Health Research Regulations 2018 FAQ


All content related to GDPR and health research was created in close collaboration with the Department of Health. The responsiblity for compliance with the GDPR, the Data Protection Acts and the Health Research Regulations 2018 lies solely with the data controller or joint-data controllers.

The HRB’s “Guidance for health researchers” aims to assist research organisations and researchers who are processing personal data for the purposes of health research understand and implement their data protection obligations under GDPR, the Data Protection Act 2018 and the new Health Research Regulations 2018.

While the HRB’s guidance has been prepared with the utmost care and aims to be as accurate as possible, it should be noted that this is not legal advice.  The information provided here is strictly for guidance purposes only and the HRB is not liable for any erroneous, obsolete or incomplete information. 

It should also be noted that these are new legal instruments, and therefore, in many instances, it is not possible to provide definitive guidance at this point in time. 

The HRB is not in a position to provide project specific guidance or advice. 

Individual researchers who are processing personal data for the purposes of health research should seek project specific advice from their organisations’ Data Protection Officer before relying upon any information provided.

NEW 29/08/2018 Case Study 5

Do the Health Research Regulations 2018 encompass all health research conducted in Ireland? In the case of a multi-partner project that may be coordinated by an organisation outside Ireland which regulations (HRR2018 in Ireland or equivalent in other countries) apply?

The following general points may be made:

The GDPR has a very broad territorial remit as it applies to all organisations (whether data controllers, joint-data controllers or data processors) that are processing of personal data of people who reside within the EU or who are EU Citizens, even if the organisation is not located in the EU. 

Further information on transferring, processing or storing personal data outside of Ireland please see the HRB guidance at:

The Health Research Regulations 2018 govern all processing of personal data for health research purposes conducted within the Republic of Ireland. 

The suitable and specific measures mandated by the Health Research Regulations 2018, Regulation 3(1)(b), requires that appropriate governance structures for the carrying out of the research must have been put in place or met, including:

  1. identification of the data controller including, if relevant, any joint data controllers involved
  2. identification of any data processors involved
  3. identification of any person (other than a person in points i or ii) with whom it is intended to share any of the personal data collected (including where the data has been pseudonymised or anonymised) and the purpose of such sharing
  4. in the case of joint data controllers, compliance with Article 26 of the GDPR.

GDPR Article 26

  1. Article 26 of the GDPR requires that joint data controllers shall in a transparent manner determine their respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in the GDPR Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. 
  2. The arrangement may designate a contact point for data subjects.
  3. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects.  The essence of the arrangement shall be made available to the data subject. 
  4. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under the GDPR in respect of and against each of the data controllers.