HRCDC | Privacy Policy

1. Table of Contents

Who we are
What information do we collect from you?
Why do we collect this information?
What information about you do we obtain from others?
Where did we get this information?
Who might we share this information with?
What are your rights with respect to your information?
What will happen if we change our privacy notice?
How can you contact us?
GDPR in the HRCDC

2. Who we are

The Health Research Consent Declaration Committee (“HRCDC”) was established as part of the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. No. 314 of 2018 and S.I. No 188 of 2019), made under the Data Protection Act 2018. (For the purpose of this document, the Health Research Regulations, 2018 shall be referred to as ‘Regulations’).

The purpose of the Regulations is to support health research and promote necessary and desirable public confidence and trust in such research.

The Regulations make explicit consent the default position for processing personal data for health research. Specifically, a health researcher/data controller intending to use an individual’s personal information for health research must obtain the explicit consent of the individual to do so.

In limited situations, obtaining explicit consent may not be possible nor practical and the public interest in carrying out the research would significantly outweigh the need for explicit consent being obtained. The Regulations provide for a statutory consent declaration application process that enables a health researcher/data controller or ‘Applicant’ to apply for a consent declaration where explicit consent cannot be sought and the public’s interest outweighs the need for explicit consent (the “Application”).

The HRCDC
The Regulations provide for an independent and representative committee to make decisions on the Applications – that is the role of the Health Research Consent Declaration Committee (HRCDC). The HRCDC is a body formed under statutory instrument (S.I. No. 314 of 2018 and S.I. No. 188 of 2019)
and are the Data Controller that determines the purposes and means of processing of all Personal Data it receives directly or through the Secretariat, as it relates to its duties.

The Secretariat
The HRCDC is administratively supported by the Secretariat. The Secretariat are the ‘Data Processors’ pursuant to the Regulations, to record and process personal information it receives by phone, email and/or contained in consent declaration applications submitted by Applicants. The Secretariat to the HRCDC is provided by the Health Research Board (“HRB”) and hosted in the HRB offices located at Grattan House, 67-72 Lower Mount Street, Dublin 2.

Privacy Notice
This notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by Us, where ‘Us, We, Our’ means the Secretariat and HRCDC either separately or together.

Any reference to ‘Data Controller’, ‘Data Processor’, ‘Personal Data’ and ‘Data Subject’ shall have the meaning ascribed to in the General Data Protection Regulations (the ‘GDPR’).

Please read the following carefully to understand our practices regarding your personal data and how we will treat it. We use certain expressions throughout this document such as ‘Personal data’. This means any information relating to an identified or identifiable natural person, the ‘Data Subject’.

The HRCDC is the Data Controller for Personal Data it receives and processes in the course of its duties under the Regulations;
The HRB is the Data Controller for any Personal Data relating to the staff of the Secretariat.
The HRB, are the Data Processors for any Personal Data it receives and processes in the course of the Secretariat’s role in supporting the HRCDC function.

The Data Protection Officer (“DPO”) for the HRB is the Director of Corporate Operations.

The Data Protection Office for the HRCDC is the Chairperson of the HRCDC.

3. What information do we collect from you?

Information collected by the Secretariat on behalf of the HRCDC relates to:

Applicants seeking information about, or applying for, a consent declaration;
Members of the Committee and the Secretariat;
Visitors to the HRCDC website

You may give Us information by:

corresponding with Us by phone or e-mail or otherwise. We ask you to disclose only as much information as is necessary for your interaction with Us to enable Us to carry out the duties required under the Regulations;
applying for a position with us as a HRCDC member or employee of the Secretariat. The type of information you may provide includes your CV, a cover letter, your name, address, e-mail address and phone number. CVs should include information relevant to your employment history and education (degrees obtained, places worked, positions held, relevant awards, and so forth);
supporting your duties as a member of the HRCDC. For example providing a photograph and professional biography as well as information needed to process relevant allowable payments such as travel expenses
visiting and using the HRCDC website

We ask that no sensitive personal information (e.g. height, weight, medical information, religion, philosophical or political beliefs, and financial data) is ever provided to Us in your application.

4. Why do we collect this information?

Information is collected to process consent declaration Applications, improve the website, recruit staff and members to the HRCDC and Secretariat, and to operate the HRCDC.

For Applicants

For Applicants we will only collect and process personal information that is needed to comply with the HRCDC’s statutory function as an independent committee within the health research consent declaration process. This Personal Data is limited to the names, contact details and professional background of Applicants and those involved in the research project as outlined in the application form. This further includes information on the data controller or Applicant, the lead investigator, your organisation’s Data Protection Officer and the Research Ethics Committee that has approved your research project prior to you seeking a consent declaration from the HRCDC.

Please note that Applicants should never provide personally identifiable information (names, patient identification numbers etc.) or any pseudonymised data of research subjects in their application forms.

As an Applicant your personal data will be used by Us to/for:

Triaging and assessing an Application that you have submitted to the HRCDC
Requesting more information to process your Application
Provide you with updates and decisions on your Application
Processing and assessing submissions for amendments to an existing consent declaration
Discussing the annual review submitted by the Applicant on the anniversary of date the declaration was made
Processing any Report of Breaches made to the HRCDC by the Applicant
Informing you that a consent declaration had been terminated
Maintaining a register of the decisions made by the CHRCDC
Facilitating an appeal that maybe submitted to Minister of Health
Provide you with updates and decisions on your appeal of a decision made by the HRCDC
Producing an annual report of activities to the Minister of Health

The Personal Data processed for the purposes described above will be shared with the HRCDC and the Secretariat only. Personal Data may also be shared with the appeals panel should an Applicant wish to appeal a decision made by the HRCDC in relation to their application. The appeals process is independent of the HRCDC. Personal Data shared with the appeals panel will be limited to the original Application and the information submitted by the Applicant and information on the decision made by the committee. More information on the type of documents, in addition to the original application form and evidence submitted, that will be produced/maintained by the HRCDC as a result of data processing can be found in the HRCDC Standard Operating Procedures.

As required under the Regulations, the following will be published on the HRCDC website as a transparent record:

Applicant and associated organisation as it relates to the Application reviewed by the HRCDC

summary information about applications made to the HRCDC
the application reference number
minutes of all meetings
a register of decisions made by the HRCDC
the annual report furnished to the Minister

For the HRCDC and Secretariat

When applying to join the HRCDC the type of information you may provide includes your CV, a cover letter, your name, address, e-mail address and phone number. CVs should include information relevant to your employment history and education (degrees obtained, places worked, positions held, relevant awards, and so forth).

If you are successful in your application to become a member of the HRCDC, the Secretariat as the Data Processors on behalf of the HRCDC, will collect and store your Personal Data. HRCDC member attendance will be captured in minutes of meetings and other relevant, standard documents that will
be produced as part of the operations of the HRCDC. For transparency HRCDC members will be asked to declare potential and/or actual conflict of interests as they arise during the course of the duties.

The Secretariat will collect and store Personal Data of HRCDC will collect and store Personal Data of its members for the purpose of processing allowable expenses. As a requirement of the Regulations, the names and short professional biographies of HRCDC members will be published on the HRCDC website, subject to the written consent of each HRCDC member.

The legal basis for the processing of your Personal Data is:

such that you have provided consent for the processing for one or more specific purposes. For example, the review of a consent declaration application which you submit to us;
for the performance of a contract which you have entered into with us or to take steps at your request prior to entering into a contract;
for compliance with a legal obligation to which we are subject;
for the performance of a task in the exercise of official authority vested in us by our statutory functions as set out in Statutory Instrument (S.I.) No. 314 of 2018 and S.I. No. 188 of 2019.

We will use this information:

to carry out Our statutory duties under the Regulations;
to create a candidate profile for you;
to communicate any upcoming HRCDC events;
to fulfil Our statutory duties which includes the processing of a consent declaration application which you submit to Us and to communicate decisions as they relate to your application;
to administer and improve Our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes. For further information please see our Cookie Policy on our website;
as part of our efforts to keep our website safe and secure;
to make suggestions and recommendations to you and other users of Our website about services that may interest you or them

5. What information about you do we obtain from others?

The HRCDC only obtains Personal Data that it receives as part of the consent declaration Application process and as required to fulfil the statutory duties of the HRCDC. We may receive your Personal Data through email or telephone queries as they pertain to the duties of the HRCDC and consent declaration process. These queries may be sent to Us by third parties for review, such as the HRB.

6. Where did we get this information?

We obtain this information from you the Applicant and/or your research body/institution as part of a consent declaration application submitted to Us.

7. Who might we share this information with?

To allow Us to fulfil our statutory duties, we may share your Personal Data with selected third parties. Such third parties may include the Department of Health or other Government agencies such as the Revenue Commissioners, Garda Síochana, or other agencies for the detection, investigation or prosecution of offences and to enable them to perform their functions.

To allow Us to fulfil our statutory duties, We may also share your Personal Data with selected third parties including suppliers and sub-contractors. A list of third parties with whom We share your data is as follows:

Department of Health
Cloud Service Providers
IT Back-up Providers
Archive/shredding companies
Email, Website and IT service providers
Auditors
Accounting software
CCTV service providers
Security software
Cookie analytics service provider

8. What are your rights with respect to your information?

You have the following rights:

The right to access the information We hold about you.
The right to require Us to rectify any inaccurate information about you without undue delay.
The right to have Us erase any information We hold about you in circumstances such as where it is no longer necessary for Us to hold the information for your use of our services or if you have withdrawn your consent to the processing.
The right to object to Us processing information about you such as processing for profiling or direct marketing, where consent has not been obtained for such activity.
The right to ask Us to provide your information to you in a portable format or, where technically feasible, for Us to port that information to another provider provided it does not result in a disclosure of information relating to other people.
The right to request a restriction of the processing of your Personal Data

Where our processing of your information is based on your consent to that processing, you have the right to withdraw that consent at any time but any processing that we have carried out before you withdrew your consent remains lawful.

You may exercise any of the above rights by: writing to the Secretariat at dpo@hrcdc.ie or by post to HRCDC, Grattan House, 67-72 Lower Mount Street, Dublin 2.

You may lodge a complaint with your local supervisory authority with respect to our processing of your information. In Ireland, the local Supervisory Authority is the Office of the Data Protection Commissioner with an address at either a) 21 Fitzwilliam Square South Dublin 2 D02 RD28 Ireland or b) Canal House, Station Road, Portarlington, R32 AP23 Co. Laois

9. What will happen if we change our privacy notice?

This notice may change from time to time, and any changes will be posted on Our website and will be effective when posted. Please review this notice each time you use Our website or Our services. This notice was last updated on the date appearing on the cover hereof.

10. How can you contact us?

You can contact us:
by phone: (01) 2345000
by email: dpo@hrcdc.ie
or by post: HRCDC, Grattan House, 67-72 Lower Mount Street, Dublin 2, D02 H638.

The General Data Protection Regulation (“GDPR”) 2018 outlines the legal obligations that are attached to Personal Data that is held by HRCDC. The HRCDC is committed to protecting the rights and privacy of individuals in accordance with this act.

The HRCDC’s obligations under the GDPR are as follows;

Obtain and process the Personal Data fairly.
Keep it only for the one or more specified and lawful purposes.
Process it only in ways compatible with the purposes for which it was given.
Keep it safe and secure.
Keep it accurate and up to date.
Ensure it is adequate, relevant and not excessive.
Retain it no longer than is necessary for the specific purpose or purposes.
Give a copy of his/her Personal Data to that individual, upon request.

When making a request, you should give any details you have that would help Us identify you and to locate all the information that We may keep about you – for example, any previous addresses, date of birth, reference number from previous contact with Us.

You can make a Data Subject Access Request by contacting us as described in Section 9 of this document.

Cookie	Type	Duration	Description
cookielawinfo-checkbox-necessary	Third Party	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	Third Party	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
SECGTiu-nrWmp	Session	1 day	The cookie is set by the WP Cerber Security plugin with the sole purpose of securing https://www.hrcdc.ie by detecting and mitigating malicious activity. This cookie's name has been randomly generated and contains randomly generated values. No personal or sensitive data is stored in this cookie. WP Cerber’s cookies are strictly "Necessary" and no natural person is associated with them.
SECQvceB-fH	Session	1 day	The cookie is set by the WP Cerber Security plugin with the sole purpose of securing https://www.hrcdc.ie by detecting and mitigating malicious activity. This cookie's name has been randomly generated and contains randomly generated values. No personal or sensitive data is stored in this cookie. WP Cerber’s cookies are strictly "Necessary" and no natural person is associated with them.
SECTdJSGbrvPmcMKZO	Session	1 day	The cookie is set by the WP Cerber Security plugin with the sole purpose of securing https://www.hrcdc.ie by detecting and mitigating malicious activity. This cookie's name has been randomly generated and contains randomly generated values. No personal or sensitive data is stored in this cookie. WP Cerber’s cookies are strictly "Necessary" and no natural person is associated with them.
SECZlDjgUHTtb	Session	1 day	The cookie is set by the WP Cerber Security plugin with the sole purpose of securing https://www.hrcdc.ie by detecting and mitigating malicious activity. This cookie's name has been randomly generated and contains randomly generated values. No personal or sensitive data is stored in this cookie. WP Cerber’s cookies are strictly "Necessary" and no natural person is associated with them.
viewed_cookie_policy	Third Party	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. The cookies is used to store the user consent for the cookies in the category "Necessary".