The following steps will help researchers to fulfill their data protection obligations when doing research:
Step 1: Identify the Data Controller/s and Data processor/s
Firstly, researchers need to identify the organisations that hold the data controller and processor roles for the research project.
To help you with this, identify the personal data you intend to use and map the data processing required for your project.
Step 2 for Data Controllers
If your organisation is the data controller for the study data:
- Determine the legal basis for the processing of the data. If in doubt, consult with the data controller DPO
- Determine whether your project requires a Data Protection Impact Assessment (DPIA) by using the Risk Scoring tool.
- The Risk Scoring Tool (RST) factors the legal exceptions where a DPIA is mandatory, or not required.
- The project does not require a DPIA If the RST score is “low”. The completed RST template, indicating that a DPIA is not required, should be submitted to the HSE Research Ethics Committees.
- The project requires a DPIA If the score is “likely to be high”. In this case, the Data Controller DPIA template should be completed and submitted to the Data controller’s Data Protection Officer (DPO). Such DPO should annotate the DPIA. In the case of joint controllership, the DPOs of each organisations must annotate the DPIA. A downloadable list of DPO contact details for hospitals, community services, and HSE national/corporate services and the DPIA for research template is available.
- For Regulated Clinical Trials involving multiple sites, it is recommended that the following protocol for the DPIA Review is used.
Step 2 for Data Processors
If your organisation is the processor of the study data:
- You must enter into a Data Sharing Agreement with the Controller. The controller and the processor should entered into this agreement before the processing starts. The Controller is the entity that must initiate and manage this process.
- Please note that you should only process data as prescribed in the data sharing agreement. Processing must not step beyond the processing required in such. If in doubt consult your DPO.
- For further guidance please, see the HSE R&D Webinar on how to complete a DPIA in HSELand or download the presentation slides.