The Data Protection Commission (DPC) has agreed that the requirement for explicit consent for retrospective chart review studies carried out in a data controller’s organisation by;
(a) a health practitioner employed by the data controller (including students studying, in the data controller’s organisation, to be health practitioners who are under the supervision of the health practitioner); or
(b) an employee of the data controller (other than a health practitioner in (a)) who, in the course of his or her duties for the data controller, would ordinarily have access to health record information held by the data controller and who, in the circumstances, owes a duty of confidentiality (that includes specified penalties for any breach of that duty) to the data subject that is equivalent to that which would exist if that person were a health practitioner,
– that are low risk with high transparency arrangements in place, will continue to be deferred.
A ‘Health Practitioner’ has the meaning ascribed to it in the Health Identifiers Act, 2014.
This arrangement is pending the conclusion of discussions between the Department of Health and the DPC on this matter and the introduction of a more formalised arrangement through an amendment to the Health Research Regulations.
Again, it is important to note that all other safeguards required by the GDPR, the Data Protection Act 2018 and the Health Research Regulations, 2018 must be in place, including approval by a research ethics committee.