Health Research Regulations 2018 FAQ

Disclaimer

All content related to GDPR and health research was created in close collaboration with the Department of Health. The responsibility for compliance with the GDPR, the Data Protection Acts and the Health Research Regulations 2018 lies solely with the data controller or joint-data controllers.

The HRB’s “Guidance for health researchers” aims to help research organisations and researchers who are processing personal data for the purposes of health research to understand and implement their data protection obligations under GDPR, the Data Protection Act 2018 and the new Health Research Regulations 2018.

While the HRB’s guidance has been prepared with the utmost care and aims to be as accurate as possible, it should be noted that this is not legal advice.  The information provided here is strictly for guidance purposes only and the HRB is not liable for any erroneous, obsolete or incomplete information. 

It should also be noted that these are new legal instruments, and therefore, in many instances, it is not possible to provide definitive guidance at this point in time. 

The HRB is not in a position to provide project specific guidance or advice. 

Individual researchers who are processing personal data for the purposes of health research should seek project specific advice from their organisations’ Data Protection Officer before relying upon any information provided.

NEW 29/08/2018 Case Study 1

I have personal data on a group of young people who were part of a research study which was completed in 2013.  The personal data is stored in a pseudonymised manner.

I wish to conduct a further follow-up study with these young people in the future.  Can I continue to hold this personal data?


The following general points may be noted:

Pseudonymised data is personal data for the purposes of GDPR and is subject to all of the data protection obligations that this entails.  The GDPR encourages pseudonymisation as an important data security measure and it should be used whenever possible. 

Data processing under GDPR (and under the previous EU 1995 Data Protection Directive) includes the storage of personal data.  Furthermore, as this is personal data being used for the purposes of health research, it is also subject to the requirements of the Health Research Regulations 2018. 

In considering this query, the data controller should determine if they have secured the consent of the data subjects to conduct the original study in compliance with, at a minimum, the 1995 Data Protection Directive.

Data controllers should consult their DPO if they have any questions in this regard.

The following options may apply:

Option 1 – Consent in line with 1995 Data Protection Directive for continued storage of personal data

Except where the deletion of the personal data within a particular timeframe is an express element of the consent given by a data subject, a data controller can continue to hold the personal data concerned as long as s/he is compliant with:

  1. all the appropriate requirements of the GDPR,
  2. the applicable provisions of the Data Protection Act 2018 and any other laws relevant to the processing of the personal data of minors, 
  3. the suitable and specific measures required under the new Health Research Regulations 2018 including the requirement for the explicit consent of the individuals whose data are being processed,
  4. established ethical considerations.

While not mandatory, it is in the interests of a data controller maintaining good relations with a data subject to explicitly say that there may be follow-up contact with the data subject at some future date regarding further or alternative uses of their data. 

Option 2 – Consent in line with 1995 Data Protection Directive but not with GDPR for further or alternative purposes

If the consent is compliant with the 1995 Data Protection Directive but does not meet the requirements of GDPR, then, for a current or ongoing health research project, there is a transitional period (up until 30 April 2019) to allow data controllers to ensure that any processing of personal data for health research purposes complies with GDPR and the suitable and specific measures mandated by the Health Research Regulations 2018, including the requirement for explicit consent. 

There is no legal/data protection issue in respect of going back to data subjects in order to seek their consent for further or alternative uses of their data unless at the time the data was first collected from them the data controller explicitly advised that he or she would not be coming back to them regarding further or alternative uses of their data. 

During the transitional period, the data controller has the opportunity to contact the individuals involved to obtain their explicit consent in line with GDPR requirements to be contacted in the future to seek their further consent to participate in any new study proposed. 

If it is not possible, or if a significant cohort of the individuals do not respond, then the data controller may consider if the data processing in question meets the eligibility criteria to apply for a consent declaration from the Health Research Consent Declaration Committee under the transitional arrangements (Regulation 6).

Option 3 – Explicit consent in line with GDPR requirements

If consent provided by the data subject is explicit and includes explicit consent to be contacted for possible future follow-up studies and in all other respects meets:

  1. the appropriate requirements of GDPR,
  2. the applicable provisions of the Data Protection Act 2018 and any other laws relevant to the processing of the personal data of minors,
  3. the suitable and specific measures required by the Health Research Regulations 2018, and
  4. any other established ethical considerations;

then it is fully compliant and no further action is required. 

Option 4 – No consent or invalid consent

If there is no consent or the original consent provided expressly precluded consent for the ongoing storage of their personal data and/or to be contacted for possible future follow-up studies or if the consent obtained was not compliant with the 1995 Data Protection Directive (i.e. not valid consent), then the following options apply:

  1. If the data controller can identify another valid legal basis under GDPR (other than consent) for the data processing, and, where the personal data falls within the definition of special category of personal data, that the ongoing storage meets at least one of the GDPR Article 9(2) conditions (other than explicit consent), then, under those circumstances, the data controller may contact the individuals involved to obtain their explicit consent in line with GDPR requirements to be contacted in the future to seek their further consent to participate in any new study proposed.
  2. If the data controller can identify another valid legal basis under GDPR and, where relevant, meets at least one of the GDPR Article 9(2) conditions but it is not possible to obtain the explicit consent of the individuals involved, or if a significant cohort of the individuals do not respond, then the data controller may consider if the data processing in question meets the eligibility criteria to apply for a consent declaration from the Health Research Consent Declaration Committee under the transitional arrangements (Regulation 6).
  3. If the data controller does not have any valid legal basis for the data processing, then the continued data storage is unlawful and is in breach of the first principle of GDPR. 

Any personal data that is held unlawfully should be deleted.  You do not require an individual’s consent to purge personal data which is held unlawfully.


Other important considerations:

Consent of young people under GDPR

“Young people” has no legal meaning under GDPR or the Health Research Regulations 2018. 

The critical distinction in the Data Protection Act 2018 is between adults (persons aged 18 and over) and minors (persons under the age of 18). 

Data controllers processing Article 9 Special Category Personal Data in relation to minors – including for the purposes of health research – need to be especially aware of applicable ethical and legal considerations including, where relevant, capacity to consent issues.

Consideration should also be given to putting in place processes to seek the explicit consent of a data subject who transitions from a minor to an adult, in order to continue using their personal data, if and when this becomes necessary.

Transparency

When personal data is being collected from data subjects for research, or any purpose, the data subjects must be provided with information in relation to the purpose or purposes for which the data is going to be used. 

It is recommended that, at all times, the data controller be as transparent as possible in respect of the information that they provide to the data subject when seeking their explicit consent to process personal data for health research purposes under GDPR, the Data Protection Act 2018 and the new Health Research Regulations 2018. 

In preparing this information, the data controller should refer to the HRB’s GDPR Guidance for Researchers and also to the Article 29 Working Group guidance documents on Consent and Transparency, which can be found in Information resources for health researchers