Research Using Health Related Personal Data
About
- Key Terminology of GDPR
- Personal Data Incident & Breach Management
- Data Protection Principles & Applications
- Six Legal Bases for Processing – GDPR Article 6
- Data Subject Rights
- Processing Special Category Personal Data – GDPR Article 9
- International Data Transfers
- Personal Data & Scientific Research
- Research Using Health Related Personal Data
- Data Privacy & Security Training
- Data Protection and its Scope
- Data Protection Obligations of the University
- Role of the DPO
Research Using Health Related Personal Data
It is important to know that Ireland has introduced detailed Health Research Regulations (HRR). Research using personal health related data needs to comply with the Health Research Regulations. The Irish HRRs have been brought in under the GDPR which gives EU Member States more national control over certain areas.
What are special category data?
- personal data revealing racial or ethnic origin
- personal data revealing political opinions
- personal data revealing religious or philosophical beliefs
- personal data revealing trade union membership
- genetic data and
- biometric data (where used for identification purposes)
- data concerning health
- data concerning a person’s sex life
- data concerning a person’s sexual orientation
In the context of the HRR it is especially important for researchers to remember that health-related research projects will include ‘special category’ personal data that are more sensitive by nature and need to:
- be based on one or more legal basis (bases) (as per GDPR Article 6)
- in order to lawfully process special category data, you must identify in addition to a lawful basis under Article 6 of the GDPR a separate condition for processing under Article 9. These do not have to be linked. There are 10 conditions for processing special category data in Article 9 (a)-(j)
- have safeguards in place to protect an individual's fundamental rights; HRR makes explicit consent one of the safeguards
The HRR require that the processing of personal health data for research purposes needs to be based, as a default, on explicit consent as a safeguard. This is in addition to other suitable and specific measures that need to be in place as well. Health research projects of substantial public interest, where explicit consent is not feasible to obtain, need to apply to the Health Research Consent Declaration Committee (HRCDC)
Important points to consider for research projects that use health related personal data:
- Have absolute clarity on who is responsible for the personal data. This can be one organisation alone, or more than one organisation jointly. Any collaborative research, where more than one organisation can make decisions on 'how' and 'why' personal data are processed, should put joint controller agreements in place, which clearly define each party’s roles and responsibilities in terms of data protection obligations.
- Have a governance committee in place that is responsible for the processing of personal data being in line with legal requirements.
- Know who the personal data will be shared with, now and going forward and put data sharing agreements in place accordingly. Individuals whose personal data are used in the project need to be informed about this from the outset.
- Be aware of any e.g. outsourcing of certain processing operations to experts external to your organisation you intend to do. If you use such processors, you are required by law to manage the Controller-Processor Relationship and put an agreement in place.
- Put appropriate and stringent security measures in place to safeguard the confidentiality, integrity and security of the personal data you process.
- Map your project's dataflows and consider the lifecycle of the personal data you process from the point the data enter your organisation to the point of safe deletion.
- Make sure you design informative privacy notices and Patient Information Leaflets (PILs) and provide them to the individuals you wish to collect personal data from in advance of commencing the collection. This is very important so that they can make informed decisions regarding their choice to participate or not.
- Don't forget that there are restrictions on transferring personal data outside the EEA and that any such transfers to a third country require appropriate provisions to be put in place before they can happen.
- Remember that it is very likely you will have to do a Data Privacy Impact Assessment (DPIA). A DPIA needs to be undertaken before the project plan is finalised and sufficient time should be allowed for the process.
Researchers are required to submit health research projects to an appropriate UCD research ethics committee for ethical review, i.e. HREC-HS and HREC-LS (for details see http://www.ucd.ie/researchethics)
An application that is not compliant with HRR and GDPR cannot be approved by the UCD HRECs (or AREC where appropriate). Data protection issues must be addressed in applications for ethical approval.
A Data Protection Impact Assessment (‘DPIA’) will normally be required for Health Research under HRR and as part of your ethics application. It should outline the rationale for the research you plan to undertake, identify and assess risks to data subjects and ensure compliance. You can find out more and a link to a DPIA template in our document on Managing Risk in Personal Data Processing*. Please be aware that you need to allocate sufficient time for undertaking and reviewing a DPIA, and the integration of any DPO advice received back into the project plan.
You should ensure that you and your research partners have considered all your obligations in terms of the legislation and that you have agreed processes and procedures in place for the handling of any requests, such as access requests, and that these are documented within agreements as needed.
Important documents and guidance for health researchers:
- Health Research Board (HRB) HRB Guidance on Health Research Regulation
- EC- Ethics and data protection [in scientific research, including H2020]
- Guidance on Information Principles for informed consent for the processing of personal data for health research
- DATA PROTECTION ACT 2018 (SECTION 36(2)) (HEALTH RESEARCH) REGULATIONS 2018, Health Research Regulations (HRR)
- Health Research Regulations - 2021 Amendments
- Health Research Consent Declaration Committee (HRCDC)
- Anonymisation and pseudonymisation
- DPC - Full Guidance on Anonymisation and Pseudonymisation
For additional information see: Guidance & Resources