Health Research Regulations 2018 FAQ

Disclaimer

All content related to GDPR and health research was created in close collaboration with the Department of Health.The responsiblity for compliance with the GDPR, the Data Protection Acts and the Health Research Regulations 2018 lies solely with the data controller or joint-data controllers.

The HRB’s Guidance for health researchers section aims to assist those who process personal data for the purposes of health research to understand and to implement their data protection obligations under GDPR, the Data Protection Act 2018 and the Health Research Regulations 2018.

While the HRB’s guidance has been prepared with the utmost care and aims to be as accurate as possible, it should be noted that this is not legal advice. The information provided here is strictly for guidance purposes only and the HRB is not liable for any erroneous, obsolete or incomplete information. 

It should also be noted that these are new legal instruments, and therefore, in many instances, it is not possible to provide definitive guidance at this point in time. 

The HRB is not in a position to provide project specific guidance or advice. 

Individual researchers who process personal data for the purposes of health research should seek project specific advice from their organisations’ Data Protection Officer before relying upon any information provided here.

Responses from the Department of Health to queries received from Clinical Research Development Ireland regarding the implementation of the Health Research Regulations 2018

New 17/09/2018

Department of Health's first reply

Department of Health's second reply

Case Studies

Case Study 1 - I have personal data on a group of young people who were part of a research study which was completed in 2013.  The personal data is stored in pseudononymised manner.

I wish to conduct a further follow-up study with these young people in the future.  Can I continue to hold this personal data?

Case Study 2 - I have a group of young people who are part of an ongoing follow-up research study - this is now their 4th follow-up. Ethics permission and funding has been obtained for this study since 2017. The letters of invitation to participate in the research study were posted out prior to 25th May.

Can I issue reminders or continue to contact those who have not responded?

Case Study 3 - Can a general practitioner search his/her Electronic Patient Record database to see if any patients are suitable for a clinical trial without explicit consent from all the patients within the EHR database prior to the search? 

Case Study 4 - Would the processing of patient data in the search for a clinical trial treatment for the patient come under Article 6.1(d) (GDPR): processing is necessary in order to protect the vital interests of the data subject or of another natural person.  Since the clinical trial treatment may be vital to the successful recovery of the patient.

Case Study 5 - Do the Health Research Regulations 2018 encompass all health research conducted in Ireland? In the case of a multi-partner project that may be coordinated by an organisation outside Ireland which regulations (HRR2018 in Ireland or equivalent in other countries) apply?

Case Study 6 - A number of PIs are currently working on a proposal that will use lots of data from a variety of sources.  Data exchange protocols have already been agreed and task 1 is the anonymisation (not pseudonymisation) of any identifiable data.  Which bits will need the 'consent declaration'?

Case Study 7 - In the event that a funded research project requires a consent declaration, but the consent declaration application is refused by the Health Research Consent Declaration Committee and the research work must stop, who is contractually liable for incurred costs?


 

General Health Research Regulations 2018 queries

The Health Research Regulations 2018 are formally called the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018.

They were made by the Minister for Health under section 36 of the Data Protection Act 2018 and came into effect on 8 August 2018.

The Health Research Regulations 2018 govern the use of personal data for health research purposes. These important new regulations outline mandatory suitable and specific measures that ensure that health research in Ireland is conducted using best practice principles of information governance in line with new GDPR requirements.

The regulations protect the rights of participants while at the same time they promote and facilitate the conduct of high quality research in the public interest.

The regulations also introduce for the first time a lawful mechanism that allows the processing of personal data for health research purposes in exceptional circumstances without the explicit consent of the individual concerned.

The Health Research Regulations 2018 can be viewed in full here.

Close

Contact your Data Protection Officer

Your first port of call for answering queries regarding your data protection obligations should be your organisation's Data Protection Officer.


All queries regarding the Health Research Regulations 2018 should be submitted using the Health Research Regulations 2018 enquiry form.

Answers to queries will be provided by means of a dedicated Health Research Regulations 2018 FAQ webpage which will be updated regularly.  The HRB will not respond to individual queries. This is to ensure consistency of responses to all of the health research community.

The HRB will send out email alerts to notify people of updates to the FAQ pages. 


Provision of advice by the HRB

The HRB’s “Guidance for health researchers” aims to assist research organisations and researchers who are processing personal data for the purposes of health research understand and implement their data protection obligations under GDPR, the Data Protection Act 2018 and the new Health Research Regulations 2018.

This guidance may be found on its webpages at: GDPR guidance for health researchers.

While the HRB’s guidance has been prepared with the utmost care and aims to be as accurate as possible, it should be noted that this is not legal advice.  The information provided here is strictly for guidance purposes only and the HRB is not liable for any erroneous, obsolete or incomplete information. 

It should also be noted that these are new legal instruments, and therefore, in many instances, it is not possible to provide definitive guidance at this point in time. 

The HRB is not in a position to provide project specific guidance or advice. 

Individual researchers who are processing personal data for the purposes of health research should seek project specific advice from their organisations’ Data Protection Officer before relying upon any information provided.

It should be noted that while HRB aims to provide as much information and as much clarity as it can regarding the implementation of the new regulations and the establishment of the new Health Research Consent Declaration Committee (HRCDC) and its secretariat, it cannot pre-empt answers to questions that fall under the remit of the HRCDC.  In particular, the HRB cannot provide any advice whether or not a particular research project is compliant with GDPR and the new regulations nor whether or not a research project is of sufficient public interest to warrant the granting of a consent declaration.


Irish Data Protection Commission

The Irish Data Protection Commission (DPC) is the independent authority charged with monitoring and enforcing the application of the GDPR in Ireland.

The DPC develops important guidance information to assist organisations and individuals in implementing the GDPR and in exercising their personal data rights. 

The DPC’s latest guidance in relation to GDPR, can be found at: www.gdprandyou.ie and via the DPC’s webpages at www.dataprotection.ie starting with "NEW" as per the navigation panel on the left.

 

Close

Health research falls under scientific research in the GDPR where it is not defined.

Health research is defined for the purposes of the Health Research Regulations 2018 in Regulation 3(2). 

You can find more information on the definition of health research for the purposes of the Health Research Regulations 2018 here.

Close

Current research is any research that has commenced on or before the 7th of August 2018.

New research is any research that commenced on or after the 8th of August 2018. Please refer to the consent declaration decision tree.

A research project is deemed to have commenced on the day that the research receives ethical approval from a research ethics committee.

Close

Participation in clinical trials of medicinal products is subject to its own EU instruments. 

However, the processing of any personal data related to those clinical trials for health research purposes must be in accordance with the GDPR and the Health Research Regulations 2018.

Close

No. 

The transition period only applies to data processing for the purposes of health research that falls within the Health Research Regulations 2018.

For other research, the GDPR and the Data Protection Act 2018 only apply.  Both of these came into effect on 25th May 2018.

Close

General comment

Researchers and host institutions are reminded that the decision to grant or not grant a consent declaration by the Health Research Consent Declaration Committee should always be a position of last resort.  There is a positive responsibility on host research institutions (and by extension on researchers) to ensure that all other avenues of compliance with the GDPR and the Health Research Regulations 2018 such as anonymisation, seeking explicit consent, data minimisation, data purging etc. are considered in detail before applying to seek a consent declaration from the Health Research Consent Declaration Committee.

Researchers are recommended to seek project specific advice in relation to data processing for health research purposes from their organisation’s DPO.

Responsibility

The onus is on a host research institution solely to ensure that the research being conducted by its researchers is legal and is being conducted in a lawful manner.  

This is true also in the case of the GDPR and the Health Research Regulations 2018 where it is the sole responsibility of the data controller (or joint data controllers) to ensure that they are compliant with the regulations.

However, host research institutions should refer to individual research contracts in order to determine their contractual liabilities in specific circumstances. 

HRB Terms and Conditions (October 2017 Edition) for Research Awards

In the case of the HRB, some relevant clauses[1] in the HRB Terms and Conditions (October 2017 Edition) for Research Awards are as follows:

Warranties (Clause 6) and Termination (Clause 16)

In the case of the Health Research Board, research funding contracts are subject to the host research institution obtaining ‘all of the relevant permits, approvals, permissions or consents necessary for the carrying out of the funded research activities or any part of them’ (Clause 6.1.3 and Clause 16.2.10).

Responsibilities of the Host institution (Clause 7)

The Host Institution shall ‘comply with all relevant statutory requirements, regulatory requirements, regulations and bye-laws relating to the Grant and the Grant Funded Activities including without limitation all such relating to the employment, involvement or engagement of the members of the Team’ (Clause 7.2.12).

The Host Institution shall ‘take all necessary steps to ensure that the Principal Investigator and the members of the Team are aware that the contract under which they are employed or otherwise engaged is with the Host Institution and not with the HRB and indemnify the HRB against any claim by the Principal Investigator or the members of the Team that they are an employee of or have otherwise been engaged by the HRB’ (Clause 7.5.8).

Liabilities and indemnities (Clause 9)

Host research institutions should also refer to Clause 9 of the HRB Terms and Conditions (October 2017 Edition) for Research Awards explicitly warrants, inter alia, that the host institution is “wholly responsible for the conduct of the Grant Funded Activities and the HRB shall have no obligation, responsibility or any liability financial or otherwise of any kind to the Host Institution, the Principal Investigator or any member of the Team or any third party arising directly or indirectly from the Grant or the Grant Funded Activities or payment of the Grant or any part thereof or any representation or other act or omission connected with the Grant save and except the payment of the Grant in accordance with the terms and conditions of the Grant.” 

Variations and No Cost Extensions

Clause 20.4 allows a host research institution to request the HRB to consider a variation of the funded grant.  The Host Institution Variation Notice should contain full details of the proposed variation and reasons for the Variation which will be given reasonable consideration by the HRB.  The HRB may also approve a no cost extension to extend the duration of the grant for up to 12 months (Clause 16.3) in order to obtain the required consents or otherwise comply with the requirements of GDPR and the Health Research Regulations 2018.

 


[1] Host research institutions should refer to the full HRB Terms and Conditions (October 2017 Edition) for Research Awards in order to determine all of their contractual obligations and liabilities.

Close

Consent declaration specific queries

consent declaration is a declaration made by the Health Research Consent Declaration Committeethat the explicit consent of the data subject is not required.

Close

No. A consent waiver issued by a Research Ethics Committee under the HSE's National Consent Policy 2017 is not the same as a consent declaration granted under the Health Research Regulations 2018.

Consent waivers do not have, and never had, any legal standing in the context of the previous Data Protection Directive nor in the context of GDPR and the new Health Research Regulations 2018.

Close

Application information is available from the HRCDC website.

Close

The EU Council and EU Parliament signed off on the GDPR in April 2016 with a two year period before it became effective on 25 May 2018.  That was the transition period for preparing for GDPR compliance. 

During that period, health researchers should have made sure that the processing of personal data for health research that was ongoing after 25 May (whether it was commenced before or after that date) was in line with the GDPR.  

In the context of the Health Research Regulations 2018, an additional transitional period up to and including 7 August 2019 was incorporated to allow health research involving the use of personal data that was ongoing on 8 August 2018 to become compliant with the requirements of GDPR and the new Regulations. 

You can find more information on this transitional period

Close

For current research, researchers must submit an application for consideration by the consent declaration to the Health Research Consent Declaration Committee no later than 7 August 2019 (refer to transitional arrangements).

Close
  • Consult the HRB’s GDPR guidance for researchers.
  • Consult the HRB’s consent declaration decision tree.
  • Determine whether your research project is a new project or if it is current.
  • Undertake a data protection impact assessment.
  • Ensure you have research ethics approval.
  • Consider whether or not the personal data can be anonymised.
  • For current research, determine if you have consent and whether or not the consent meets the standard of the previous Data Protection Directive 95/46/EC.
    • If yes, make reasonable efforts to contact the data subject who previously provided consent for the health research for the purposes of reobtaining consent from that data subject.
    • If not, consider if the data can be anonymised. Alternatively, consider if you can make a case that the public interest in continuing to carry out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.
  • For new research, consider if you can make a case that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.
Close

The HRB cannot advise researchers when the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject. This will be the remit of the Health Research Consent Declaration Committee once in place.

Close

Yes. 

consent declaration refers only to the requirement to have obtained the suitable and specific measure of explicit consent (Regulation 3(1)(e)) from the data subject.

All of the other suitable and specific measures to safeguard the fundamental rights and freedoms of the data subject described in Regulation 3(1)(a)-(d) must be in place. 

Close

General consent for health research purposes queries

Yes.

Consent may be provided by the data subject in written, electronic or oral format.

Data controllers must be able to demonstrate that the data subject has consented to processing of his/her data.  Therefore, records will need to be kept so that a data subject's consent can be verified.

Close

We recommend speaking to your institutional DPO to determine if your project meets the standards required by current and/or previous data protection legislation.

Close

Anonymised data fall outside the remit of GDPR and the new Health Research Regulations 2018. 

However, the process of anonymization is, in itself, data processing and does fall under the remit of GDPR and may fall under the remit of the Health Research Regulations 2018 depending on its purpose.  Therefore, if the legal ground that the personal data is being held is consent, then consent is required for the anonymisation of that data.  However, if the data controller has another legal basis (other than consent) and, where relevant, meets at least one of the Article 9(2) conditions (other than explicit consent), then consent is not required.

In relation to ongoing storage of personal data, the general points made in Case Study 1 apply.

While not mandatory, it is in the interests of a data controller maintaining good relations with a data subject to explicitly inform them that their data may be anonymised at some future date for further or alternative research purposes. 


Additional considerations

While anonymized data do fall out of the scope of data protection legislation, individuals may still be entitled to protection under other provisions (such as the common law duty to protect confidentiality of communications).

Close

No.

Pseudonymisation is a data security measure that is strongly encouraged by the GDPR.  

However, pseudonymised data remain subject to requirements of GDPR and, in the case of health research, to the requirements of the Health Research Regulations 2018.

Close

There is no legal/data protection issue in respect of the deletion of personal data unless:

  1.  at the time the personal data were first collected from the data subjects, the data controller explicitly advised that he or she would not do so or would not do so for a specified time, or
  2. there are legal obligations on the data controller not to delete the personal data (usually this applies for a specified time).

However, if no lawful basis applies to your processing, you are in breach of the first principle of the GDPR (the requirement to have a legal basis).  You do not require an individual’s consent to purge any personal data which is held unlawfully.

Close

In general, it is not expected that the re-consent of an ongoing health research studies will require fresh ethical approval.

Fresh ethical approval might be required only if, in the context of the re-consenting process, there is a change to the research methodology to the extent that the research protocol no longer reflects that which previously received ethical approval by the Research Ethics Committee.  

Close

The GDPR acknowledges that if you are collecting personal data for scientific research, you may not be able to fully specify your precise purposes in advance. Thus, in principle, if you are seeking consent to process personal data for scientific research, you do not need to be as specific as for other purposes.

However, GDPR also requires that you should identify the general areas of research, and where possible give people granular options to consent only to certain areas of research or parts of research projects.

The term “broad consent” is not mentioned in the Health Research Regulations 2018, but it is covered.

Consequently, while explicit consent is a mandatory requirement for data processing for health research purposes, the Health Research Regulations 2018 also allow for the fact that it may be difficult to fully specify the purposes of the research at the outset.

Health Research Regulations 2018 3(1)(e) provides that explicit consent from the individual may be obtained "for the purpose of the specified health research, either in relation to a particular area or more generally in that area or a related area of health research,or part thereof".

Broad consent is about giving people consent choices at each stage of the research process.

Thus an individual may give their consent to:

  • the specific and immediate processing planned,
  • the next level of research that might be envisaged
  • use of their data for a more general research questions/topics in the specified area of research or in a related area of health research, that cannot be envisaged right now.

(Note: These granular options are for explanation purposes only.  In practice, granular consent options will be specific to the particular research in question).

All other conditions for consent required by GDPR (Article 7 and Recital 43) must be met.

Sufficiently clear information must be provided so that the individual is:

  • fully informed; and
  • that the consent given is an unambiguous indication of his or her wishes.
Close

Yes.

Under the new Health Research Regulations 2018, all data processing for health research purposes requires that the data controller(s) has processes in place in order to assess the data protection implications of the proposed research and, for high risk situations, a formal data protection impact assessment (DPIA) must be carried out.

Furthermore, an application for a consent declaration, whether it be for new research (under Regulation 5) or for current research (under Regulation 6), requires that a copy of the DPIA be submitted to the Health Research Consent Declaration Committee as part of the application.

Further information

Full details of what is required for a consent declaration application may be found here.

Further information on Data Protection Impact Assessments may be found here

Close

If, in the process of securing the data subject's broad consent, the researcher or biobank secures has provided as much information as possible about potential future processing/uses (including information on data controllers, data processors, oversight mechanisms, funders, data storage and sharing arrangements, categories of researchers or institutions the data might be shared with, national and international transfers etc) - then it is not necessary to constantly re-contact and re-consent the data subject.

However, this does not absolve the data controller from other GDPR obligations including but not limited to:

  • the principle of transparency
  • the principle of data minimization
  • the principle of necessity
  • the principles of privacy by design and by default including end-of-project decisions regarding the ongoing storage/archiving, deletion, or anonymization of personal data etc.
  • the requirement for further explicit consent if the terms of the original consent change beyond what might be reasonably expected by the data subject
  • the ability of the data subject to withdraw their consent at any stage and the obligation to inform the data subject how this can be done.
Close

The responsibility for compliance with GDPR and the new Health Research Regulations 2018 lies with the data controller. 

It is recognised that patient information leaflets and consent forms are important elements in obtaining elements in obtaining explicit consent and ensuring the GDPR principles of transparency and accountability. 

However, it is not the role of the HRB to recommend or advise on what information should be included in any specific notice, information leaflet or consent form.

The Department of Health and HRB may consider developing general guidance principles relevant to consent forms and information leaflets at a future date.  Should this be the case, these principles will be made available online on the HRB’s GDPR Guidance for Researchers.  However, any additional information to be provided should not be significant for any health researcher who is already acting consistently with the spirit of informed consent.

Researchers are recommended to seek project specific advice in relation to data processing for health research purposes from their organisation’s DPO.

The Article 29 Working Party has issued guidelines on transparency requirements which may be found under Information resources for health researchers.

The NHS Health Research Authority has also developed some useful guidance in respect of transparency and GDPR which may be accessed at: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/templates/

The UK Health Research Authority and Human Tissue Authority jointly produced a paper on “Consent to use human tissue and linked health data in health research - A Public Dialogue" which may provide useful background information.  

Please note that these are guidance notes only and you should also consult your organisation’s DPO for further advice. 

Close

Where a data subject consents to participation in health research activities in clinical trials, the relevant provisions of EU Regulation 536/2014 on Clinical Trials on Medicinal Products for Human Use, repealing Directive 2001/20/EC, will apply when they come into effect.

However, the processing of personal data related to clinical trials must comply with GDPR (from 25 May 2018) and the Health Research Regulations 2018 (from 8 August).

Researchers are recommended to seek project specific advice in relation to data processing for health research purposes from their organisation’s DPO, including how to ensure that consent arrangements for any research projects are consistent with the conditions for consent (to be valid) set out in Article 7 of the GDPR.

Close

Retrospective Chart Reviews

As regards Retrospective Chart Reviews carried out for research purposes, and having consulted with the Data Protection Commission, it has been determined that the requirement for explicit consent will commence on 1 May 2019.  This is to allow hospitals and other data controllers who carry out such reviews to adapt their procedures to capture the relevant explicit consent from patients.  All other suitable and specified safeguards set out in the Health Research Regulations will continue to apply in the interim period as will other requirements arising under the General Data Protection Regulation.  Where a hospital or other data controller does not use this time to put a mechanism in place to capture explicit consent for retrospective chart reviews for research purposes then applications to the Consent Declaration Committee for a consent declaration for such reviews will be unlikely to succeed.  The HRB’s GDPR Guidance for health researchers addresses this here:  http://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research/what-is-research/.

 

Retrospective chart reviews that are undertaken for the purposes of a) clinical audit, b) service evaluation or c) training do not fall under the remit of the Health Research Regulations 2018.  However, they are still covered by the GDPR and professional and ethical rules. 

It is accepted that the distinction between research, clinical audit, service evaluation and training can be a fine one.  As with every aspect of the GDPR, it is for the data controller to determine whether a particular processing activity is health research or clinical audit or something else and to be able to justify that view having regard to the individual circumstances involved.  Accordingly, Data Protection Officers within organisations are best placed to offer advice on particular processing activities. 

It is acknowledged that, in the past, retrospective studies sought REC approval for a consent waiver.  Unfortunately, consent waivers by RECs do not and never had any legal validity.  However, it is recognised that such REC consent waivers were generally issued in good faith.

The Department of Health has indicated that it is willing to look further at the challenges posed by the consent waivers given by RECs and retrospective chart reviews to see if something can be done to ameliorate the situation.  Any potential positive outcome would have to be consistent with the parameters of GDPR and protecting the rights of data subjects.    

Close