Guidance - Amendments to the Health Research Regulations

NEW:  22nd January 2021:

Following a process of engagement with stakeholders to identify genuine and meaningful challenges in implementation of the Regulations that have impacted health research and health researchers, the Department of Health has identified substantive Amendments to the Regulations responding to these particular challenges. Guidance to the specific Amendments has been prepared collaboratively by the Department of Health, the Secretariat to the Health Research Consent Declaration Committee (HRCDC) and the Health Service Executive and in consultation with the Data Protection Commission:

#1 Guidance on Explicit Consent Amendment

#2 Guidance on Pre-screening Amendments

#3 Guidance on Retrospective Chart Review Amendments

#4 Guidance on Deferred Consent Amendments

#5 Guidance on Informed Consent under EU Directive Amendments

#5b Addendum to Guidance on Informed onsent under EU Directive Amendments

#6 Guidance on Appeals and Technical Amendments 

Frequently Asked Questions

1. What is a consent declaration?
  • A consent declaration is a declaration that can be made by the Health Research Consent Declaration Committee – where it is satisfied that the public’s interest in carrying out the health research significantly outweighs the requirement for the explicit consent of the data subject.
  • A consent declaration is made to the Data Controller(s) of the study – to process personal data for specified health research.
  • Processing of data (See GDPR Article 4(2)) may include, but is not limited to, for example; collecting, using, adapting, retrieving, storing, disseminating, pseudonymisation, anonymisation, sharing, recording etc
  • A consent declaration maybe for a defined part of a project, not necessarily the entire project.
  • NOTE: A consent declaration does not cover the transfer of personal data for third party use, for separate projects. ie  a third party Data Controller wising to further use personal data for their own purpose, may need to seek a separate consent declaration.
  • NOTE: A consent declaration can not be made where consent has been withdrawn by a data subject.
  • NOTE: The HRCDC cannot corroborate a Data Controller’s view as to whether require a consent declaration or not. Each Data Controller must determine whether they require a consent declaration.
2. Who can Apply for a consent declaration
  • Any data controller, national or international may apply for a consent declaration to ‘obtain and use’ and otherwise process personal data it requires, but does not have access to, for a health research study.
  • The data controller that poses/controls the personal data required for the health research study – should not be a party to the application process, unless they are a Joint-Controller in a study.
  • A declaration is made to a data controller of the study seeking to obtain and use personal data for health research study.
  • NOTE: A declaration is not made to the data controller that already possess (data source) the personal data.

Regulation 14 supports the above: Nothing in these Regulations shall be construed as imposing an obligation on a person to disclose personal data to a person who processes personal data for the purpose of health research under these Regulations but, where a declaration is made, any disclosure made by the first mentioned person shall not be in breach of any requirement to obtain consent under these Regulations provided that the disclosure is in accordance with the declaration or any condition to which it may be subject.

3. Who grants a consent declaration?

The Health Research Consent Declaration Committee (HRCDC) have the authority to grant a consent declaration.

4. What steps must be taken prior to submitting an Application?
  • Determine who is the Data Controller.
  • Determine if you are processing identifiable or pseudonymised personal data.
  • Determine if you have explicit consent.
  • Determine what is the scope of the declaration being applied for if explicit consent has not been obtained.
  • Undertake a Data Protection Impact Assessment.
  • Consult with the Data Protection Officer of the Data Controller.
  • Ensure research ethics approval or provisional approval has been granted for the project.
  • Consider if reasonable efforts can be made to contact the data subject to obtain explicit consent for the health research.
  • Alternatively, consider if you can make a case that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.
5. Is there a transitional period for current research?

The transition period has now expired.

The EU Council and EU Parliament signed off on the GDPR in April 2016 with a two year period before it became effective on 25 May 2018.  That was the transition period for preparing for GDPR compliance.

During that period, health researchers should have ensured that the processing of personal data for health research that was ongoing after 25 May (whether it was commenced before or after that date) was in line with the GDPR.

In the context of the Health Research Regulations 2018, an additional transitional period (up to August 7 2019) was incorporated to allow health research involving the use of personal data that was ongoing on 8 August 2018 to become compliant with the requirements of GDPR and the new Regulations. See Amendment No. 1(S.I.188) for further details on the transition period.

 

6. Current Research: Should personal data and bio-samples be destroyed after the August 7th, 2019 deadline, if I am not compliant with the Health Research Regulations?

Researchers should make immediate steps to address gaps in data protection compliance.

Researchers should avoid destroying valuable data or bio-samples without further consultation with their relevant organisation authorities such as their Research Ethics Committee and Data Protection Officer. Engagement should begin immediately.

7. Legal Basis for Processing: What is the legal basis for processing personal data for health research?

Under the GDPR, the processing of personal data requires that:

  • a lawful ground for the processing of personal data in Article 6 must be identified; and
  • that in the case of processing Article 9 type data (which includes health and genetic data) that a condition in Article 9 must be found.

NOTE: These grounds and conditions are separate from the safeguards, including the safeguard of obtaining explicit consent, as required the Health Research Regulations.

NOTE: Public authorities, in particular, should be aware that the Recitals to the GDPR states that they should not rely on consent as an Article 6 ground given the disparity of power that exist between a public authority and a data subject.

NOTE: Article 6 prohibits public authorities from relying on “legitimate interests” as a lawful ground for processing.

8. Jurisdiction: When do the Health Research Regulations apply?

The collection of personal data for health research is bound by the legislation of the country in which it was collected.

The Health Research Regulations 2018 govern all processing of personal data for health research purposes conducted within the Republic of Ireland.

Where consent is obtained by an international third party in line with their country’s data protection requirements, and international ethical standards in health research, there should be no necessity to obtain any further consent. However, should the Irish institution have concerns that consent has not been obtained this should be interrogated further prior to the processing of personal data

Example: An Irish Data Controller processing data from another jurisdiction, should satisfy itself (to the extent reasonably possible) that the data was collected lawfully and fairly in that jurisdiction.

ie In this scenario, where data was obtained lawfully, a consent declaration is not required. However, all further processing of that data within Ireland falls under the scope of GDPR and the Health Research Regulations.

Example: Where multiple data controllers are involved in a multi-site, international collaboration, the Irish data controller collecting personal data must ensure compliance with the Health Research Regulations and GDPR.

i.e The Irish data controller may require a consent declaration for the purpose of sharing personal data with other non-Irish data controllers, where consent could not be obtained. The provisions of the Health Research Regulations and GDPR will apply.

Please consult with your  DPO for all GDPR queries are they may pertain to the roles and responsibilities of data processors and controllers.

The GDPR has a very broad territorial remit as it applies to all organisations (whether data controllers, joint-data controllers or data processors) that are processing of personal data of people who reside within the EU or who are EU Citizens, even if the organisation is not located in the EU.

9. Do I need consent to anonymise a personal dataset for health research purposes?

Anonymised data fall outside the remit of GDPR and the new Health Research Regulations 2018.

However, the process of anonymisation is, in itself, data processing and does fall under the remit of GDPR and may fall under the remit of the Health Research Regulations 2018 depending on its purpose.  Therefore, if the legal ground that the personal data is being held is consent, then consent is required for the anonymisation of that data.

However, if the data controller has another legal basis (other than consent) and, where relevant, meets at least one of the Article 9(2) conditions (other than explicit consent), then consent is not required.

10. Do I need consent to pseudonymise a personal dataset for health research purposes?

No.

Pseudonymisation is a data security measure that is strongly encouraged by the GDPR.

However, pseudonymised data remain subject to requirements of GDPR and, in the case of health research, to the requirements of the Health Research Regulations 2018.

11. Is data Anonymised or Pseudonymised?

Only a Data Controller, in consultation with their DPO, can determine the level of anonymity of the personal data being processed.

The Data Protection Commission (DPC) has comprehensive guidelines that can be viewed here: DPC – Anonymisation and Pseudonymisation.

 

12. Do all suitable and specific measures to safeguards have to be in place, if I have a consent declaration?

Yes. A consent declaration refers only to the requirement to have obtained the suitable and specific measure of explicit consent (Regulation 3(1)(e)) from the data subject.

All of the other suitable and specific measures to safeguard the fundamental rights and freedoms of the data subject described in Regulation 3(1)(a)-(d) must be in place.

13. Ethics Approval: Do I require Research Ethics Committee approval prior to seeking a consent declaration from the HRCDC?

Yes.

As per Regulation 5 of Health Research Regulations, the HRCDC can only make a declaration once i) a Data Protection Impact Assessment (DPIA) has been carried out; and ii) research ethics approval has been received.

Therefore ethical approval or provisional ethical approval, must by confirmed in writing prior to submitting an application to the HRCDC.

A Data Protection Officer (DPO) must review and provide feedback on the DPIA – which must be submitted as part of the application form.

Where provisional ethical approval has been granted, the HRCDC may make a conditional declaration, where the condition attached is the requirement to ensure full ethics approval is obtained prior to the effective date of the declaration.

Importantly, the role of the Research Ethics Committee (REC) should not overlap with the role of the HRCDC – they are distinct and complimentary to each other.

14. Retrospective Chart Reviews: Do retrospective chart reviews fall under the Health Research Regulations?

The Data Protection Commission (DPC) has agreed that the requirement for explicit consent for retrospective chart review studies carried out in a data controller’s organisation by;

(a) a health practitioner employed by the data controller (including students studying, in the data controller’s organisation, to be health practitioners who are under the supervision of the health practitioner); or

(b) an employee of the data controller (other than a health practitioner in (a)) who, in the course of his or her duties for the data controller, would ordinarily have access to health record information held by the data controller and who, in the circumstances, owes a duty of confidentiality (that includes specified penalties for any breach of that duty) to the data subject that is equivalent to that which would exist if that person were a health practitioner,

– that are low risk with high transparency arrangements in place, will continue to be deferred.

A ‘Health Practitioner’ has the meaning ascribed to it in the Health Identifiers Act, 2014.

This arrangement is pending the conclusion of discussions between the Department of Health and the DPC  on this matter and the introduction of a more formalised arrangement through an amendment to the Health Research Regulations.

Again, it is important to note that all other safeguards required by the GDPR, the Data Protection Act 2018 and the Health Research Regulations, 2018 must be in place, including approval by a research ethics committee.

15. Information Principles for Consent: Must each and every one of the Information Principles be addressed?

The Guidance on Information Principles for Consent has been drafted by the Department of Health as a guide to assist researchers.

It is not a legally binding document, nor is it intended to be a complete and mandatory list of principles that must be addressed in patient information leaflet for the purposes of obtained consent.

Three key points are set out in the document;

  • The onus is on the health researcher to (a) justify what information is or is not provided and (b) ensure that the data subject is not surprised by any use or disclosure of his or her personal health data by the researcher.
  • The researcher must always ensure that the language used avoids jargon and is easy to comprehend by the data subject.
  • The information provided should be written from the perspective of the data subject and not the researcher.
  • The information provided should leave no room for misinterpretation by the data subject.

A researcher can further consult the WP29 guidance on transparency

A researcher can further consult the WP29 guidance on consent.

Researchers should review existing consent and information documents to determine if the information is aligned with the guideline of information principles that reflect data protection compliance under GDPR and the Health Research Regulations.

Researchers should consult with their Data Protection Officers (DPOs) or Research Ethic Committees (RECs), as appropriate.

16. Ensuring 'explicit consent': Re-consenting? Re-contacting? Transparency?

NOTE: Researchers should always consult with their DPO and/or RECs when reviewing/revising consent documentation. The following points should not be viewed as legal advice;

Please consider the following;

  • If the processing of data for health research has deviated from scope of the original consent, re-consenting is likely to be required.
  • Re-consenting study participants may not be necessary in order to update on minor information changes to meet transparency requirements.
  • Consider whether recontacting study participants is an appropriate measure to provide updated information regarding the research study.
17. Non-response to re-consent: Can I apply for a consent declaration where reasonable efforts have been made to re-consent data subjects, but there has been no response?

Yes.

A Data Controller should take reasonable efforts to contact data subjects for the purpose of re-consenting. Where there has been no response from the data subject, then the Data Controller can apply to the HRCDC for a consent declaration.

18. Withdrawal of Consent: Can I continue to hold and process data where consent is withdrawn?

The guidance from the Data Protection Commission on this item can be viewed through the Clinical Research Development Network ‘Q14  – Withdrawal’

The HRCDC can not made a declaration to process data, where consent has been withdrawn by the data subject.

Researchers can further consult the WP29 guidance on consent.

19. Biobank: Do I need a consent declaration for accessing a Biobank

Please consider the following guidance notes when determining whether a consent declaration is required accessing a Biobank :

Biobank Overview

 

The Consent Declaration Process

Prior to Health Research Regulations, there was no mechanism in Irish law to address a situation where consent can not be obtained from a research participant (data subject) for health research. Previously some Research Ethics Committees (RECs) may have granted consent waivers. However, those waivers had no legal standing. The Regulations now establish a rigorous lawful consent declaration process.

The new statutory mechanism set out in the Health Research Regulations allows for use of personal data for health research that is of high public importance, and where obtaining consent from the research participant is not possible.

It is not mandatory to apply to the HRCDC. The onus is on the Data Controller of a reseach study to detemine whether an application to seek a declaration is required for health research study.

The HRCDC is not there as an alternative to seeking consent. The HRCDC will need strong evidence to support a claim that obtaining consent is not possible. For that reason, the HRCDC should never be the first option. It is the last. All decisions are made independently by the HRCDC. All appeals will be made to another equally independent panel (appointed by the Minister).

Further, the HRCDC is not intended to take over the functions of RECs. RECs play a separate, distinct and important role in the health research process.

An application maybe submitted to the HRCDC in order to seek a consent declaration for:  New Research that has commenced on or after August 8th, 2018

Through the application process, the applicant should to make a compelling case, with accompanying documentation, to enable the HRCDC to made its decision regarding a consent declaration.

Read more

Presentations

  • April 21st and 28th 2021: Hosted by the Trinity Centre for Ageing and Intellectual Disability, the Secretariat participated in the Trinity Roundtable. Two webinar series were held: ‘Amendments to the Health Research Regulations – What researchers need to know’ and ‘Trinity Masterclass: Amendments to the Health Research Regulations – Exploring Consent’. Both webinar recordings can be viewed here: https://www.tcd.ie/tcaid/research/healthresearchregulations.php  

Decision Flow Chart

A  simple flow chart has been developed to assist Data Controllers/Researchers to assess:

  • If an application to the HRCDC to obtain a consent declaration is required
  • What additional matters should be considered at the application stage

Please always consult with your institution’s Data Protection Officer for specific advice, where appropriate.

Decision Flow Chart
Skip to content