All content related to GDPR and health research was created in close collaboration with the Department of Health. The responsibility for compliance with the GDPR, the Data Protection Acts and the Health Research Regulations 2018 lies solely with the data controller or joint data controllers.
The HRB’s “Guidance for health researchers” aims to help research organisations and researchers who are processing personal data for the purposes of health research to understand and implement their data protection obligations under GDPR, the Data Protection Act 2018 and the new Health Research Regulations 2018.
While the HRB’s guidance has been prepared with the utmost care and aims to be as accurate as possible, it should be noted that this is not legal advice. The information provided here is strictly for guidance purposes only and the HRB is not liable for any erroneous, obsolete or incomplete information.
It should also be noted that these are new legal instruments, and therefore, in many instances, it is not possible to provide definitive guidance at this point in time.
The HRB is not in a position to provide project-specific guidance or advice.
Individual researchers who are processing personal data for the purposes of health research should seek project-specific advice from their organisation’s Data Protection Officer before relying upon any information provided.
A number of PIs are currently working on a proposal that will use lots of data from a variety of sources. Data exchange protocols have already been agreed and task 1 is the anonymisation (not pseudonymisation) of any identifiable data. Which bits will need the 'consent declaration'?
The following general points may be noted:
The Health Research Regulations 2018 require that a data protection assessment is performed in relation to any health research related data processing activity and, in high-risk situations, a formal Data Protection Impact Assessment (DPIA) should be conducted.
Anonymised data fall outside the remit of GDPR and the new Health Research Regulations 2018.
However, the process of anonymisation is, in itself, data processing and does fall under the remit of GDPR and may fall under the remit of the Health Research Regulations 2018 depending on its purpose. Therefore, if the legal ground on which the personal data is being held is consent, then consent is required for the anonymisation of that data. However, if the data controller has another legal basis (other than consent) and, where relevant, meets at least one of the Article 9(2) conditions (other than explicit consent), then consent is not required.
In relation to ongoing storage of personal data, the general points made in Case Study 1 apply.
While not mandatory, it is in the interests of a data controller maintaining good relations with a data subject to explicitly inform them that their data may be anonymised at some future date for further or alternative research purposes.
Seeking a consent declaration should be seen as an option of last resort after all other issues of consent are considered.