Health Research Regulations 2018 FAQ


All content related to GDPR and health research was created in close collaboration with the Department of Health. The responsibility for compliance with the GDPR, the Data Protection Acts and the Health Research Regulations 2018 lies solely with the data controller or joint data controllers.

The HRB’s “Guidance for health researchers” aims to assist research organisations and researchers who are processing personal data for the purposes of health research to understand and implement their data protection obligations under GDPR, the Data Protection Act 2018 and the new Health Research Regulations 2018.

While the HRB’s guidance has been prepared with the utmost care and aims to be as accurate as possible, it should be noted that this is not legal advice.  The information provided here is strictly for guidance purposes only and the HRB is not liable for any erroneous, obsolete or incomplete information. 

It should also be noted that these are new legal instruments, and therefore, in many instances, it is not possible to provide definitive guidance at this point in time. 

The HRB is not in a position to provide project specific guidance or advice. 

Individual researchers who are processing personal data for the purposes of health research should seek project specific advice from their organisations’ Data Protection Officer before relying upon any information provided.

NEW 29/08/2018 Case Study 3

Can a general practitioner search his/her Electronic Patient Record database to see if any patients are suitable for a clinical trial without explicit consent from all the patients within the EHR database prior to the search? 

The following general points may be noted:

A general practitioner holding personal data in relation to his or her patients for their care and treatment will generally have a necessary legal basis (as set out under Article 6) as well as meeting a required condition applicable to special category personal data which includes health data (as per Article 9), to process personal data in respect of the patients under his/her care. 

Under the GDPR, general practitioners and other healthcare professionals that are bound by a professional duty of confidence, can process personal health data for the care and treatment of their patients and the management of their practices. 

Where the GP (or other healthcare professional) decides to become involved in a health research project either by (i) directly carrying out the research himself or herself or (ii) proposing to disclose details of suitable patients to a third party carrying out the research then the Health Research Regulations 2018 are applicable.

The definition of health research in the Health Research Regulations 2018 encompasses:

  1. clinical trials of medicinal products[1], and
  2. may include actions taken to establish whether an individual may be suitable for inclusion in the research.

In the case of option 2 (i.e. actions taken to establish whether an individual may be suitable for inclusion in the research) the Regulations use the word ‘may’ to distinguish between:

  1. the actions of a health professional (who is providing care to the patient) searching through his or her records, and
  2. the actions of another person (unconnected with the care and treatment of the patient) going through the records.

In the first case, the search will not be regarded as research per se and consent will not be required. 
In the second case, it will be research because of the involvement of the third party and explicit consent will be required.

In either of the above cases, if suitable patients are identified for the clinical trial (or other research) they may only be contacted by the health professional involved in their care and treatment. 

In the case of a clinical trial, the health professional should explain why they are being contacted and give them such information as to allow them to decide whether they may be interested in being involved in the trial.

In the case of a research project that will involve only the processing of their personal health information (rather than their active participation), the health professional should seek their explicit consent before their data can be used in or disclosed for the research project, unless a consent declaration is sought and successfully obtained in relation to the research.

General points about consent:

Patients must be given the option to opt in/out at any level of consent specificity. 

They must also be able to withdraw their consent at any time and they should be told how this may be done.

It must also be made clear that the patient’s healthcare by the GP will not be prejudiced in any way by their decision not to give consent. (In other words, the patient must be given a real choice and not one which is influenced by perceptions (real or imagined) that their future healthcare may be negatively impacted by their decision.)

Patients should also be informed that, should they be deemed eligible to be included in a future clinical trial[2], their participation in such a trial will not occur without their further explicit consent.


Transparency is a key tenet of GDPR.

In addition to seeking the explicit consent of the patients to the specific data processing in question, it is recommended that patient information leaflets, information notices in public areas and/or on websites are used to inform patients of the fact that the GP practice engages in research and describing the different research activities in which it is engaged. 

More information

For more information on consent and on explicit consent please see the HRB’s GDPR guidance for researchers at:

For more information on GDPR’s principle of transparency see the HRB’s GDPR guidance for researchers at:

[1] It is important to note that participation by individuals in clinical trials is governed by a separate EU instrument. However, the processing of personal data in a clinical trial is governed by the GDPR, the Data Protection Acts and the Health Research Regulations.

[2] If it is possible to specify types of potential future clinical trials further, then this should be done.  For example, if a GP partakes in a particular type or category of clinical trial, then this option should also be included instead of, or in addition to, the broad ‘unspecified’ type of clinical trial. Very generalised, blanket consent for unspecified health research purposes is not valid under GDPR.