Data Protection and Research

The EU General Data Protection Regulation (GDPR) came into effect on 25th May 2018.

Health Research Regulations: came into on 8th August 2018. The regulation requires that explicit consent and ethical approval is obtained for the use of personal data for research purposes. Researchers must also have completed training in data protection law, and conducted an assessment of the data protection implications of the health research, in addition to having data protection controls in place.

Personal Data: GDPR governs the collection, use and storage of living individual’s personal data (e.g. name, address, contact details, medical record number, research related pseudonymisation number), in any format (e.g. digital, manual, handwritten, etc.).

The Health Research Board have outlined guidanace on GDPR for health researchers.

Principles of GDPR

Lawfulness, Fairness and Transparency

Lawfulness

The HSE provides care, treatment and services to a large number of people every year. The various Health Acts provide us a legal basis for the processing of their personal data (in line with Article 6 or GDPR). Where ‘special category’ data is processed, we must be satisfied, not just that we have a lawful basis but also that we are meeting one of the requirements under Article 9 of GDPR.

Fairness

Relates to how we inform people about the way we process their data.

Transparency

Transparency relates to how we ensure people know what personal data we hold about them, how we process it and for what purpose. This is contained with the HSE Privacy Notice and Privacy Notice for HSE employees.

Purpose Limitation

Purpose limitation is about using personal data in a way that is in-keeping with the purpose for which you first collected it. Explicit consent is required for further processing.

Data Minimisation

You should only collect or process data to the extent that it is relevant and necessary to accomplish a specified purpose; if it’s not needed…don’t collect or use it.

Accuracy

Personal information must be recorded accurately and kept up to date. Under GDPR, people can ask that their personal data be updated or deleted if they believe it is incomplete or inaccurate.

Storage Limitation

Only keeping data for as long as you need it.

Integrity and Confidentiality

It is the responsibility of the HSE as Data Controller to ensure that data is processed safely and stored securely, e.g. physical access restriction, password protection, use of encrypted devised and USB keys, not removing personal data from HSE premises without prior authorisation.

Access

Under GDPR, people have the right to access the information held about them. This is called a Subject Access Request (SAR). Service users should be informed that they can apply to the service for a copy of their records. The HSE has 1 month to provide the information that is requested via SAR. Service users can ask that personal data be updated or deleted it they believe it is incomplete or inaccurate.

Accountability

The HSE has overall responsibility – is accountable – for making sure the principles of GDPR are followed at all times when data is processed, including data protection policies, procedures for reporting data breaches, procedures for keeping data safe and secure, privacy notices to inform members of the public and staff about data protection in the HSE.

Top Tips for data protection compliance in Health Research:

  1. Consider the legal entities involved – When preparing a consent form make sure to list all data processors and data controllers involved.  In thinking this through, it may be helpful to consider the different legal entities involved.  For example, if you are doing your research in a hospital and there is also an academic institution involved in your project, you may need to list them as a data processor or a data controller on your patient information leaflet. Think of any other legal entities who you may be sharing the personal data with during the course of your project, these may need to be listed on your consent form.
  2. You can never own an individual’s personal data, you will simply become a custodian of the personal data.  As such, treat personal data like something valuable which you have been entrusted with.

Key legislation on Data Protection and GDPR

Key Websites on Data Protection:

Key Documents on Data Protection: