Privacy Policy

Who we are

The Health Research Consent Declaration Committee (“HRCDC”) was established as part of the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. No. 314 of 2018 and S.I. No 188 of 2019), made under the Data Protection Act 2018. (For the purpose of this document, the Health Research Regulations, 2018 shall be referred to as ‘Regulations’).

The purpose of the Regulations is to support health research and promote necessary and desirable public confidence and trust in such research.

The Regulations make explicit consent the default position for processing personal data for health research. Specifically, a health researcher/data controller intending to use an individual’s personal information for health research must obtain the explicit consent of the individual to do so.

In limited situations, obtaining explicit consent may not be possible nor practical and the public interest in carrying out the research would significantly outweigh the need for explicit consent being obtained. The Regulations provide for a statutory consent declaration application process that enables a health researcher/data controller or ‘Applicant’ to apply for a consent declaration where explicit consent cannot be sought and the public’s interest outweighs the need for explicit consent (the “Application”).

The HRCDC

The Regulations provide for an independent and representative committee to make decisions on the Applications – that is the role of the Health Research Consent Declaration Committee (HRCDC). The HRCDC is a body formed under statutory instrument (S.I. No. 314 of 2018, S.I. No. 188 of 2019 and S.I. No. 18 of 2021) and are the Data Controller that determines the purposes and means of processing of all Personal Data it receives directly or through the Secretariat, as it relates to its duties.

The Secretariat

The HRCDC is administratively supported by the Secretariat. The Secretariat are the ‘Data Processors’ pursuant to the Regulations, to record and process personal information it receives by phone, email and/or contained in consent declaration applications submitted by Applicants. The Secretariat to the HRCDC is provided by the Health Research Board (“HRB”) and hosted in the HRB offices located at Grattan House, 67-72 Lower Mount Street, Dublin 2.

Privacy Notice

This notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by Us, where ‘Us, We, Our’ means the Secretariat and HRCDC either separately or together.
Any reference to ‘Data Controller’, ‘Data Processor’, ‘Personal Data’ and ‘Data Subject’ shall have the meaning ascribed to in the General Data Protection Regulations (the ‘GDPR’).
Please read the following carefully to understand our practices regarding your personal data and how we will treat it. We use certain expressions throughout this document such as ‘Personal data’. This means any information relating to an identified or identifiable natural person, the ‘Data Subject’.

  • The HRCDC is the Data Controller for Personal Data it receives and processes in the course of its duties under the Regulations
  • The HRB is the Data Controller for any Personal Data relating to the staff of the Secretariat
  • The HRB, are the Data Processors for any Personal Data it receives and processes in the course of the Secretariat’s role in supporting the HRCDC function.

The Data Protection Officer (“DPO”) for the HRB is the Director of Corporate Operations.
As and when necessary, the HRCDC and Secretariat will consult with the HRB and Data Protection Commission with respect to all data protection matters as they may arise during the course of their duties. Any data breach that may arise will be managed in accordance with the HRCDC Data Breach Policy.

What information do we collect from you?

Information collected by the Secretariat on behalf of the HRCDC relates to:

  1. Applicants seeking information about, or applying for, a consent declaration
  2. Members of the Committee and the Secretariat
  3. Visitors to the HRCDC website

You may give Us information by:

  • corresponding with Us by phone or e-mail or otherwise. We ask you to disclose only as much information as is necessary for your interaction with Us to enable Us to carry out the duties required under the Regulations
  • applying for a position with us as a HRCDC member or employee of the Secretariat. The type of information you may provide includes your CV, a cover letter, your name, address, e-mail address and phone number. CVs should include information relevant to your employment history and education (degrees obtained, places worked, positions held, relevant awards, and so forth)
  • supporting your duties as a member of the HRCDC. For example providing a photograph and professional biography as well as information needed to process relevant allowable payments such as travel expenses
  • visiting and using the HRCDC website

We ask that no sensitive personal information (e.g. medical information, religion, philosophical or political beliefs, and financial data) is ever provided to Us in your application.

Why do we collect this information?

Information is collected to process consent declaration Applications, improve the website, recruit staff and members to the HRCDC and Secretariat, and to operate the HRCDC.

For Applicants

For Applicants we will only collect and process personal information that is needed to comply with the HRCDC’s statutory function as an independent committee within the health research consent declaration process. This Personal Data is limited to the names, contact details and professional background of Applicants and those involved in the research project as outlined in the application form. This further includes information on the data controller or Applicant, the lead investigator, your organisation’s Data Protection Officer and the Research Ethics Committee that has approved your research project prior to you seeking a consent declaration from the HRCDC.
Please note that Applicants should never provide personally identifiable information (names, patient identification numbers etc.) or any pseudonymised data of research subjects in their application forms.

As an Applicant your personal data will be used by Us to/for:

  • Triaging and assessing an Application that you have submitted to the HRCDC
  • Requesting more information to process your Application
  • Provide you with updates and decisions on your Application
  • Processing and assessing submissions for amendments to an existing consent declaration
  • Discussing the annual review submitted by the Applicant on the anniversary of date the declaration was made
  • Processing any Report of Breaches made to the HRCDC by the Applicant
  • Informing you that a consent declaration had been terminated
  • Maintaining a register of the decisions made by the HRCDC
  • Facilitating an appeal that maybe submitted to Minister of Health
  • Provide you with updates and decisions on your appeal of a decision made by the HRCDC
  • Producing an annual report of activities to the Minister of Health

The Personal Data processed for the purposes described above will be shared with the HRCDC and the Secretariat only. Personal Data may also be shared with the appeals panel should an Applicant wish to appeal a decision made by the HRCDC in relation to their application. The appeals process is independent of the HRCDC. Personal Data shared with the appeals panel will be limited to the original Application and the information submitted by the Applicant and information on the decision made by the committee. More information on the type of documents, in addition to the original application form and evidence submitted, that will be produced/maintained by the HRCDC as a result of data processing can be found in the HRCDC Standard Operating Procedures.

As required under the Regulations, the following will be published on the HRCDC website as a transparent record:

  • applicant and associated organisation as it relates to the Application reviewed by the HRCDC
  • summary information about applications made to the HRCDC
  • the application reference number
  • minutes of all meetings
  • a register of decisions made by the HRCDC
  • the annual report furnished to the Minister

For the HRCDC and Secretariat

When applying to join the HRCDC the type of information you may provide includes your CV, a cover letter, your name, address, e-mail address and phone number. CVs should include information relevant to your employment history and education (degrees obtained, places worked, positions held, relevant awards, and so forth).
If you are successful in your application to become a member of the HRCDC, the Secretariat as the Data Processors on behalf of the HRCDC, will collect and store your Personal Data. HRCDC member attendance will be captured in minutes of meetings and other relevant, standard documents that will be produced as part of the operations of the HRCDC. For transparency HRCDC members will be asked to declare potential and/or actual conflict of interests as they arise during the course of the duties.
The Secretariat will collect and store Personal Data of HRCDC will collect and store Personal Data of its members for the purpose of processing allowable expenses.
As a requirement of the Regulations, the names and short professional biographies of HRCDC members will be published on the HRCDC website, subject to the written consent of each HRCDC member.

Legal Basis

The legal basis for the processing of your Personal Data is:

  • such that you have provided consent for the processing for one or more specific purposes. For example, the review of a consent declaration application which you submit to us;
  • for the performance of a contract which you have entered into with us or to take steps at your request prior to entering into a contract;
  • for compliance with a legal obligation to which we are subject;
  • for the performance of a task in the exercise of official authority vested in us by our statutory functions as set out in Statutory Instrument (S.I.) No. 314 of 2018 and S.I. No. 188 of 2019.

We will use this information:

  • to carry out Our statutory duties under the Regulations;
  • to create a candidate profile for you;
  • to communicate any upcoming HRCDC events;
  • to fulfil Our statutory duties which includes the processing of a consent declaration application which you submit to Us and to communicate decisions as they relate to your application;
  • to administer and improve Our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes. For further information please see our Cookie Policy on our website;
  • as part of our efforts to keep our website safe and secure;
  • to make suggestions and recommendations to you and other users of Our website about services that may interest you or them.

What information about you do we obtain from others?

The HRCDC only obtains Personal Data that it receives as part of the consent declaration Application process and as required to fulfil the statutory duties of the HRCDC. We may receive your Personal Data through email or telephone queries as they pertain to the duties of the HRCDC and consent declaration process. These queries may be sent to Us by third parties for review, such as the HRB.

Where did we get this information?

We obtain this information from you the Applicant and/or your research body/institution as part of a consent declaration application submitted to Us.

Who might we share this information with?

To allow Us to fulfil our statutory duties, we may share your Personal Data with selected third parties. Such third parties may include the Department of Health or other Government agencies such as the Revenue Commissioners, Garda Síochana, or other agencies for the detection, investigation or prosecution of offences and to enable them to perform their functions.
To allow Us to fulfil our statutory duties, We may also share your Personal Data with selected third parties including suppliers and sub-contractors. A list of third parties with whom We share your data is as follows:

  • Department of Health
  • Cloud Service Providers
  • IT Back-up Providers
  • Archive/shredding companies
  • Email, Website and IT service providers
  • Auditors
  • Accounting software
  • CCTV service providers
  • Security software
  • Cookie analytics service provider

What are your rights with respect to your information?

You have the following rights:

  • The right to access the information We hold about you.
  • The right to require Us to rectify any inaccurate information about you without undue delay.
  • The right to have Us erase any information We hold about you in circumstances such as where it is no longer necessary for Us to hold the information for your use of our services or if you have withdrawn your consent to the processing.
  • The right to object to Us processing information about you such as processing for profiling or direct marketing, where consent has not been obtained for such activity.
  • The right to ask Us to provide your information to you in a portable format or, where technically feasible, for Us to port that information to another provider provided it does not result in a disclosure of information relating to other people.
  • The right to request a restriction of the processing of your Personal Data.

Where our processing of your information is based on your consent to that processing, you have the right to withdraw that consent at any time but any processing that we have carried out before you withdrew your consent remains lawful. You may exercise any of the above rights by: writing to the Secretariat at dpo@hrcdc.ie or by post to HRCDC, Grattan House, 67-72 Lower Mount Street, Dublin 2.
You may lodge a complaint with your local supervisory authority with respect to our processing of your information. In Ireland, the local Supervisory Authority is the Office of the Data Protection Commissioner with an address at a) 21 Fitzwilliam Square South Dublin 2 D02 RD28 Ireland.

What will happen if we change our privacy notice?

This notice may change from time to time, and any changes will be posted on Our website and will be effective when posted. Please review this notice each time you use Our website or Our services. This notice was last updated on the date appearing on the cover hereof.

How can you contact us?

You can contact us:

  1. By phone on (01) 2345000
  2. By email at dpo@hrcdc.ie
  3. By post to HRCDC, Grattan House, 67-72 Lower Mount Street, Dublin 2, D02 H638.

GDPR in the HRCDC

The General Data Protection Regulation (“GDPR”) 2018 outlines the legal obligations that are attached to Personal Data that is held by HRCDC. The HRCDC is committed to protecting the rights and privacy of individuals in accordance with this act.
The HRCDC’s obligations under the GDPR are as follows;

  1. Obtain and process the Personal Data fairly.
  2. Keep it only for the one or more specified and lawful purposes.
  3. Process it only in ways compatible with the purposes for which it was given.
  4. Keep it safe and secure.
  5. Keep it accurate and up to date.
  6. Ensure it is adequate, relevant and not excessive.
  7. Retain it no longer than is necessary for the specific purpose or purposes.
  8. Give a copy of his/her Personal Data to that individual, upon request.

When making a request, you should give any details you have that would help Us identify you and to locate all the information that We may keep about you – for example, any previous addresses, date of birth, reference number from previous contact with Us.
You can make a Data Subject Access Request by contacting us via the above section.