Health Research Regulations 2018 FAQ

Disclaimer

The responsibility for compliance with the GDPR, the Data Protection Acts and the Health Research Regulations 2018 lies solely with the data controller or joint data controllers.

The HRB’s “Guidance for health researchers” aims to assist research organisations and researchers who are processing personal data for the purposes of health research to understand and implement their data protection obligations under GDPR, the Data Protection Act 2018 and the new Health Research Regulations 2018.

While the HRB’s guidance has been prepared with the utmost care and aims to be as accurate as possible, it should be noted that this is not legal advice.  The information provided here is strictly for guidance purposes only and the HRB is not liable for any erroneous, obsolete or incomplete information. 

It should also be noted that these are new legal instruments, and therefore, in many instances, it is not possible to provide definitive guidance at this point in time. 

The HRB is not in a position to provide project specific guidance or advice. 

Individual researchers who are processing personal data for the purposes of health research should seek project specific advice from their organisations’ Data Protection Officer before relying upon any information provided.

General GDPR FAQ

Data controller and processors

Control, rather than possession, of personal data is the key factor.

A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information.  Data controllers include sections or units of the organisation (e.g. academic departments, research centre etc.) and employees (including research students) that control and are responsible for the data processing. 

A data processor may hold or process personal data, but does not exercise responsibility for or control over the personal data.


Yes.  It is not uncommon that an organisation and even an individual might be both a data controller and a data processor.

The decision as to whether an organisation or individual is a data controller or a data processor relates to the type of data processing involved and the extent of control that the organisation or individual has over that processing.

The data controller is the person (or organisation) who determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).



If, as part of a collaborative research project, you and one or more other researcher(s) jointly determine the purposes and means of data processing, then you and those other researcher(s) (and your employing research organisations) are joint data controllers.

If you are a joint data controller with one or more other researchers/organisations, then it is necessary to agree your respective responsibilities for compliance with GDPR. This agreement should be transparent and must identify an agreed data protection contact point to allow individuals to exercise their data protection rights.


A data controller is the individual or the legal entity who controls and is responsible for the collection, storage and/or use of personal information.

Where the data controller is an organisation, e.g. a hospital or a university, the responsibilities of the data controller extend to include sections or units within the organisation (e.g. academic departments, research centres etc.) and employees (including e.g. principal investigators, academics, postdoctoral researchers, technicians, research students etc.) that control and are responsible for the data processing.

GDPR Article 5(2) requires that the data controller be responsible for, and be able to demonstrate, compliance with the principles of data protection. 

Consequently, there is both individual and organisational responsibility to comply with the regulations.



A data controller is the individual or the legal entity who controls and is responsible for the keeping and use of personal information.

A data processor may hold or process personal data, but does not exercise responsibility for or control over the personal data.

The decision as to whether an organisation or individual is a data controller or a data processor relates to the type of data processing involved and the extent of control that the organisation or individual has over that processing. 

It is possible to have two or more data controllers (i.e. joint controllers) where, for example, the clinical trial sponsor and the university and/or the hospital exert joint control over the personal data in question.

In such circumstances, GDPR requires the joint data controllers to identify their respective roles and responsibilities for compliance.

A formal agreement of roles and responsibilities of the joint data controllers should be in place.


If researchers are unsure of their responsibilities in the context of GDPR, they should seek project specific advice in relation to data processing for health research purposes from their organisation’s DPO.

The decision as to whether an organisation (which encompasses its employees when they are acting in their capacity as employees) or individual is a data controller or a data processor relates to the type of data processing involved and the extent of control that the organisation or individual has over that processing.  Please also bear in mind that there may be joint data controllers in relation to a project and they must also be identified and the respective responsibilities of each should be formally agreed.

The fact that the data processing in question is mandated by legislation is not, in itself, a factor that determines the data controller unless the legislation itself specifies who is the data controller. 

It may, however, be a valid legal basis under Article 6.  

An Article 9 condition must also be met where personal health data is being processed. 


Your role in GDPR

If either you personally, or researchers working for you (including postgraduate students), process personal data as part of a research project that you lead, then yes, you have individual responsibilities under GDPR and, where relevant in the case of health research, under the Health Research Regulations 2018.

As a Principal Investigator, your responsibilities are to ensure that you personally and that all researchers working for you:

  1. are aware of the personal data that you/they are processing as part of your research activities
  2. know and comply with all the data protection procedures and policies in your institution that govern the processing of personal data
  3. where relevant, know and comply with the suitable and specific safeguards mandated by the Health Research Regulations 2018
  4. know who to contact in your institution in the event of a data breach
  5. report any data breach, or a data breach of one of the researchers working for you, without undue delay
  6. undertake data protection training if required by your institution
  7. adhere to all of the GDPR principles, including the principle of data protection (privacy) by design and by default (Article 25), throughout the research project lifecycle from initial project design through to project completion

If you are unclear about any of your responsibilities under GDPR or the Health Research Regulations 2018 as a Principal Investigator, you should contact the data protection officer in your organisation to discuss your specific circumstances.


If you process personal data as part of your research project, then yes, you have individual responsibilities under GDPR and, where relevant, under the Health Research Regulations 2018.

As a postgraduate student, your responsibilities are to:

  1. be aware of the personal data that you are processing as part of your research
  2. know and comply with all of the data protection procedures and policies in your institution that govern the processing of personal data
  3. where relevant, know and comply with the suitable and specific safeguards mandated by the Health Research Regulations 2018
  4. know who to contact in your institution in the event of a data breach
  5. report any data breach without undue delay
  6. undertake data protection training if required by your institution
  7. adhere to all of the GDPR principles, including the principle of data protection (privacy) by design and by default (Article 25), throughout the research project lifecycle from initial project design through to project completion

If you are unclear about any of your responsibilities under GDPR or the Health Research Regulations 2018 as a researcher or postgraduate student, you should contact either your line manager or the data protection officer in your organisation to discuss your specific circumstances.


In general, many of the data protection concepts and principles (including individual rights) that were put in place under the previous EU data protection directive will remain the same under GDPR.

Explicit consent

Informed consent of the individual remains at the heart of GDPR, as it did under the previous EU data protection directive. In the case of special category data, which includes health data, biometric data and genetic data, the data controller must obtain the explicit consent of the individual data subject.

While GDPR allows a patient's health data to be used for the provision of their medical and health care, where health data are processed for purposes outside this remit the health care professional must obtain the explicit consent of the patient(s) involved.

This is strongly reinforced by the Health Research Regulations 2018 where personal data are processed for health research purposes.


In addition, GDPR strengthens the existing rights and also provides for a number of new data protection rights in order to give individuals more control of the use and storage of their personal data by organisations.

Individual GDPR rights

  • Right to be informed in clear and understandable language (Articles 12, 13, 14)
  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Right to be forgotten) (Article 17)
  • Right to restrict processing (Article 18)
  • Right to notification (Articles 19 and 34)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Right not to be subject to a decision based solely on automated processing, including profiling (Article 22)
  • Right to seek compensation (Article 82)

For more details on the rights of individuals under GDPR, please click here


No, you cannot personally use your patients' health data or share their health data with a third party individual or organisation, for research purposes, without the patient's explicit consent.

The only limited exception to this rule is if you have obtained a "consent declaration" under the new Health Research Regulations 2018.

Among other conditions, a consent declaration under the new Health Research Regulations 2018 requires that:

  • the public importance of the research outweigh to a significant degree the public interest in requiring the explicit consent of the individual whose data is being processed.



Information on the transfer of personal data to another country can be found here.

If you wish to transfer personal data to another country outside of the EEA, you should first consult your DPO.


Yes.  Irrespective of whether the legal basis that you are relying upon requires the consent of the data subject, the new Health Research Regulations 2018 require that you obtain the "explicit consent" of the data subject if you are processing personal data for health research purposes.

The only limited exception to this rule is if you have obtained a "consent declaration" under the Health Research Regulations 2018.

Among other conditions, a consent declaration under the new Health Research Regulations 2018 requires that:

  • the public importance of the research outweigh to a significant degree the public interest in requiring the explicit consent of the individual whose data is being processed.



GDPR penalties are applicable to both data controllers and data processors.

Serious data protection breaches

  • up to 4% of gross annual turnover or €20M (whichever is the higher)

Examples of serious data protection breaches include:

  1. loss of data (whether deliberate or not)
  2. data processing without the consent of users

Less serious data protection breaches

  • up to 2% of gross annual turnover or €10M (whichever is the higher)

Examples of less serious data protection breaches include:

  1. records of processing not maintained, or not kept in order or accurate
  2. not conducting a data protection impact assessment where one is required

Anonymised and pseudonymised data

Anonymised data

Data are anonymised when an individual can no longer be identified from them.  Anonymous data do not allow either direct or indirect re-identification.

Pseudonymous data

‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (GDPR Article 4(5)).

For example, a dataset that has been ‘link-coded’, with names and other key identifiers removed, but which is linked to a separate file held by, or accessible to, the researcher which enables individual research subjects to be identified (including, potentially, consent forms) is considered to be ‘pseudonymised’.


Personal data that have undergone ‘pseudonymisation’ remain personal data in the hands of the data controller that carried out the ‘pseudonymisation’ operation.  Personal data that have been wholly anonymised are outside the scope of the GDPR.


If the personal data that you are processing are fully and irreversibly anonymised and there is no possibility of re-identification (even indirectly), then the GDPR does not apply.


Anonymisation may be a good strategy to keep the benefits and to mitigate the risks of processing personal data.

Once a dataset is truly anonymised and individuals are no longer identifiable, European data protection law no longer applies.

However, it is clear from case studies and research publications that the creation of a truly anonymous dataset from a rich set of personal data, whilst retaining as much of the underlying information as required for the task, is not a simple proposition.

For example, a dataset considered to be anonymous may be combined with another dataset in such a way that one or more individuals can be identified.

Therefore, yes, it is possible for personal data to be anonymous in the hands of one party but identifiable in the hands of another.
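The two mechanisms described above, link-coding (the pseudonymised dataset plus a separately held link file, as under “Pseudonymous data”) and re-identification by combining a released dataset with another one, as an added worked example. This is illustration code, not part of the HRB’s guidance: the patient records, the external register, the HMAC-based pseudonym scheme, the key-storage arrangement and all function names are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed example records (not real patients): two direct identifiers,
# three quasi-identifiers and one special-category attribute.
RESEARCH_RECORDS = [
    {"name": "A. Byrne",  "mrn": "MRN-1001", "sex": "F", "birth_year": 1961, "postcode": "D06", "diagnosis": "T2DM"},
    {"name": "C. Murphy", "mrn": "MRN-1002", "sex": "M", "birth_year": 1974, "postcode": "D06", "diagnosis": "asthma"},
    {"name": "E. Walsh",  "mrn": "MRN-1003", "sex": "M", "birth_year": 1974, "postcode": "D06", "diagnosis": "hypertension"},
    {"name": "G. Kelly",  "mrn": "MRN-1004", "sex": "F", "birth_year": 1988, "postcode": "T12", "diagnosis": "migraine"},
]
DIRECT_IDENTIFIERS = ("name", "mrn")
QUASI_IDENTIFIERS = ("sex", "birth_year", "postcode")

# Constructed external dataset that another party might hold (e.g. a public register).
EXTERNAL_REGISTER = [
    {"name": "A. Byrne",  "sex": "F", "birth_year": 1961, "postcode": "D06"},
    {"name": "C. Murphy", "sex": "M", "birth_year": 1974, "postcode": "D06"},
    {"name": "E. Walsh",  "sex": "M", "birth_year": 1974, "postcode": "D06"},
    {"name": "G. Kelly",  "sex": "F", "birth_year": 1988, "postcode": "T12"},
]

# The "additional information" of Article 4(5): a secret key that, in a real
# deployment, would be generated and stored apart from the coded dataset
# (hypothetical arrangement for this example).
LINK_KEY = secrets.token_bytes(32)


def keyed_pid(mrn, key):
    """Pseudonym = truncated HMAC-SHA256 of the record number under a secret key."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def plain_hash_pid(mrn):
    """The weak alternative: an unkeyed hash of the record number."""
    return hashlib.sha256(mrn.encode()).hexdigest()[:16]


def pseudonymise(records, key):
    """Link-code a dataset: strip direct identifiers, attach a keyed pseudonym and
    return the link file (pid -> identifiers) that must be stored separately."""
    coded, link_file = [], {}
    for rec in records:
        pid = keyed_pid(rec["mrn"], key)
        coded.append({"pid": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        link_file[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return coded, link_file


def reidentify_with_link(coded_row, link_file):
    """Only the party holding the link file can do this, which is why the coded data stay personal."""
    return link_file[coded_row["pid"]]


CANDIDATE_MRNS = [f"MRN-{n:04d}" for n in range(10_000)]


def dictionary_attack(target_pid, derive, candidate_mrns):
    """Invert a pseudonym by enumerating the (small) identifier space. This works
    against an unkeyed hash; without the HMAC key the enumeration never matches."""
    for mrn in candidate_mrns:
        if derive(mrn) == target_pid:
            return mrn
    return None


def release_without_pseudonym(coded):
    """A naive 'anonymised' release: drop the pseudonym so that no link file applies."""
    return [{k: v for k, v in row.items() if k != "pid"} for row in coded]


def linkage_attack(released, register):
    """Join the released rows to the external register on the quasi-identifiers.
    Returns name -> diagnosis for every row that matches exactly one person."""
    index = {}
    for person in register:
        index.setdefault(tuple(person[q] for q in QUASI_IDENTIFIERS), []).append(person["name"])
    found = {}
    for row in released:
        candidates = index.get(tuple(row[q] for q in QUASI_IDENTIFIERS), [])
        if len(candidates) == 1:
            found[candidates[0]] = row["diagnosis"]
    return found


def k_anonymity(released):
    """Size of the smallest group sharing one quasi-identifier combination;
    k == 1 means at least one row is unique and therefore linkable."""
    return min(Counter(tuple(row[q] for q in QUASI_IDENTIFIERS) for row in released).values())


if __name__ == "__main__":
    coded, link_file = pseudonymise(RESEARCH_RECORDS, LINK_KEY)
    print("coded row:", coded[0])
    print("re-identified via link file:", reidentify_with_link(coded[0], link_file))
    print("unkeyed hash inverted:", dictionary_attack(plain_hash_pid("MRN-1003"), plain_hash_pid, CANDIDATE_MRNS))
    print("keyed pseudonym inverted:", dictionary_attack(coded[2]["pid"], plain_hash_pid, CANDIDATE_MRNS))
    released = release_without_pseudonym(coded)
    print("k-anonymity of release:", k_anonymity(released))
    print("re-identified by linkage:", linkage_attack(released, EXTERNAL_REGISTER))
```

Two points the example makes that the text leaves implicit: a pseudonym derived by an unkeyed hash of a short record number is not “additional information kept separately”, because anyone can recompute it from the enumerable identifier space, whereas a keyed HMAC moves the secret into the key; and dropping the pseudonym does not make the release anonymous while the remaining quasi-identifiers still single out individuals against a dataset held by someone else (k-anonymity of 1 here).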


Data breaches

If you are a researcher and you have a data protection breach, you must notify the following people as soon as possible:

  1. your supervisor or line manager (as relevant)

  2. the data protection officer of your organisation

In the event of a personal data breach, data controllers must:

  • notify the Data Protection Commission, without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.
  • If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
Notice to the DPC is not required if:
  • the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons.

In the event of a personal data breach that is likely to result in "a high risk to the rights and freedoms of individuals", data controllers must also:

  • communicate information regarding the personal data breach to the affected data subjects “without undue delay.”
Notice of data subjects affected is not required if:
  1. the data controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption”
  2. the data controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize; or
  3. when notification to each data subject would “involve disproportionate effort,” in which case alternative communication measures may be used.

When a data processor experiences a personal data breach, she/he must notify the controller without undue delay, but otherwise has no other notification or reporting obligation under the GDPR.


A notification to the DPC must contain:

  1. a description of the nature of the personal data breach, including the number and categories of data subjects and personal data records affected

  2. the name and contact details of the data protection officer or other contact point

  3. a description of the likely consequences of the personal data breach

  4. a description of how the controller proposes to address the breach, including any mitigation efforts.

If not all information is available at once, it may be provided in phases.


NEW 29/08/2018 Consent

No.

Pseudonymisation is a data security measure that is strongly encouraged by the GDPR.  

However, pseudonymised data remain subject to requirements of GDPR and, in the case of health research, to the requirements of the Health Research Regulations 2018.


There is no legal/data protection issue in respect of the deletion of personal data unless:

  1. at the time the personal data were first collected from the data subjects, the data controller explicitly advised that he or she would not do so or would not do so for a specified time, or
  2. there are legal obligations on the data controller not to delete the personal data (usually this applies for a specified time).

However, if no lawful basis applies to your processing, you are in breach of the first principle of the GDPR (the requirement to have a legal basis).  

You do not require an individual’s consent to purge any personal data which is held unlawfully.


Anonymised data fall outside the remit of GDPR and the new Health Research Regulations 2018. 

However, the process of anonymisation is, in itself, data processing and does fall under the remit of GDPR, and may fall under the remit of the Health Research Regulations 2018 depending on its purpose.  Therefore, if the legal basis on which the personal data were obtained was consent, then consent is required for the anonymisation of those data.  However, if the data controller relies on another legal basis (other than consent) and, where relevant, meets at least one of the Article 9(2) conditions (other than explicit consent), then consent is not required.

In relation to ongoing storage of personal data, the general points made in Case Study 1 apply.

While not mandatory, it is in the interests of a data controller maintaining good relations with a data subject to explicitly inform them that their data may be anonymised at some future date for further or alternative research purposes. 


Additional considerations

While anonymised data fall outside the scope of data protection legislation, individuals may still be entitled to protection under other provisions (such as the common law duty to protect the confidentiality of communications).


Query

In relation to Article 13 of GDPR: Information to be provided where personal data are collected from the data subject. Clarification is sought on whether there is any scope allowed for privacy notices (rather than re-consent) to be provided to participants who have already consented under existing data protection acts, where certain information was not included in the original participant information, for example, the contact details of the data protection officer.


Privacy notices are an important means of complying with the GDPR principles of transparency and accountability and can play a role under Article 13 (which governs information to be provided where personal data are collected from the data subject).  However, it is not the role of the HRB to recommend or advise what information should be included in any specific notice, information leaflet or consent form. 

Moreover, and importantly, a privacy notice cannot meet a requirement for explicit consent. 

The responsibility for compliance with GDPR and the new Health Research Regulations 2018 lies with the data controller. 

Researchers are recommended to seek project specific advice in relation to data processing for health research purposes from their organisation’s DPO.


NEW 17/08/2018 Article 13 Requirements

Query

Where recruitment and data collection are complete by the 30th April 2019, but data analysis/archiving has not been completed, do these requirements of Article 13 of GDPR still need to be met retrospectively, given that ‘personal data collection’ is no longer ongoing? Clear guidance, with a range of examples, on when and how re-consent is to be obtained would be really appreciated.


The requirements of Article 13 of the GDPR (which governs information to be provided where personal data are collected from the data subject) have to be met irrespective of the Health Research Regulations 2018 and came into effect on 25 May 2018.
