Updated April 30th, 2019:
After further consultation with, and agreement by, the Data Protection Commission, the Dept. of Health has confirmed that the requirement for explicit consent has been deferred for retrospective chart reviews under the following circumstances:
Specifically, explicit consent is not required where retrospective chart reviews are carried out in a data controller’s organisation by:
(a) a health practitioner** employed by the data controller (including students studying, in the data controller’s organisation, to be health practitioners who are under the supervision of the health practitioner) or
(b) an employee of the data controller (other than a health practitioner in (a)) who, in the course of his or her duties for the data controller, would ordinarily have access to health record information held by the data controller and who, in the circumstances, owes a duty of confidentiality (that includes specified penalties for any breach of that duty) to the data subject that is equivalent to that which would exist if that person were a health practitioner,
and where retrospective chart reviews are low risk, with highly visible transparency arrangements in place. All other safeguards required by GDPR, the Data Protection Act, 2018 and the Health Research Regulations must be in place, including research ethics approval and data protection risk assessments.
(** A ‘Health Practitioner’ has the meaning ascribed to it in the Health Identifiers Act, 2014)
The requirement for explicit consent for the purpose of retrospective chart reviews will continue to be deferred pending the conclusion of discussions between the Department of Health and the Data Protection Commission on this matter. The introduction of a more formalised arrangement will follow through an amendment to the Health Research Regulations.
Retrospective chart reviews that are undertaken for the purposes of a) clinical audit, b) service evaluation or c) training do not fall under the remit of the Health Research Regulations, 2018. However, they are still covered by the GDPR and professional and ethical rules.
It is accepted that the distinction between research, clinical audit, service evaluation and training can be a fine one. As with every aspect of the GDPR, it is for the data controller to determine whether a particular processing activity is health research or clinical audit or something else and to be able to justify that view having regard to the individual circumstances involved. Accordingly, Data Protection Officers within organisations are best placed to offer advice on particular processing activities.