It’s a busy time for privacy pros in the healthcare sector in Ireland at the moment. They are working hard not just to comply with GDPR but also to roll out a new framework for processing data for health research.
The Irish Government’s Health Research Regulations 2018 apply in addition to the GDPR and the Data Protection Act 2018, so organisations are now creating processes to ensure that they comply with all of these regimes, in addition to any other regulations relating to health research/clinical trials (including the Clinical Trials Regulation (EU Regulation 536/2014), due to commence in 2020).
In summary, the Health Research Regulations set out ‘suitable and specific measures’ to be implemented when processing personal data for health research. These measures include a requirement that personal data is not processed in a way that causes damage or distress to data subjects. Governance structures must be in place, including: processes for ethical approval; compliance with GDPR; and specification of the controller, funders and those with whom the personal data will be shared (even where the data is anonymised or pseudonymised). There is also a requirement to provide data protection training to researchers.
Furthermore, specific processes must be in place for the management and conduct of health research including DPIAs; data minimisation; access controls; security measures and compliance with GDPR. An important issue is the requirement to obtain the explicit consent of data subjects. While consent is just one of the lawful bases under which health data can be processed under Articles 6 and 9 of the GDPR, under the Health Research Regulations in Ireland, organisations must obtain the explicit consent of data subjects to process their personal data for the purposes of health research, even where another lawful basis under Articles 6 and 9 of the GDPR exists.
There is an exemption to the requirement to obtain explicit consent under the Regulations where organisations apply for a “Consent Declaration”. This involves the Government’s Consent Declaration Committee assessing the proposed research and finding that explicit consent is not required because the public interest in carrying out the research outweighs the public interest in requiring explicit consent. Utilising this exemption may prove to be an arduous task, however, due to the extent of the information to be provided with the application and the conditions to be fulfilled in advance of the application. There is also a transition period for research which commenced before 8 August 2018: organisations must obtain the explicit consent of the data subjects before 7 August 2019 or seek a Consent Declaration.
The Regulations go over and above GDPR and may result in delays to research projects, certainly at the beginning stages while organisations implement the necessary processes and await Consent Declarations from the Consent Declaration Committee. At this point, most organisations engaged in health research in Ireland should have assessed their ongoing health research projects and determined whether appropriate levels of consent have been obtained or whether they must make an application for an exemption before the August deadline. DPOs must make sure that they are included in the process also. There’s never a dull moment for privacy pros!
This article first appeared in the IAPP’s European Digest.