The personal data must be necessary to achieve the objective of the research.Close
Any personal data used for health research purposes must not be used in such a way that causes, or is likely to cause, damage or distress to the individual(s) to whom the data relate.Close
Regulation 3(1)(b) requires that appropriate governance structures for the carrying out of the research must have been put in place or met, including:
- ethical approval of the health research by a research ethics committee,
- identification of the data controller including, if relevant, any joint data controllers involved
- identification of any data processors involved
- identification of any person who provides funding for, or otherwise supports, the project
- identification of any person (other than a person in points 3 or 4) with whom it is intended to share any of the personal data collected (including where the data has been pseudonymised or anonymised) and the purpose of such sharing
- provision of training in data protection law and practice to those individuals involved in carrying out the health research
Regulation 3(1)(c) specifies that all of the following processes and procedures relating to the management and conduct of the research have been put in place or met:
- processes to assess the data protection implications of the proposed research and for high risk situations, a data protection privacy impact assessment must be carried out
- measures that verifiably demonstrate compliance with the data minimisation principle in GDPR Article 5
- controls to log and limit access to the personal data undergoing processing in order to prevent unauthorised access to or other processing of that data,
- adequate measures to protect the security of the personal data concerned,
- appropriate arrangements have been identified for when the research has been completed in order to anonymise, properly archive or securely destroy that data,
- other technical and organisational measures designed to ensure that processing is carried out in accordance with the GDPR, together with processes for testing and evaluating the effectiveness of such measures
Appropriate transparency arrangements (e.g. notices on websites, in public areas etc) must be identified and put in place to inform individuals of how their data is being used for health research purposes.
Such notices must be in clear and understandable language.Close
Regulation 3(1)(e) of the Health Research Regulations 2018 requires that the explicit consent of the individual has been obtained prior to the commencement of the research for the processing of his or her personal data for the purpose of the research.
The term "explicit consent" used in the Health Research Regulations 2018 is equivalent to the term used in the GDPR.
The Health Research Regulations 2018 allows for the fact that it may be difficult to fully specify the purposes of the research at the outset.
- Health Research Regulation 3(1)(e) provides that explicit consent from the individual may be obtained "for the purpose of the specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof".
This allows an individual to give his or her explicit consent where the research area is only generally defined and/or to give his or her consent only to certain areas of research or to parts of a particular research project.
At all times, the individual must be provided with sufficiently clear information to allow his or her explicit consent to be informed and to represent the unambiguous indication of his or her wishes.Close
GDPR Article 89(1) requires that "processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards ... for the rights and freedoms of the data subject."
GDPR refers to the following safeguards:
- technical and organisational measures to ensure the principle of data minimisation
- pseudonymisation where possible
- anonymisation where possible.
The Data Protection Act 2018, Section 36 further describes what "suitable and specific measures" may be taken to safeguard the fundamental rights and freedoms of data subjects.
Regulation 3(1)(a)-(e) of the Health Research Regulations 2018 specifies the mandatory "suitable and specific measures" that must be taken when the processing of personal data (including health data) is undertaken for the purposes of health research specifically.
This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.
It is intended to be general guidance for educational and informational purposes only.
It is not legal advice.