018, an additional transitional period (up to August 7 2019) was incorporated to allow health research involving the use of personal data that was ongoing on 8 August 2018 to become compliant with the requirements of GDPR and the new Regulations. See Amendment No. 1(S.I.188) for further details on the transition period.

Researchers should make immediate steps to address gaps in data protection compliance.

Researchers should avoid destroying valuable data or bio-samples without further consultation with their relevant organisation authorities such as their Research Ethics Committee and Data Protection Officer. Engagement should begin immediately.

Under the GDPR, the processing of personal data requires that:

• a lawful ground for the processing of personal data in Article 6 must be identified; and
• that in the case of processing Article 9 type data (which includes health and genetic data) that a condition in Article 9 must be found.

NOTE: These grounds and conditions are separate from the safeguards, including the safeguard of obtaining explicit consent, as required the Health Research Regulations.

NOTE: Public authorities, in particular, should be aware that the Recitals to the GDPR states that they should not rely on consent as an Article 6 ground given the disparity of power that exist between a public authority and a data subject.

NOTE: Article 6 prohibits public authorities from relying on “legitimate interests” as a lawful ground for processing.

The collection of personal data for health research is bound by the legislation of the country in which it was collected.

The Health Research Regulations 2018 govern all processing of personal data for health research purposes conducted within the Republic of Ireland.

Where consent is obtained by an international third party in line with their country’s data protection requirements, and international ethical standards in health research, there should be no necessity to obtain any further consent. However, should the Irish institution have concerns that consent has not been obtained this should be interrogated further prior to the processing of personal data

Example: An Irish Data Controller processing data from another jurisdiction, should satisfy itself (to the extent reasonably possible) that the data was collected lawfully and fairly in that jurisdiction.

ie In this scenario, where data was obtained lawfully, a consent declaration is not required. However, all further processing of that data within Ireland falls under the scope of GDPR and the Health Research Regulations.

Example: Where multiple data controllers are involved in a multi-site, international collaboration, the Irish data controller collecting personal data must ensure compliance with the Health Research Regulations and GDPR.

i.e The Irish data controller may require a consent declaration for the purpose of sharing personal data with other non-Irish data controllers, where consent could not be obtained. The provisions of the Health Research Regulations and GDPR will apply.

Please consult with your  DPO for all GDPR queries are they may pertain to the roles and responsibilities of data processors and controllers.

The GDPR has a very broad territorial remit as it applies to all organisations (whether data controllers, joint-data controllers or data processors) that are processing of personal data of people who reside within the EU or who are EU Citizens, even if the organisation is not located in the EU.

Anonymised data fall outside the remit of GDPR and the new Health Research Regulations 2018.

However, the process of anonymisation is, in itself, data processing and does fall under the remit of GDPR and may fall under the remit of the Health Research Regulations 2018 depending on its purpose.  Therefore, if the legal ground that the personal data is being held is consent, then consent is required for the anonymisation of that data.

However, if the data controller has another legal basis (other than consent) and, where relevant, meets at least one of the Article 9(2) conditions (other than explicit consent), then consent is not required.

No.

Pseudonymisation is a data security measure that is strongly encouraged by the GDPR.

However, pseudonymised data remain subject to requirements of GDPR and, in the case of health research, to the requirements of the Health Research Regulations 2018.

Only a Data Controller, in consultation with their DPO, can determine the level of anonymity of the personal data being processed.

The Data Protection Commission (DPC) has comprehensive guidelines that can be viewed here: DPC – Anonymisation and Pseudonymisation.

Yes. A consent declaration refers only to the requirement to have obtained the suitable and specific measure of explicit consent (Regulation 3(1)(e)) from the data subject.

All of the other suitable and specific measures to safeguard the fundamental rights and freedoms of the data subject described in Regulation 3(1)(a)-(d) must be in place.

Yes.

As per Regulation 5 of Health Research Regulations, the HRCDC can only make a declaration once i) a Data Protection Impact Assessment (DPIA) has been carried out; and ii) research ethics approval has been received.

Therefore ethical approval or provisional ethical approval, must by confirmed in writing prior to submitting an application to the HRCDC.

A Data Protection Officer (DPO) must review and provide feedback on the DPIA – which must be submitted as part of the application form.

Where provisional ethical approval has been granted, the HRCDC may make a conditional declaration, where the condition attached is the requirement to ensure full ethics approval is obtained prior to the effective date of the declaration.

Importantly, the role of the Research Ethics Committee (REC) should not overlap with the role of the HRCDC – they are distinct and complimentary to each other.

The Data Protection Commission (DPC) has agreed that the requirement for explicit consent for retrospective chart review studies carried out in a data controller’s organisation by;

(a) a health practitioner employed by the data controller (including students studying, in the data controller’s organisation, to be health practitioners who are under the supervision of the health practitioner); or

(b) an employee of the data controller (other than a health practitioner in (a)) who, in the course of his or her duties for the data controller, would ordinarily have access to health record information held by the data controller and who, in the circumstances, owes a duty of confidentiality (that includes specified penalties for any breach of that duty) to the data subject that is equivalent to that which would exist if that person were a health practitioner,

– that are low risk with high transparency arrangements in place, will continue to be deferred.

A ‘Health Practitioner’ has the meaning ascribed to it in the Health Identifiers Act, 2014.

This arrangement is pending the conclusion of discussions between the Department of Health and the DPC  on this matter and the introduction of a more formalised arrangement through an amendment to the Health Research Regulations.

Again, it is important to note that all other safeguards required by the GDPR, the Data Protection Act 2018 and the Health Research Regulations, 2018 must be in place, including approval by a research ethics committee.

The Guidance on Information Principles for Consent has been drafted by the Department of Health as a guide to assist researchers.

It is not a legally binding document, nor is it intended to be a complete and mandatory list of principles that must be addressed in patient information leaflet for the purposes of obtained consent.

Three key points are set out in the document;

• The onus is on the health researcher to (a) justify what information is or is not provided and (b) ensure that the data subject is not surprised by any use or disclosure of his or her personal health data by the researcher.
• The researcher must always ensure that the language used avoids jargon and is easy to comprehend by the data subject.
• The information provided should be written from the perspective of the data subject and not the researcher.
• The information provided should leave no room for misinterpretation by the data subject.

A researcher can further consult the WP29 guidance on transparency

A researcher can further consult the WP29 guidance on consent.

Researchers should review existing consent and information documents to determine if the information is aligned with the guideline of information principles that reflect data protection compliance under GDPR and the Health Research Regulations.

Researchers should consult with their Data Protection Officers (DPOs) or Research Ethic Committees (RECs), as appropriate.

NOTE: Researchers should always consult with their DPO and/or RECs when reviewing/revising consent documentation. The following points should not be viewed as legal advice;

Please consider the following;

• If the processing of data for health research has deviated from scope of the original consent, re-consenting is likely to be required.
• Re-consenting study participants may not be necessary in order to update on minor information changes to meet transparency requirements.
• Consider whether recontacting study participants is an appropriate measure to provide updated information regarding the research study.

Yes.

A Data Controller should take reasonable efforts to contact data subjects for the purpose of re-consenting. Where there has been no response from the data subject, then the Data Controller can apply to the HRCDC for a consent declaration.

The guidance from the Data Protection Commission on this item can be viewed through the Clinical Research Development Network ‘Q14  – Withdrawal’

The HRCDC can not made a declaration to process data, where consent has been withdrawn by the data subject.

Researchers can further consult the WP29 guidance on consent.

Please consider the following guidance notes when determining whether a consent declaration is required accessing a Biobank :

Biobank Overview