Research Data Protection

TUH Research Data Protection Officer: Dr. Sadhbh O’Neill, Saidhbh.ONeill@tuh.ie

  • The General Data Protection Regulation (GDPR) was signed into law on the on the 28th May 2018 for all of Europe (https://gdpr-info.eu/)
  • Irelands Interpretation of GDPR, namely the Data Protection Act of 2018 (http://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/html) was implemented in Ireland on the 8th August 2018.
  • The Department of Health (DoH) in Consultation with the Data Protection Commission (DPC) (https://www.dataprotection.ie/) published the Health Research Regulations 2018 (http://www.irishstatutebook.ie/eli/2018/si/314/made/en/pdf), which is Irelands Interpretation of GDPR/Data Protection Act 2018 for Health Research.
  • And it’s amendments (https://www.irishstatutebook.ie/eli/2021/si/18/made/en/print)
  • Therefore all Health Research taking place in Ireland is subject to the GDPR, the Data Protection Act and the Health Research Regulation     
  • What does this mean for Health Research in Ireland?

GDPR, the Data Protection Act of 2018 and the Health Regulations (HRR) required consent to be sought for all research taking place. However in January 2021 amendments to the HRR were enacted by the DoH and the Data Protection Commission. These amendments concerned a number of areas but of particular interest to researchers are the amendments to:

    1. Retrospective Chart Reviews - Consent is no longer required for this type of study BUT only when the study meets certain low risk criteria: (i) the data is protected by a unique coding system (ii) a data protection risk assessment has concluded that the study is low risk (iii) it is performed by a healthcare practitioner who is an employee of TUH or a student healthcare practitioner (iii) is another employee of TUH who in their normal duties has access to medical records (iv) the data will not be shared unless completely anonymous (v) the published results will not identify any individual and (vi) the Research Ethics Committee must review and approve the study.
    2. Pre-screening – pre-screening is the process researchers used to identify patients that may be suitable for the research study they wish to undertake. This involves accessing medical records for the purpose of identifying patients but no data is removed/copied/recorded prior to consent. This can only be conducted by a healthcare practitioner employed by the controller (hospital, primary care centre, GP practice etc) or a person studying to be a health practitioner who is under the direction and control of the controller. That means that there are formal governance arrangements in place that include specifying that the controller rather than the supervising health practitioner is responsible for all data protection matters relevant to the student; • An employee of the controller (for example, a medical records clerk) who in the course of his or her duties for the controller, would ordinarily have access to the personal data of individuals held by the controller (that were obtained for the provision of health care to those individuals); or • A person referred to an “authorised person” (see next slides). Who can be an authorised person? The amendment specifies certain persons who can be authorised by the controller holding the personal data to carry out the pre-screening element of health research without explicit consent. Those persons can be employees of the following organisations: (a) an institution of higher education within the meaning of section 1(1) of the Higher Education Authority Act 1971 (No. 22 of 1971), (b) a body or person that has as its principal activity the provision, management or development of a health practitioner, or (c) a registered charitable organisation within the meaning of the Charities Act 2009 (No. 6 of 2009), one of whose objects is to support research and education in the health services. Should they be deemed suitable they will be contacted in order to provide them with information about the study and, if they feel comfortable and happy, to obtain their consent. This first contact should be made health practitioner of the controller or an authorised person who is a health practitioner.
    3. Health Research Consent Declaration Committee 
    • Research involving patients who lack capacity to provide their own informed consent for their participation in research require a consent declaration by the Health Research Consent Declaration Committee (HRCDC)
    • The data controller must apply to the HRCDC for a consent declaration
    • The HRCDC is a separate committee to the Ethics committee. Their role is to review applications regarding the processing of a patient's data without seeking consent from the patient   
      I.  Personal data (i.e. name. address, MRN, email address, DOB, etc)
      II. Personal sensitive data (i.e. patients medical data)
    • The HRCDC committee make a decision as to whether there is significant public interest in the study and this public interest outweighs an individual's right to give their consent for their data to be processed
    • The HRCDC will require assent to be sought from the patient’s proxy.
    • More information and the HRCDC application form can be found at the link above

Consent for Health Research must be dual consent, (i) consent for participating in research and (ii) consent for processing a patient’s data. The DoH have published their guidance for seeking explicit consent from patients. Please also consult the HSE consent policy for health and social care research (https://www2.healthservice.hse.ie/organisation/national-pppgs/hse-national-policy-for-consent-in-health-and-social-care-research/)