A researcher who wishes to process or further process personal data for the purposes of a new health research project may apply to the Health Research Consent Declaration Committee to make a declaration that the explicit consent of the data subject is not required if:
- that researcher believes that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject whose personal data is being processed for the purposes of the research (Regulation 5(1)).
This applies to health research projects which have commenced on or after 8 August 2018.
(a) performed a data protection impact assessment in accordance with GDPR Article 35(1))
(b) obtained ethical approval for the health research from a research ethics committee.
|clearly identifying the valid and lawful basis for the processing of the personal data
|clearly identifying that the proposed data processing meets one of the conditions in GDPR's Article 9(2) for special category personal data
|clearly identifying the data controller and, where there are joint data controllers, the division of responsibilities between them
|that the health research requires that personal data of a type specified be obtained and processed rather than anonymised data
|that the personal data will not be processed in such a way that damage or distress is, or is likely to be, caused to the individual(s) concerned
|that the collection and use of the personal data will go no further than is necessary for the attainment of the research objective (data minimisation)
|that there will be no disclosure of the personal data unless that disclosure is required by law or the individual(s) has given his or her explicit consent to the disclosure
|that the suitable and specific measures referred to in Regulation 3(1)(b)(iv) to (vii), 3(1)(c)(iii) to (viii) and 3(1)(d) have been identified and will be put in place before the health research commences. These include:
|ensuring that the proposed data processing is only that which is necessary to achieve the objectives of the research
|ensuring that the proposed data processing does not and will not cause damage or distress to the individual(s) to whom the data relates
|measures that demonstrate compliance with the data minimisation principle in GDPR's Article 5(1)(c)
|appropriate governance structures in place
|appropriate processes and procedures in place
|appropriate transparency arrangements are in place
|that a data protection officer has been appointed in relation to the health research before it commences
|that ethical approval from a research ethics committee has been received
|a copy of the data privacy impact assessment (DPIA) with particular reference to the possibility of data linkages and details of any consultations undertaken with potential Individual(s) (data subjects)
|demonstrating that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.
Health Research Regulations 2018, Regulation 5(4)
This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.
It is intended to be general guidance for educational and informational purposes only.
It is not legal advice.