FAQ

Data controller and processors

Control, rather than possession, of personal data is the key factor.

A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information. Data controllers include sections or units of the organisation (e.g. academic departments, research centres, etc.) and employees (including research students) that control and are responsible for the data processing.

A data processor may hold or process personal data, but does not exercise responsibility for or control over the personal data.


Yes.  It is not uncommon that an organisation and even an individual might be both a data controller and a data processor.

The decision as to whether an organisation or individual is a data controller or a data processor relates to the type of data processing involved and the extent of control that the organisation or individual has over that processing.

The data controller is the person (or organisation) who determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).


If, as part of a collaborative research project, you and one or more other researcher(s) jointly determine the purposes and means of data processing, then you and those other researcher(s) (and your employing research organisations) are joint data controllers.

If you are a joint data controller with one or more other researchers/organisations, then it is necessary to agree your respective responsibilities for compliance with GDPR. This agreement should be transparent and must identify an agreed data protection contact point to allow individuals to exercise their data protection rights.


Your role in GDPR

If either you personally, or researchers working for you (including postgraduate students), process personal data as part of a research project that you lead, then yes, you have individual responsibilities under GDPR and, where relevant in the case of health research, under the Health Research Regulations 2018.

As a Principal Investigator, your responsibilities are to ensure that you personally and that all researchers working for you:

  1. are aware of the personal data that you/they are processing as part of your research activities
  2. know and comply with all the data protection procedures and policies in your institution that govern the processing of personal data
  3. where relevant, know and comply with the suitable and specific safeguards mandated by the Health Research Regulations 2018
  4. know who to contact in your institution in the event of a data breach
  5. report any data breach, or a data breach of one of the researchers working for you, without undue delay
  6. undertake data protection training if required by your institution
  7. adhere to all of the GDPR principles, including the principle of Privacy by design and by default throughout the research project lifecycle from initial project design through to project completion

If you are unclear about any of your responsibilities under GDPR or the Health Research Regulations 2018 as a Principal Investigator, you should contact the data protection officer in your organisation to discuss your specific circumstances.


If you process personal data as part of your research project, then yes, you have individual responsibilities under GDPR and, where relevant, under the Health Research Regulations 2018.

As a postgraduate student, your responsibilities are to:

  1. be aware of the personal data that you are processing as part of your research
  2. know and comply with all of the data protection procedures and policies in your institution that govern the processing of personal data
  3. where relevant, know and comply with the suitable and specific safeguards mandated by the Health Research Regulations 2018
  4. know who to contact in your institution in the event of a data breach
  5. report any data breach without undue delay
  6. undertake data protection training if required by your institution
  7. adhere to all of the GDPR principles, including the principle of Privacy by design and by default throughout the research project lifecycle from initial project design through to project completion

If you are unclear about any of your responsibilities under GDPR or the Health Research Regulations 2018 as a researcher or postgraduate student, you should contact either your line manager or the data protection officer in your organisation to discuss your specific circumstances.


In general, many of the data protection concepts and principles (including individual rights) that were put in place under the previous EU data protection directive will remain the same under GDPR.

Explicit consent

Informed consent of the individual remains at the heart of GDPR as it did with the previous EU data protection directive.  In the case of special category data, which includes health data, biometric data and genetic data, the data controller must obtain your explicit consent.

While GDPR allows a patient's health data to be used for the provision of their medical and health care, where health data are processed for purposes outside this remit, the health care professional must obtain the explicit consent of the patient(s) involved.

This is strongly reinforced where the processing of personal data is for health research purposes by the Health Research Regulations 2018.


In addition, GDPR strengthens the existing rights and also provides for a number of new data protection rights in order to give individuals more control of the use and storage of their personal data by organisations.

Individual GDPR rights

  • Right to be informed in clear and understandable language (Articles 12, 13, 14)
  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Right to be forgotten) (Article 17)
  • Right to restrict processing (Article 18)
  • Right to notification (Articles 19 and 34)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Right to object to automated decision-making (Article 22)
  • Right to seek compensation (Article 82)

For more details on the rights of individuals under GDPR, please click here


No, you cannot personally use your patients' health data or share their health data with a third party individual or organisation, for research purposes, without the patient's explicit consent.

The only limited exception to this rule is if you have obtained a "consent declaration" under the new Health Research Regulations 2018.

Among other conditions, a consent declaration under the new Health Research Regulations 2018 requires that:

  • the public importance of the research outweighs to a significant degree the public interest in requiring the explicit consent of the individual whose data is being processed.

Explicit consent

Informed consent of the individual remains at the heart of GDPR as it did with the previous EU data protection directive.  In the case of special category data, which includes health data, biometric data and genetic data, the data controller must obtain the explicit consent of the individual data subject.

While GDPR allows a patient's health data to be used for the provision of their medical and health care, where health data are processed for purposes outside this remit, the health care professional must obtain the explicit consent of the patient(s) involved.

This is strongly reinforced where the processing of personal data is for health research purposes by the Health Research Regulations 2018.


Information on the transfer of personal data to another country can be found here.

If you wish to transfer personal data to another country outside of the EEA, you should first consult your DPO.


Yes.  Irrespective of whether the legal basis that you are relying upon requires the consent of the data subject, the new Health Research Regulations 2018 require that you obtain the "explicit consent" of the data subject if you are processing personal data for health research purposes.

The only limited exception to this rule is if you have obtained a "consent declaration" under the Health Research Regulations 2018.

Among other conditions, a consent declaration under the new Health Research Regulations 2018 requires that:

  • the public importance of the research outweighs to a significant degree the public interest in requiring the explicit consent of the individual whose data is being processed.


GDPR penalties are applicable to both data controllers and data processors.

Serious data protection breaches

  • up to 4% of gross annual turnover or €20M (whichever is the higher)

Examples of serious data protection breaches include:

  1. loss of data (whether deliberate or not)
  2. data processing without the consent of users

Less serious data protection breaches

  • up to 2% of gross annual turnover or €10M (whichever is the higher)

Examples of less serious data protection breaches include:

  1. records not kept in order or not accurate
  2. not conducting an impact assessment

Anonymised data

Anonymised data

Data are anonymised when an individual can no longer be identified from them. Anonymous data do not allow either direct or indirect re-identification.

Pseudonymous data

‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

For example, a dataset that has been ‘link-coded’, with names and other key identifiers removed, but which is linked to a separate file held by, or accessible to, the researcher which enables individual research subjects to be identified (including, potentially, consent forms) is considered to be ‘pseudonymised’.


Personal data that have undergone ‘pseudonymisation’ remain personal data in the hands of the data controller that carried out the ‘pseudonymisation’ operation.  Personal data that have been wholly anonymised are outside the scope of the GDPR.
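A worked illustration of the link-coding described above, added here as an example rather than HRB guidance or code: the direct identifiers are moved out of the research dataset into a separate linkage file keyed by a random code, and the data only become anonymous once the code is dropped, quasi-identifiers are coarsened and the linkage file is destroyed. The sample records, field names and the 10-year banding are constructed for the example.

```python
import secrets

# Constructed sample records: direct identifiers plus a quasi-identifier (birth_year).
RAW_RECORDS = [
    {"name": "Aoife Murphy", "mrn": "MRN-0001", "birth_year": 1980, "hba1c": 6.1},
    {"name": "Sean Byrne", "mrn": "MRN-0002", "birth_year": 1975, "hba1c": 7.4},
]
DIRECT_IDENTIFIERS = ("name", "mrn")   # must leave the research file entirely
QUASI_IDENTIFIERS = ("birth_year",)    # can identify indirectly when combined


def link_code(records, new_code=lambda: secrets.token_hex(8)):
    """Return (pseudonymised dataset, linkage file).

    The linkage file is the 'additional information' of the GDPR definition: it
    must be stored separately, under its own access controls, from the dataset.
    """
    pseudonymised, linkage = [], {}
    for rec in records:
        code = new_code()
        while code in linkage:              # never reuse a code for two subjects
            code = new_code()
        linkage[code] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        research_fields = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymised.append({"code": code, **research_fields})
    return pseudonymised, linkage


def reidentify(pseudonymised, linkage):
    """Re-attach identifiers; only whoever holds the linkage file can do this."""
    out = []
    for r in pseudonymised:
        if r["code"] not in linkage:
            raise LookupError("no linkage entry: cannot re-identify this record")
        out.append({**linkage[r["code"]], **{k: v for k, v in r.items() if k != "code"}})
    return out


def has_direct_identifiers(records):
    return any(f in r for r in records for f in DIRECT_IDENTIFIERS)


def anonymise(pseudonymised, band=10):
    """Drop the code and coarsen the quasi-identifier into a birth-year band.

    Combined with destroying the linkage file, this is what moves the data
    towards the 'wholly anonymised' state that falls outside GDPR.
    """
    out = []
    for r in pseudonymised:
        kept = {k: v for k, v in r.items() if k != "code" and k not in QUASI_IDENTIFIERS}
        kept["birth_band"] = (r["birth_year"] // band) * band
        out.append(kept)
    return out
```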


If the personal data that you are processing are fully and irreversibly anonymised and there is no possibility of re-identification (even indirectly), then GDPR does not apply.


Data breaches

If you are a researcher and you have a data protection breach, you must notify the following people as soon as possible:

  1. your supervisor or line manager (as relevant)
  2. the data protection officer of your organisation

In the event of a personal data breach, data controllers must:

  • notify the Data Protection Commission (DPC) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.
  • if notification is not made within 72 hours, provide a “reasoned justification” for the delay.

Notice to the DPC is not required if:

  • the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

In the event of a personal data breach that is likely to result in "a high risk to the rights and freedoms of individuals", data controllers must also:

  • communicate information regarding the personal data breach to the affected data subjects “without undue delay”.

Notice to the affected data subjects is not required if:

  1. the data controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption”;
  2. the data controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialise; or
  3. notification to each data subject would “involve disproportionate effort”, in which case alternative communication measures may be used.

When a data processor experiences a personal data breach, she/he must notify the controller but otherwise has no other notification or reporting obligation under the GDPR.

A notification to the DPC must contain:

  1. a description of the nature of the personal data breach, including the number and categories of data subjects and personal data records affected
  2. the data protection officer’s contact information
  3. a description of the likely consequences of the personal data breach
  4. a description of how the controller proposes to address the breach, including any mitigation efforts.

If not all information is available at once, it may be provided in phases.

Disclaimer

This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.

It is intended to be general guidance for educational and informational purposes only.

It is not legal advice.