Important Clarifications

Non-response to re-consent: Can I apply for a consent declaration where reasonable efforts have been made to re-consent data subjects, but there has been no response?

Yes.

A Data Controller should take reasonable efforts to contact data subjects for the purpose of re-consenting. Where there has been no response from the data subject, then the Data Controller can apply to the HRCDC for a consent declaration.

Do I need a consent declaration for a biobank?

Please consider the following guidance notes when determining whether a consent declaration is required:

Biobank Overview

Must each and every one of the Information Principles on consent be addressed?

The Guidance on Information Principles for Consent has been drafted by the Department of Health as a guide to assist researchers.

It is not a legally binding document, nor is it intended to be a complete and mandatory list of principles that must be addressed in patient information leaflet for the purposes of obtained consent.

Three key points are set out in the document;

  • The onus is on the health researcher to (a) justify what information is or is not provided and (b) ensure that the data subject is not surprised by any use or disclosure of his or her personal health data by the researcher.
  • The researcher must always ensure that the language used avoids jargon and is easy to comprehend by the data subject.
  • The information provided should be written from the perspective of the data subject and not the researcher.
  • The information provided should leave no room for misinterpretation by the data subject.

A researcher can further consult the WP29 guidance on transparency

A researcher can further consult the WP29 guidance on consent.

Researchers should review existing consent and information documents to determine if the information is aligned with the guideline of information principles that reflect data protection compliance under GDPR and the Health Research Regulations.

Researchers should consult with their Data Protection Officers (DPOs) or Research Ethic Committees (RECs), as appropriate.

Ensuring 'explicit consent': Re-consenting? Re-contacting? Transparency?

NOTE: Researchers should always consult with their DPO and/or RECs when reviewing/revising consent documentation. The following points should not be viewed as legal advice;

Please consider the following;

  • If the processing of data for health research has deviated from scope of the original consent, re-consenting is likely to be required.
  • Re-consenting study participants may not be necessary in order to update on minor information changes to meet transparency requirements.
  • Consider whether recontacting study participants is an appropriate measure to provide updated information regarding the research study.

The principles of fairness and accountability under the GDPR require Data Controllers to always consider the reasonable expectations of data subjects, the effect that the processing may have on them and their ability to exercise their rights in relation to that processing,

NOTE: A privacy notice alone cannot meet a requirement for explicit consent.

Further information can be viewed here: WP29 guidance on transparency

For current research - should personal data and bio-samples be destroyed after the August 7th, 2019 deadline, if I am not compliant with the Health Research Regulations?

Researchers should make immediate steps to address gaps in data protection compliance.

Researchers should avoid destroying valuable data or bio-samples without further consultation with their relevant organisation authorities such as their Research Ethics Committee and Data Protection Officer. Engagement should begin immediately.

Do I require Research Ethics Committee approval prior to seeking a consent declaration from the HRCDC?

Yes.

As per Regulation 5 of Health Research Regulations, the HRCDC can only make a declaration once i) a Data Protection Impact Assessment (DPIA) has been carried out; and ii) research ethics approval has been received.

Therefore ethical approval or provisional ethical approval, must by confirmed in writing prior to submitting an application to the HRCDC.

A Data Protection Officer (DPO) must review and provide feedback on the DPIA – which must be submitted as part of the application form.

Where provisional ethical approval has been granted, the HRCDC may make a conditional declaration, where the condition attached is the requirement to ensure full ethics approval is obtained prior to the effective date of the declaration.

Importantly, the role of the Research Ethics Committee (REC) should not overlap with the role of the HRCDC – they are distinct and complimentary to each other.

Frequently Asked Questions

What is a consent declaration?
  • A consent declaration is a declaration that can be made by the Health Research Consent Declaration Committee – where it is satisfied that the public’s interest in carrying out the health research significantly outweighs the requirement for the explicit consent of the data subject.
  • A consent declaration is made to the Data Controller(s)  – to process personal data for specified health research.
  • Processing of data (See GDPR Article 4(2)) may include, but is not limited to, for example; collecting, using, adapting, retrieving, storing, disseminating, pseudonymisation, anonymisation, sharing, recording etc
  • A consent declaration maybe for a defined part of a project, not necessarily the entire project.
  • NOTE: A consent declaration does not cover the transfer of personal data for third party use, for separate projects. ie  a third party Data Controller wising to further use personal data for their own purpose, may need to seek a separate consent declaration.
  • NOTE: A consent declaration can not be made where consent has been withdrawn by a data subject.
  • NOTE: The HRCDC cannot corroborate a Data Controller’s view as to whether require a consent declaration or not. Each Data Controller must determine whether they require a consent declaration.
Is there a transitional period for current research?

The transition period has now expired.

The EU Council and EU Parliament signed off on the GDPR in April 2016 with a two year period before it became effective on 25 May 2018.  That was the transition period for preparing for GDPR compliance.

During that period, health researchers should have ensured that the processing of personal data for health research that was ongoing after 25 May (whether it was commenced before or after that date) was in line with the GDPR.

In the context of the Health Research Regulations 2018, an additional transitional period (up to August 7 2019) was incorporated to allow health research involving the use of personal data that was ongoing on 8 August 2018 become compliant with the requirements of GDPR and the new Regulations. See Amendment No. 1(S.I.188) for further details on the transition period.

The HRCDC is not empowered to consider applications from researchers where health research commenced prior to August 8th, 2018.

When is the deadline for submitting a consent declaration application for current research that commenced prior to August 8th, 2018?
  • For current research, researchers must submit an application for consideration to the Health Research Consent Declaration Committee no later than August 7th 2019 (refer to transitional arrangements below).
  • Applications submitted after August 7th 2019 can not be considered by the HRCDC.
  • Applications submitted on of before July 7th 2019 will be considered pending until a decision is made by the HRCDC. The Data Controller will not be considered in breach of the Regulations during this time.
  • An explanatory note provided by the Dept. of Health can be viewed here.

 

Who grants a consent declaration?

The Health Research Consent Declaration Committee (HRCDC) have the authority to grant a consent declaration.

Jurisdiction: When do the Health Research Regulations apply?

The collection of personal data for health research is bound by the legislation of the country in which it was collected.

The Health Research Regulations 2018 govern all processing of personal data for health research purposes conducted within the Republic of Ireland.

Example: An Irish Data Controller processing data from another jurisdiction, should satisfy itself (to the extent reasonably possible) that the data was collected lawfully and fairly in that jurisdiction.

ie In this scenario, where data was obtained lawfully, a consent declaration is not required. However, all further processing of that data within Ireland falls under the scope of GDPR and the Health Research Regulations.

Example: Where multiple data controllers are involved in a multi-site, international collaboration, the Irish data controller collecting personal data must ensure compliance with the Health Research Regulations and GDPR.

i.e The Irish data controller may require a consent declaration for the purpose of sharing personal data with other non-Irish data controllers, where consent could not be obtained. The provisions of the Health Research Regulations and GDPR will apply.

Please consult with your  DPO for all GDPR queries are they may pertain to the roles and responsibilities of data processors and controllers.

The GDPR has a very broad territorial remit as it applies to all organisations (whether data controllers, joint-data controllers or data processors) that are processing of personal data of people who reside within the EU or who are EU Citizens, even if the organisation is not located in the EU.

What steps must be addressed before submitting an application for a consent declaration?
  • Determine who is the Data Controller.
  • Determine if you are processing identifiable or pseudonymised personal data.
  • Determine if you have explicit consent.
  • Determine what is the scope of the declaration being applied for if explicit consent has not been obtained.
  • Undertake a Data Protection Impact Assessment.
  • Consult with the Data Protection Officer of the Data Controller.
  • Ensure research ethics approval or provisional approval has been granted for the project.
  • Consider if reasonable efforts can be made to contact the data subject to obtain explicit consent for the health research.
  • Alternatively, consider if you can make a case that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.
Is data Anonymised or Pseudonymised?

Only the Data Controller in consultation with their DPO can determine the level of anonymity of the personal data being processed.

The Data Protection Commission (DPC) has comprehensive guidelines that can be viewed here: DPC – Anonymisation and Pseudonymisation.

Do all suitable and specific measures to safeguards have to be in place, if I have a consent declaration?

Yes. A consent declaration refers only to the requirement to have obtained the suitable and specific measure of explicit consent (Regulation 3(1)(e)) from the data subject.

All of the other suitable and specific measures to safeguard the fundamental rights and freedoms of the data subject described in Regulation 3(1)(a)-(d) must be in place.

Retrospective Chart Reviews: Do retrospective hart reviews fall under the Health Research Regulations?

The Data Protection Commission (DPC) has agreed that the requirement for explicit consent for retrospective chart review studies carried out in a data controller’s organisation by;

(a) a health practitioner employed by the data controller (including students studying, in the data controller’s organisation, to be health practitioners who are under the supervision of the health practitioner); or

(b) an employee of the data controller (other than a health practitioner in (a)) who, in the course of his or her duties for the data controller, would ordinarily have access to health record information held by the data controller and who, in the circumstances, owes a duty of confidentiality (that includes specified penalties for any breach of that duty) to the data subject that is equivalent to that which would exist if that person were a health practitioner,

– that are low risk with high transparency arrangements in place, will continue to be deferred.

A ‘Health Practitioner’ has the meaning ascribed to it in the Health Identifiers Act, 2014.

This arrangement is pending the conclusion of discussions between the Department of Health and the DPC  on this matter and the introduction of a more formalised arrangement through an amendment to the Health Research Regulations.

Again, it is important to note that all other safeguards required by the GDPR, the Data Protection Act 2018 and the Health Research Regulations, 2018 must be in place, including approval by a research ethics committee.

The Consent Declaration Process

Prior to Health Research Regulations, there was no mechanism in Irish law to address a situation where consent can not be obtained from a data subject, for health research. Previously some Research Ethics Committees (RECs) may have granted consent waivers. However, those waivers had no legal standing. The requirements in the Regulations to establish a lawful consent declaration process is a clear indication of just how rigorous the consent declaration process has to be to be lawful.

The new statutory mechanism set out in the Health Research Regulations allows for use of personal data for health research that is of high public importance, and where obtaining consent from the data subject is not possible.

It is not mandatory to apply to the HRCDC. The onus is on the Data Controller to decide whether an application to seek a declaration is required for health research project. The data controller should carefully assess whether or not they are likely to meet the criteria and conditions set out in the Health Research Regulations.

The HRCDC is not there as an alternative to seeking consent. The HRCDC will need strong evidence to support a claim that obtaining consent is not possible. For that reason, the HRCDC should never be the first option. It is the last. All decisions are made independently by the HRCDC. All appeals will be made to another equally independent panel (appointed by the Minister).

Further, the HRCDC is not intended to take over the functions of RECs. RECs play a separate, distinct and important role in the health research process.

An application maybe submitted to the HRCDC in order to seek a consent declaration for:  New Research that has commenced on or after August 8th, 2018

Through the application process, the applicant should to make a compelling case, with accompanying documentation, to enable the HRCDC to made its decision regarding a consent declaration.

Read more

Decision Flow Chart

A  simple flow chart has been developed to assist Data Controllers/Researchers to assess:

  • If an application to the HRCDC to obtain a consent declaration is required
  • What additional matters should be considered at the application stage

Please always consult with your institution’s Data Protection Officer for specific advice, where appropriate.

Decision Flow Chart