All research conducted by the HSE and its funded organisations must comply with relevant Data Protection legislation. This includes obtaining consent from the prospective participants for the processing of their personal data for research purposes as part of the overall process of obtaining consent.
Read the Health Research Data Protection Network (HRDPN) Guide document for health researchers to understand what personal data refers to, and the principles of data protection before commencing the research.
- Steps to follow before starting a research project that involves the use of personal data
- Sharing of personal data arising from research
- Access to personal data to select suitable candidates for research
- Research involving the review of existing healthcare records (Retrospective Chart Reviews)
- Consent for the processing of personal data for research purposes
- Contact Details For The Health Service Data Protection Officers
- Understanding GDPR, the Health Research Regulations 2018, and subsequent amendments
- Training and Support Resources
- Further Information
Steps to follow before starting a research project that involves the use of personal data
The following steps will help researchers to fulfill their data protection obligations when doing research:
Step 1: Identify the Data Controller/s and Data processor/s
Firstly, researchers need to identify the organisations that hold the data controller and processor roles for the research project.
To help you with this, identify the personal data you intend to use and map the data processing required for your project.
Step 2 for Data Controllers
If your organisation is the data controller for the study data:
- Determine the legal basis for the processing of the data. If in doubt, consult with the data controller DPO
- Determine whether your project requires a Data Protection Impact Assessment (DPIA) by using the Risk Scoring tool.
- The Risk Scoring Tool (RST) factors the legal exceptions where a DPIA is mandatory, or not required.
- The project does not require a DPIA If the RST score is “low”. The completed RST template, indicating that a DPIA is not required, should be submitted to the HSE Research Ethics Committees.
- The project requires a DPIA If the score is “likely to be high”. In this case, the Data Controller DPIA template should be completed and submitted to the Data controller’s Data Protection Officer (DPO). Such DPO should annotate the DPIA. In the case of joint controllership, the DPOs of each organisations must annotate the DPIA. A downloadable list of DPO contact details for hospitals, community services, and HSE national/corporate services and the DPIA for research template is available.
- For Regulated Clinical Trials involving multiple sites, it is recommended that the following protocol for the DPIA Review is used.
Step 2 for Data Processors
If your organisation is the processor of the study data:
- You must enter into a Data Sharing Agreement with the Controller. The controller and the processor should entered into this agreement before the processing starts. The Controller is the entity that must initiate and manage this process.
- Please note that you should only process data as prescribed in the data sharing agreement. Processing must not step beyond the processing required in such. If in doubt consult your DPO.
- For further guidance please, see the HSE R&D Webinar on how to complete a DPIA in HSELand or download the presentation slides.
Sharing of personal data arising from research
Data sharing of personal data arising from the research study may be required within the HSE or with a third party. Note that All HSE healthcare sites are considered a single legal entity for the purpose of data sharing. S38 and S39 organisations, although funded by the HSE, are independent legal entities and are therefore a third party for data sharing.
- Sharing personal data arising from research within the HSE: This can be done without needing a data-sharing agreement.
- Sharing with a third party:
- The entity that intends to share its data (the data exporter) must enter into a Data Sharing Agreement (DSA) with the entity that will receive the data (the data importer).
- If the research project requires the transfer of personal data outside the EEA or with a Country with no Adequacy Decision (EC Adequacy Decision) then the HSE Transfer Impact Assessment is also required
- For guidance see the HSE R&D webinar on Research Data Transfers on HSE Land or download the webinar slides. and visit the HSE Data Protection pages
Access to personal data to find suitable candidates for research study
Healthcare professionals, or other employees of the data controller (i.e a healthcare records clerk), who normally have access to personal data for healthcare, can access such records to determine eligible research participants (pre-screening). This does not require the explicit consent of the data subject, not REC approval, provided that measures are in place to appropriately inform service users that these activities are taking place. Privacy statements and transparency notices must be appropriately displayed.
However, access to such records for the same purpose by research personnel under the direction of HSE staff but employed by an academic institution can only be done if:
- The individual has been formally authorized. A formal pre-screening agreement must exist between the HSE/Hospital and the employer of the individual. The individual must be appointed as an Authorised person by the HSE and his/her Appointment must be activated for specific projects.
OR
- Be formally seconded to the HSE/Hospital. A secondment agreement can be put in place for a single individual or fully for the organisation. To access a secondment agreement template for this purpose, please get in touch with National HSE R&D.
Always ensure that appropriate transparency measures are in place to keep the patients and the public appropriately informed about how their data may be used for research.
For further guidance visit:
- The Department of Health website
- Download explanatory slides
- HSE National Policy for Consent in Health and Social Care
Research involving the review of existing healthcare records (Retrospective Chart Reviews)
What is a retrospective chart review (RCR):
- The retrospective chart review (RCR), also known as a medical record review, is a type of analysis that involves the use of pre-recorded, patient-centered data to answer one or more questions.
- The data used in such reviews exist in many forms and it is a popular methodology widely applied in many healthcare-based disciplines such as epidemiology, quality assessment, professional education and residency training, inpatient care, and clinical research, and valuable information may be gathered from study results to direct subsequent prospective studies (Vassar & Holzmann, J Educ Eval Health Prof. 2013)
The importance of defining the purpose of a retrospective chart review upfront.
- While retrospective Chart Reviews (RCR) can be used for several purposes, i.e research, clinical audit, service evaluations, etc; the governance route is different depending on the purpose of the review
- RCR conducted for research purposes must be submitted to a HSE or Hospital Research Ethics committee, while those conducted for audit or evaluation purposes should follow the clinical governance path as outlined by their organisation.
- Hence it is very important to try and define the purpose of the RCR as early as possible during the study design to ensure the appropriate governance path is followed.
Consent and Data protection considerations for retrospective chart reviews for research purposes.
From a data protection perspective, a Retrospective Chart Review for research purposes is a research study involving the analysis of personal data already collected for the provision of healthcare by the Data Controller, which is carried out by a staff member of the Data Controller of such data.
- In all cases, a RCR carried out for research purposes must be approved by an appropriate Research Ethics Committee.
- By law, a retrospective chart review done for research purposes that involve the use of personal data without the explicit consent of the data subject can only be carried out if the risk to the data subject is low. To determine the risk, the risk scoring tool can be used.
- If the risk is not deemed low, the research can only be carried out if a Consent Declaration from the Health Research Consent Declaration Committee is obtained. Submission to the HRCDC for a consent declaration must be accompanied by a Data Protection Impact Assessment annotated by the DPO and approved by an appropriate REC.
- If the data has been collected with explicit consent from the data subject for use for research purposes, the above is not required.
- In all cases, the data controller organisation displays posters and privacy notices to inform the service users of data processing matters related to RCRs.
Who can carry out a retrospective chart review for research purposes?
Only certain classes of persons are permitted under law to conduct a retrospective chart review study for research purposes without ‘explicit consent’ or a ‘consent declaration’
RCR for research purposes on identifiable personal healthcare data can only be carried out by:
- Employees who ordinarily have access to records e.g. healthcare professionals, medical records clerks
- Students on placement who are in training to become a ‘healthcare practitioner’
(All students, including student nurses and doctors, must be “under the direction and control” of the HSE service or Hospital at all times.)
Can personal data collected during a retrospective chart review study be shared or published?
The personal data accessed under these conditions and used for a research retrospective chart review cannot be used for other purposes. The data used for a research retrospective chart review by the above authorised individuals cannot be shared with others (third parties) unless it is fully anonymised. Any published results must not
be identifiable.
For further information visit:
- The Department of Health website
- Download explanatory slides
- S.I. No. 18/2021 – Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021
- HSE National Policy for Consent in Health and Social Care Research.
Consent for the processing of personal data for research purposes
The Health Research Regulations 2018 place additional consent requirements for the processing of personal data for research in Ireland. The HSE National Consent Policy for Health and Social Care Research explains how to comply with data protection requirements in common scenarios. It also explains how to obtain valid consent for the use of personal data for future research purposes. Such consent, while it may be broader it needs to be as informed as possible. In addition, the choices made by the participant have to be appropriately recorded and documented (explicit).
In certain circumstances, when the explicit consent of the individual for the processing of personal data for research purposes cannot be obtained, researchers can apply to the Health Research Consent Declaration Committee HRCDC for a consent declaration. The application needs to be accompanied by a research ethics committee approval and a DPIA annotated by the data controller DPO. The HRCDC will evaluate the merit of the research proposal and ultimately decide whether the public interest outweighs the rights to privacy of the data subjects concerned.
Contact Details For The Health Service Data Protection Officers
- Hospital DPOs (PDF)
- CHO DPOs (PDF)
- HSE Corporate and National divisions DPO (Email)
Understanding GDPR, the Health Research Regulations 2018, and subsequent amendments
The GDPR (General Data Protection Regulation (EU) 2016/679) came into force across all of Europe on 25th May 2018 replacing the Data Protection Directive (95/46/EC).
The GDPR provides a single set of rules for all EEA organisations to ensure that data protection underlying concepts and principles remain the same in all Member States.
If you collect, use or store personal data, digital, manual, handwritten, or any type of record, then GDPR affects you.
The DPA 2018 (Data Protection Act 2018) gives effect to certain aspects of the GDPR in Irish Law. Section 36(2) of the DPA 2018 the “Health Research Regulation” (HRR) addresses specific health research requirements. HRR S.I No. 314 of 2018
The Health Research Regulations were amended in 2021 to address five substantive areas,
- Processing of personal data to establish suitability or eligibility for inclusion in health research (Pre-screening)
- Carrying out low-risk retrospective chart reviews
- Deferred consent for the processing of personal data for health research in exceptional situations
- Informed consent for health research obtained during the time of the EU Data Protection Directive
- Explicit consent for processing personal data in a health research context
Training and Support Resources
Legal Insights in Health Research Seminar Series
In collaboration with EY Law and CKT Solicitors, HSE R&D hosted a comprehensive seminar series designed to offer an overview of legal and data protection issues relevant to researchers working within the HSE and HSE-funded organisations.
These seminars are available to access via HSeLand. To access please log in to HSeLand. Click on Hubs and Resources in the top line menu. Click on Discovery Zone and search for “Legal and Data Protection in Health Research”.
Link to HSeLand.
Easy access to Templates and Tools Related to research and Data Protection
- Workflow tools to determine the data controller and data processor roles
- Risk Scoring tool to determine the need to complete a DPIA (Download Excel file)
- Data sharing agreement template (Download Word file)
- DPIA for Research template (Download Word file)
- Companion Guide to Complete Health Research DPIA Template (Download PDF file)
- Pre-screening agreement (Download Word file)
- Authorisation form for Pre-screening (PAS-Vetting Form) (Download Word file)
- Activation Form for Pre-screening Authorised Person (PSAP-Activation Form) (Download Word file)
- HSE Privacy Statement and Privacy Notice (HSE R&D & HSE DPO Office) (Dowload PDF file)
- Transfers of Personal Data outside the EEA TIA Form (Download Word file)
Practical Guidance On Data Protection For Health Researchers
- Download HRDPN Guidance for Researchers on Data Protection (Download PDF file)
- Data Protection in Research Essentials for HSE Researchers (Download PDF file)
- Data Processing Mapping and Data Controllers & Data Processors Determination (Download PDF file)
- HSE International Transfer of Personal Data: Special Rules, FAQs, Glossary
- EDPB Guidelines on Data Controllers and Data Processors
- Link to HSE Research R&D Seminars page
- GDPR training (HSE only)
Further Information
- Suitable and Specific Measures (Source: HRB)
- Consent (Source: HRB)
- Consent Declaration (Source: HRB)
- Privacy Notice (Source: HRB)
- Data Protection Commission: GDPR Basics
- Understanding the GPR in a wider Legal Framework (Youtube video; source: HRB)
- HRR FAQ (Source: HRB)
- European Commission EU data protection rules (source: European Commission)
Disclaimer:
This guidance has been prepared by HSE R&D to help researchers undertaking research under the scope of the HSE National Research Framework for the Governance, Management and Support of Research, to comply with Data Protection legislation requirements. It is intended to be general guidance for educational and information purpose only. It is not legal advice.
updated 10/03/25