Information resources for health researchers
Final legal text of the EU General Data Protection Regulation.
Final legal text of the Data Protection Act 2018.
Final legal text of the Health Research Regulations 2018 (Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018).
- Guidelines on Consent under Regulation 2016/679
- Guidelines on Transparency under Regulation 2016/679
- Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679
- Guidelines on Personal data breach notification under Regulation 2016/679
- Guidelines on Data Protection Officers ('DPOs')
- Guidelines on the right to "data portability"
- Guidelines on Data Protection Impact Assessment (DPIA)
Also by the Article 29 Working Party
Other guidance notes and opinions by the Article 29 Working Party may be accessed at:
The Article 29 Working Party has now ceased to exist. It has been replaced by the European Data Protection Board.
The new European Data Protection Board has endorsed all of the above guidelines produced by the Article 29 Working Party.
- An animated website which explains GDPR in plain English.
- GDPR guidance produced by the European Commission.
- Q&As on GDPR produced by the European Commission.
These web resources are targeted at the wider public and the interpretations are not sector specific. However, the information provided and the questions addressed are relevant to all data controllers including health researchers.
Irish Data Protection Commissioner’s Guide to GDPR: The GDPR and You.
Irish Data Protection Commissioner’s Guidance to Data Protection Impact Assessments
The Irish Data Protection Commissioner's article: The Transparency Challenge: Making children aware of their data protection rights and the risks online
Important notice when referring to UK guidance on GDPR
It should be noted that the UK implementation of GDPR in the context of health research is different to that of Ireland.
In particular, official guidance by the Health Research Authority to UK researchers is that, in most instances, the appropriate legal basis for health research activities in public institutions is either "Public Interest" or "Legitimate Interests" (i.e. not the legal basis of consent). This only relates to the recommendation not to use consent as a legal basis for the purposes of GDPR. It does not lessen the ethical obligation on researchers to obtain consent.
In Ireland, researchers and institutions may choose any legal basis that they feel is most appropriate for them to use. This includes consent, public interest or legitimate interests (although legitimate interests is not available as a legal basis for public bodies in the conduct of their public functions).
However, in Ireland, the Health Research Regulations 2018 mandate "explicit consent" as one of the "suitable and specific measures" that must be undertaken when processing personal data (including health data) for the purposes of health research.
Therefore, regardless of what legal basis is chosen to justify the processing of personal data for health research purposes, the explicit consent of the data subject is required unless the researcher has been granted a consent declaration under the Health Research Regulations 2018 (Regulation 5) or under the Health Research Regulations 2018 transitional arrangements (Regulation 6).
GDPR Guidance in the UK
- UK Information Commissioner’s Guide to the General Data Protection Regulation
- The UK has passed a new Data Protection Act (2018). This implements the derogations and also brings the GDPR into domestic law in preparation for the UK leaving the EU.
- The UK Government is also aiming to secure an ‘adequacy plus’ agreement with the EU to ensure data is able to flow across borders after Brexit. It will argue for building on standard adequacy approaches to reflect the close partnership between the UK and the EU on data protection issues. This will be a matter for Brexit negotiations.
- The Health Research Authority published detailed guidance for researchers on GDPR, covering: lawful bases for processing; safeguards; transparency; and data subject rights.
- The MRC Regulatory Support Centre has also produced a helpful summary of the main changes for research activity in the UK.
- The Information Governance Alliance has produced guidance for clinicians and those working within the health service.
GDPR in research journals
You can also find some reporting on the likely impact of GDPR on medical research in The Lancet, Science and the BMJ.
The BBMRI-ERIC is developing a Code of Conduct for health research, in line with GDPR Article 40.
This initiative aims to ensure there is authoritative sector-specific guidance on implementing GDPR that can apply across Member States. BBMRI-ERIC aims to have the Code ready for public consultation by Autumn 2018.
The UK Health Research Authority and Human Tissue Authority jointly produced a paper on “Consent to use human tissue and linked health data in health research - A Public Dialogue” which may provide useful background information.
This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.
It is intended to be general guidance for educational and informational purposes only.
It is not legal advice.