Data Protection and Research in Health and Social Care

NOTE: The content of this page is new. Please give us your feedback to help us improve it.

All research conducted by the HSE and its funded organisations must comply with relevant Data Protection legislation. This includes obtaining consent from the prospective participants for the processing of their personal data for research purposes as part of the overall process of obtaining consent.

Read the Health Research Data Protection Network (HRDPN) Guide document for health researchers to understand what personal data refers to, and the principles of data protection before commencing the research.

Steps to follow before starting a research project that involves the use of personal data
Sharing of personal data arising from research
Access to personal data to select suitable candidates for research
Research involving the review of existing healthcare records (Retrospective Chart Reviews)
Consent for the processing of personal data for research purposes
Contact Details For The Health Service Data Protection Officers
Easy access to Templates and Tools Related To research and Data Protection
Practical Guidance On Data Protection For Health Researchers
Understanding GDPR, the Health Research Regulations 2018, and subsequent amendments
Further Information

Steps to follow before starting a research project that involves the use of personal data

The steps on this page will help researchers to comply with data protection requirements.

Sharing of personal data arising from research

Data sharing of personal data arising from the research study may be required within the HSE or with a third party. Note that All HSE healthcare sites are considered a single legal entity for the purpose of data sharing. S38 and S39 organisations, although funded by the HSE, are independent legal entities and are therefore a third party for data sharing.

Sharing personal data arising from research within the HSE: This can be done without needing a data-sharing agreement.

Sharing with a third party:
- The entity that intends to share its data (the data exporter) must enter into a Data Sharing Agreement (DSA) with the entity that will receive the data (the data importer).
- If the research project requires the transfer of personal data outside the EEA or with a Country with no Adequacy Decision (EC Adequacy Decision) then the HSE Transfer Impact Assessment is also required
- For guidance see the HSE R&D webinar on Research Data Transfers on HSE Land or download the webinar slides. and visit the HSE Data Protection pages

Access to personal data to find suitable candidates for research study

Healthcare professionals, or other employees of the data controller (i.e a healthcare records clerk), who normally have access to personal data for healthcare, can access such records to determine eligible research participants (pre-screening). This does not require the explicit consent of the data subject, not REC approval, provided that measures are in place to appropriately inform service users that these activities are taking place. Privacy statements and transparency notices must be appropriately displayed.

However, access to such records for the same purpose by research personnel under the direction of HSE staff but employed by an academic institution can only be done if:

The individual has been formally authorized. A formal pre-screening agreement must exist between the HSE/Hospital and the employer of the individual. The individual must be appointed as an Authorised person by the HSE and his/her Appointment must be activated for specific projects.

Be formally seconded to the HSE/Hospital. A secondment agreement can be put in place for a single individual or fully for the organisation. To access a secondment agreement template for this purpose, please get in touch with National HSE R&D.

Always ensure that appropriate transparency measures are in place to keep the patients and the public appropriately informed about how their data may be used for research.

For further guidance visit:

Research involving the review of existing healthcare records (Retrospective Chart Reviews)

What is a retrospective chart review (RCR):

The retrospective chart review (RCR), also known as a medical record review, is a type of analysis that involves the use of pre-recorded, patient-centered data to answer one or more questions.
The data used in such reviews exist in many forms and it is a popular methodology widely applied in many healthcare-based disciplines such as epidemiology, quality assessment, professional education and residency training, inpatient care, and clinical research, and valuable information may be gathered from study results to direct subsequent prospective studies (Vassar & Holzmann, J Educ Eval Health Prof. 2013)

The importance of defining the purpose of a retrospective chart review upfront.

While retrospective Chart Reviews (RCR) can be used for several purposes, i.e research, clinical audit, service evaluations, etc; the governance route is different depending on the purpose of the review
RCR conducted for research purposes must be submitted to a HSE or Hospital Research Ethics committee, while those conducted for audit or evaluation purposes should follow the clinical governance path as outlined by their organisation.
Hence it is very important to try and define the purpose of the RCR as early as possible during the study design to ensure the appropriate governance path is followed.

Consent and Data protection considerations for retrospective chart reviews for research purposes.

From a data protection perspective, a Retrospective Chart Review for research purposes is a research study involving the analysis of personal data already collected for the provision of healthcare by the Data Controller, which is carried out by a staff member of the Data Controller of such data.

In all cases, a RCR carried out for research purposes must be approved by an appropriate Research Ethics Committee.
By law, a retrospective chart review done for research purposes that involve the use of personal data without the explicit consent of the data subject can only be carried out if the risk to the data subject is low. To determine the risk, the risk scoring tool can be used.
If the risk is not deemed low, the research can only be carried out if a Consent Declaration from the Health Research Consent Declaration Committee is obtained. Submission to the HRCDC for a consent declaration must be accompanied by a Data Protection Impact Assessment annotated by the DPO and approved by an appropriate REC.
If the data has been collected with explicit consent from the data subject for use for research purposes, the above is not required.
In all cases, the data controller organisation displays posters and privacy notices to inform the service users of data processing matters related to RCRs.

Who can carry out a retrospective chart review for research purposes?

Only certain classes of persons are permitted under law to conduct a retrospective chart review study for research purposes without ‘explicit consent’ or a ‘consent declaration’

RCR for research purposes on identifiable personal healthcare data can only be carried out by:

Employees who ordinarily have access to records e.g. healthcare professionals, medical records clerks
Students on placement who are in training to become a ‘healthcare practitioner’
(All students, including student nurses and doctors, must be “under the direction and control” of the HSE service or Hospital at all times.)

Can personal data collected during a retrospective chart review study be shared or published?

The personal data accessed under these conditions and used for a research retrospective chart review cannot be used for other purposes. The data used for a research retrospective chart review by the above authorised individuals cannot be shared with others (third parties) unless it is fully anonymised. Any published results must not
be identifiable.

For further information visit:

The Health Research Regulations 2018 place additional consent requirements for the processing of personal data for research in Ireland. The HSE National Consent Policy for Health and Social Care Research explains how to comply with data protection requirements in common scenarios. It also explains how to obtain valid consent for the use of personal data for future research purposes. Such consent, while it may be broader it needs to be as informed as possible. In addition, the choices made by the participant have to be appropriately recorded and documented (explicit).

In certain circumstances, when the explicit consent of the individual for the processing of personal data for research purposes cannot be obtained, researchers can apply to the Health Research Consent Declaration Committee HRCDC for a consent declaration. The application needs to be accompanied by a research ethics committee approval and a DPIA annotated by the data controller DPO. The HRCDC will evaluate the merit of the research proposal and ultimately decide whether the public interest outweighs the rights to privacy of the data subjects concerned.

Contact Details For The Health Service Data Protection Officers

Hospital DPOs (PDF)
CHO DPOs (PDF)
HSE Corporate and National divisions DPO (Email)

Easy access to Templates and Tools Related to research and Data Protection

Workflow tools to determine the data controller and data processor roles
Risk Scoring tool to determine the need to complete a DPIA (Download Excell file)
Data sharing agreement template (Download Word file)
HSE DPIA Template and guidance (Download Word file)
Pre-screening agreement (Download Word file)
Authorisation form for Pre-screening (PAS-Vetting Form) (Download Word file)
Activation Form for Pre-screening Authorised Person (PSAP-Activation Form) (Download Word file)
HSE Privacy Statement and Privacy Notice (HSE R&D & HSE DPO Office) (Dowload PDF file)
Transfers of Personal Data outside the EEA TIA Form (Download Word file)

Practical Guidance On Data Protection For Health Researchers

The GDPR (General Data Protection Regulation (EU) 2016/679) came into force across all of Europe on 25th May 2018 replacing the Data Protection Directive (95/46/EC).

The GDPR provides a single set of rules for all EEA organisations to ensure that data protection underlying concepts and principles remain the same in all Member States.

If you collect, use or store personal data, digital, manual, handwritten, or any type of record, then GDPR affects you.

The DPA 2018 (Data Protection Act 2018) gives effect to certain aspects of the GDPR in Irish Law. Section 36(2) of the DPA 2018 the “Health Research Regulation” (HRR) addresses specific health research requirements. HRR S.I No. 314 of 2018

The Health Research Regulations were amended in 2021 to address five substantive areas,

Processing of personal data to establish suitability or eligibility for inclusion in health research (Pre-screening)
Carrying out low-risk retrospective chart reviews
Deferred consent for the processing of personal data for health research in exceptional situations
Informed consent for health research obtained during the time of the EU Data Protection Directive
Explicit co n sent for processing personal data in a health research context

Further Information

Suitable and Specific Measures (Source: HRB)
Consent (Source: HRB)
Consent Declaration (Source: HRB)
Privacy Notice (Source: HRB)
Data Protection Commission: GDPR Basics
Understanding the GPR in a wider Legal Framework (Youtube video; source: HRB)
HRR FAQ (Source: HRB)
European Commission EU data protection rules (source: European Commission)

Disclaimer:

This guidance has been prepared by HSE R&D to help researchers undertaking research under the scope of the HSE National Research Framework for the Governance, Management and Support of Research, to comply with Data Protection legislation requirements.  It is intended to be general guidance for educational and information purpose only. It is not legal advice.

updated 21/02/23