Data Protection and Research

The Health Service Executive (HSE) must comply with all applicable data protection, privacy and security laws and regulations in the locations in which we operate. Through maintaining a high standard of data protection the HSE wants to foster a culture that is honest, compassionate, transparent and accountable and promote research


On 22 January 2020 the Minister for Health, Stephen Donnelly TD, has made amendments to the Health Research Regulations 2018 (S.I. No. 314 of 2018).

Data protection in research: GDPR, Health Research Regulations

The GDPR (General Data Protection Regulation (EU) 2016/679) came into force and took direct effect across all of Europe on 25th May 2018 replacing the Data Protection Directive (95/46/EC). GDPR Regulation, Official Journal of the European Union

Streamlining and simplifying EU Data Protection Regulations: The GDPR provides a single set of rules for all organisations that process data in the European Economic Area to ensure that data protection underlying concepts and principles remain the same in all Member States.  

The GDPR governs all processing of personal data: If you collect, use or store personal data, digital, manual, handwritten or any type of record, then GDPR affects you.

The DPA 2018 (Data Protection Act 2018) gives effect to certain aspects of the GDPR in Irish Law. Section 36(2) of the DPA 2018 the “Health Research Regulation” (HRR) addresses specific health research requirements. HRR S.I No. 314 of 2018

Amendments to the Health Research Regulations

The Amendments address five substantive areas, and Guidance material has been produced by the Department of Health in collaboration with the HSE, Health Research Board and Health Research Consent Declaration Committee in consultation with the Data Protection Commission: 

Amendments to HHR 5 May 2019

The Amendment can be accessed at the following link:

Contact Details for DPOs

Practical advice for Researchers

Essentials for HSE staff involved in Research

data protection algorithm thumbnail

Data Protection in Research Essentials for HSE Researchers [Download poster]

Research, Evaluation and Audit

The NHS’s Health Research Authority in conjunction with the UK’s Medical Research Council have developed a useful decision making tool to help you decide if your activity is a research project, clinical audit, evaluation study or usual practice.

You can find this decision-making tool on their webpages by clicking on the following weblink:
(Source: HRB)

What constitute Personal Data as it applies to Research

Personal Data: means any information relating to an identified or identifiable natural person i.e. living individual (“Data Subject“), where the Data Subject can be identified or is identifiable, directly from the information in question or indirectly from that information in combination with other information(s).

Special Category Personal Data: This type of data, commonly referred to as sensitive data, includes Personal Data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

Genetic Data: is Personal Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

For example: in some clinical trials, samples are taken from the subjects or patients in order to characterise their genetic profile and to use this information to correlate sub-populations of patients responding to the treatment to a specific genetic profile, which then may be studied and validated as a biomarker.

Data Concerning Health: is Personal Data related to the past, current or future physical or mental health of a data subject, which could directly or indirectly allow his/her identification.

Biometric data: means Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images, fingerprints, models, similarity scores, behaviour data and all verification or identification data excluding the individual’s name and demographics.

Obtaining a Consent Declaration

What is a Consent Declaration

Health researchers must obtain the explicit consent of the individual before they conduct health research. In limited situations, when obtaining consent will not be possible and the public interest significantly outweighs the need for explicit consent researchers need to obtain a Consent Declaration from the Health Research Consent Declaration Comittee in order to proceed.

The Health Research Consent Declaration Committee (HRCDC) was established as part of the Health Research Regulations made under the Data Protection Act, 2018.

In such cases the HRCDC has a decision making role.

Consent Declaration Process

Supporting Tools for HSE

The following tools will soon be available:

Training Material

Further training material will be added soon.

Further information

Back to top