The Health Service Executive (HSE) must comply with all applicable data protection, privacy and security laws and regulations in the locations in which we operate. Through maintaining a high standard of data protection, the HSE wants to foster a culture that is honest, compassionate, transparent and accountable, and to promote research.
- Data protection in Research: GDPR and Health Research Regulations
- Amendments to Health Research Regulations
- Consent for Health and Social Care Research
- Contact details for Data Protection Officers
- Practical Advice for Researchers
- Supporting Tools for HSE Researchers
- Training Material
- Further Information
NEWS:
On 22 January 2020 the Minister for Health, Stephen Donnelly TD, made amendments to the Health Research Regulations 2018 (S.I. No. 314 of 2018).
Data protection in research: GDPR, Health Research Regulations
The GDPR (General Data Protection Regulation (EU) 2016/679) came into force and took direct effect across all of Europe on 25th May 2018 replacing the Data Protection Directive (95/46/EC). GDPR Regulation, Official Journal of the European Union
Streamlining and simplifying EU Data Protection Regulations: The GDPR provides a single set of rules for all organisations that process data in the European Economic Area, to ensure that the underlying data protection concepts and principles remain the same in all Member States.
The GDPR governs all processing of personal data: If you collect, use or store personal data in digital, manual, handwritten or any other type of record, then the GDPR affects you.
The DPA 2018 (Data Protection Act 2018) gives effect to certain aspects of the GDPR in Irish Law. The “Health Research Regulation” (HRR), made under Section 36(2) of the DPA 2018, addresses specific health research requirements. HRR S.I. No. 314 of 2018
Amendments to the Health Research Regulations
The Amendments address five substantive areas, and Guidance material has been produced by the Department of Health in collaboration with the HSE, Health Research Board and Health Research Consent Declaration Committee in consultation with the Data Protection Commission:
- Processing of personal data to establish suitability or eligibility for inclusion in health research (Pre-screening)
  Guidance on Pre-screening: Amendment to the Health Research Regulations – January 2021
- Carrying out low risk retrospective chart reviews
  Guidance on Retrospective Chart Review: Amendment to the Health Research Regulations – January 2021
- Deferred consent for the processing of personal data for health research in exceptional situations
  Guidance on Deferred Consent: Amendment to the Health Research Regulations – January 2021
- Informed consent for health research obtained during the time of the EU Data Protection Directive
  Guidance on Informed Consent obtained in the time of EU Directive: Amendment to the Health Research Regulations – January 2021
- Explicit consent for processing personal data in a health research context
  Guidance on Explicit Consent: Amendment to the Health Research Regulations – January 2021
- Appeals and technical matters.
  Guidance on Appeals and Technical Amendments to the Health Research Regulations – January 2021
Amendments to HRR 5 May 2019
The Amendment can be accessed at the following link:
http://www.irishstatutebook.ie/eli/2021/si/18/made/en/print?q=18&years=2021
Contact Details for DPOs
- Hospital DPOs (PDF)
- CHO DPOs (PDF)
Practical advice for Researchers
Essentials for HSE staff involved in Research

Data Protection in Research Essentials for HSE Researchers [Download poster]
Research, Evaluation and Audit
The NHS’s Health Research Authority, in conjunction with the UK’s Medical Research Council, has developed a useful decision-making tool to help you decide if your activity is a research project, clinical audit, evaluation study or usual practice.
You can find this decision-making tool on their webpages by clicking on the following weblink: http://www.hra-decisiontools.org.uk/research/index.html
(Source: HRB)
What constitutes Personal Data as it applies to Research
Personal Data: means any information relating to an identified or identifiable natural person, i.e. a living individual (“Data Subject”), where the Data Subject can be identified or is identifiable, directly from the information in question or indirectly from that information in combination with other information.
Special Category Personal Data: This type of data, commonly referred to as sensitive data, includes Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.
Genetic Data: is Personal Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
For example: in some clinical trials, samples are taken from the subjects or patients in order to characterise their genetic profile and to use this information to correlate sub-populations of patients responding to the treatment to a specific genetic profile, which then may be studied and validated as a biomarker.
Data Concerning Health: is Personal Data related to the past, current or future physical or mental health of a data subject, which could directly or indirectly allow his/her identification.
Biometric data: means Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images, fingerprints, models, similarity scores, behaviour data and all verification or identification data excluding the individual’s name and demographics.
Obtaining a Consent Declaration
Health researchers must obtain the explicit consent of the individual before they conduct health research. In limited situations, when obtaining consent will not be possible and the public interest significantly outweighs the need for explicit consent, researchers need to obtain a Consent Declaration from the Health Research Consent Declaration Committee in order to proceed.
The Health Research Consent Declaration Committee (HRCDC) was established as part of the Health Research Regulations made under the Data Protection Act, 2018.
In such cases the HRCDC has a decision-making role.
Supporting Tools for HSE
The following tools will soon be available:
- A practical guide on Data protection for Health Researchers (HR-DPN)
- A DPIA Assessment Tool (HR-DPN)
- DPIA for Research Template (HSE R&D & HSE DPO Office)
- HSE Privacy notice (HSE R&D & HSE DPO Office)
- Decision-support tools (HSE R&D)
Training Material
- HRB GDPR & New HRR Briefing for Researchers 14/08/2018 (Source: HRB)
- HRB HRR Seminar (Source: HRB)
- GDPR Training (HSE only)
Further training material will be added soon.
Further information
- Suitable and Specific Measures (Source: HRB)
- Consent (Source: HRB)
- Consent Declaration (Source: HRB)
- Privacy Notice (Source: HRB)
- Data Protection Commission: GDPR Basics
- Data Protection Commissioner: Data Protection Guidelines on Research in the Health Sector
- Understanding the GDPR in a wider Legal Framework (YouTube video; source: HRB)
- HRR FAQ (Source: HRB)
- European Commission EU data protection rules (source: European Commission)
- What is the GDPR (GDPR.eu H2020 EC co-funded initiative)