What do Health Research Regulations 2018 mean for

health researchers?

Ruth Davis BL, PhD (Microbiology)

19/10/18

What are the Health Research Regulations 2018?

• Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018

• Statutory Instrument (S.I.) 314/2018

How do the new Health Research Regulations 2018 fit in with GDPR and Irish

legislation ? General Data Protection Regulation

Overarching European

Law

All Member States

Data Protection Act 2018

Irish Law

Gives effect to aspects of GDPR that are specific

to Ireland including

conditions for data processing

for research

Health Research Regulations 2018

Gives effect to GDPR and the Data Protection Act 2018 in the context of health research specifically

Data Protection Act 2018 • Data Protection Act 2018 (DPA 2018) is the Irish legislation that gives effect to aspects

of the EU's GDPR in Ireland

– Makes provisions for the processing of personal data (Section 42) and special categories of personal data (Section 54) for the purposes of:

• archiving in the public interest;

• scientific or historical research purposes; or,

• statistical purposes.

• The Data Protection Act 2018 requires that the processing of all personal data (including special categories of personal data) for the above purposes above comply with a number of conditions:

– that the personal data is processed in accordance with the conditions outlined in GDPR Article 89

– that the processing respects the principle of data minimisation (GDPR Article 5(1)(c))

– that suitable and specific measures are taken to safeguard the fundamental rights and freedoms of data subjects – Section 32

What do the Health Research Regulations 2018 do?

• Outline the mandatory suitable and specific measures for the processing of personal data for the purposes of health research (Regulation 3(1))

• Provide a definition of health research for the purposes of the regulation (Regulation 3(2))

• Provide for the possibility of applying for a consent declaration for new research (Regulation 5)

• Provide for transitional arrangements in respect of the granting of consent declarations for health research that is already underway (Regulation 6)

• Provide for the establishment and operation of a committee of persons to make decisions on applications for consent declarations, including an appeals process (Regulation 7-13 and Schedule)

• include a number of miscellaneous provisions (Regulations 14-16)

What are suitable and specific measures for the processing of personal data for health research?

• Necessary to achieve the objectives of the research and must not cause damage or distress

• Appropriate governance structures

• Appropriate processes and procedures

• Transparency arrangements (e.g. notices on websites, in public areas etc.)

• Must have explicit consent

M A N D A T O R Y

Codifies well-established

good research practices and governance

Why are these measures mandatory?

• Patient trust

• Public confidence and support

• Well regulated, sound information governance principles in line with international best practice

• Certainty, consistency and clarity of the data protection rules for those carrying out health research

What is health research for the purposes of the Health Research Regulations 2018?

• Research with the goal of understanding normal and abnormal functioning, at the molecular, cellular, organ system and whole body levels

• Research that is specifically concerned with innovative strategies, devices, products or services for the diagnosis, treatment or prevention of human disease or injury

• Research with the goal of improving the diagnosis and treatment (including the rehabilitation and palliation) of human disease and injury and of improving the health and quality of life of individuals

• Research with the goal of improving the efficiency and effectiveness of health professionals and the health care system

• Research with the goal of improving the health of the population as a whole or any part of the population through a better understanding of the ways in which social, cultural, environmental, occupational and economic factors determine health status

What is health research for the purposes of the Health Research Regulations 2018?

• It includes:

– Experimental, translational and clinical research

– Public health and social care research

– Population health research

– Basic and translational health research

– Research into treatment strategies, medical device or product development

• It also includes any actions taken to establish whether an individual may be suitable for inclusion in the research

What is not Research?

• Service evaluation

• Clinical audit

• Usual practice

Consent

• Unbundled: i.e. Separate from other terms and conditions. Not a precondition

• Granular: i.e. options to consent to different types of processing if appropriate

• Named: i.e. organisations and third parties relying on consent must be individually named - cannot use “categories” of third-party organisations

• Documented: i.e. records documenting consent

• Easy to withdraw: i.e. must tell people they have the right to withdraw their consent at any time, and how to do this

• Explicit consent

– Not defined

– Little difference with consent as defined by GDPR

– Express statement of consent

– No ambiguity

Consent

• Freely given, specific, informed and unambiguous indication of the data subject’s wishes signifying agreement

GDPR

• Freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

• personal data may be processed only if the data subject has unambiguously given his consent

Data Protection Directive 95/46/EC

• Consent by default (using opt out tick boxes rather than opt in)

• Presumed/implied consent is not valid

• Blanket consent is not valid

• Must be told how to withdraw consent

Consent

• Consent is one of the six GDPR legal bases

• Explicit consent is one of the GDPR Article 9 conditions for the processing of special categories of personal data

• Health Research Regulations 2018 requires explicit consent regardless of what GDPR legal basis or Article 9 conditions have been relied upon when processing personal data for health research purpose

What is a consent declaration?

• A declaration that the explicit consent of the data subject is not required

• Exceptional circumstances only

When might a consent declaration apply?

New research

• A researcher may apply if: – The research is of public importance and – the public importance of the research

outweighs to a significant degree the public interest in requiring the explicit consent of the individual whose data is being processed

Current research

• A researcher may apply if : – They have obtained explicit

consent of the individual(s) to use his or her data for the purpose of the health research in accordance with previous data protection legislation

Or … – The public importance of the

research outweighs to a significant degree the public interest in requiring the explicit consent of the individual whose data is being processed

Consent declarations

• Not a fix for past poor research practices

• Research Ethics Committee consent waiver is not the same as a consent declaration – Consent waivers do not and have never had any legal standing in the context

of the previous Data Protection Directive nor with GDPR and the new Health Research Regulations 2018

When is research considered to be current?

• Health research will be considered to be current where on or before 7 August 2018 the research has been approved by a research ethics committee

• The Health Research Regulations 2018 provide for an 9 month period of transition to allow for current health research projects reach the consent standard laid down by the GDPR or else to obtain a consent declaration where it can be demonstrated that this consent standard cannot be achieved

Who makes a consent declaration?

• Health Research Regulations 2018 describes a "Committee of Persons" which will by appointed by the minister and have the authority to assess and make consent declarations

• The Health Research Consent Declaration Committee will comprise: – > 15 and < 21 ordinary members

• Chairperson and two Deputy Chairpersons

• persons with knowledge of data protection law, research ethics, statistics or other relevant knowledge,

• persons with experience in healthcare or health research

• persons who are representative of data subjects

What is required for a Consent Declaration application?

New research (Regulation 5)

• Identify GDPR Article 6 lawful basis and Article 9(2) condition

• Identify data controller(s), data processors & responsibilities

• Can anonymised data not be used?

• How you are ensuring no damage/distress to individuals?

• How you are ensuring data minimisation is observed?

• How you are ensuring no disclosure beyond what has been consented or is required by law?

• That the suitable & specific measures are in place

• Data Protection Officer is in place

• Research ethics approval

• Copy of Data Privacy Impact Assessment

• Statement demonstrating how the public interest in carrying out the research significantly outweighs the public interest in requiring consent and explaining the reasons why it is not proposed to seek the consent of the individual

What is required for a Consent Declaration application?

Current research (Regulation 6(4))

• Identify GDPR Article 6 lawful basis and Article 9(2) condition • Identify data controller(s), data processors & responsibilities • Can anonymised data not be used? • How you are ensuring no damage/distress to individuals? • How you are ensuring data minimisation is observed? • How you are ensuring no disclosure beyond what has been consented or is required by law? • That the suitable & specific measures are in place • Data Protection Officer is in place • Research ethics approval • Copy of Data Privacy Impact Assessment • Statement demonstrating how the public interest in carrying out the research significantly outweighs

the public interest in requiring consent and explaining the reasons why it is not proposed to seek the consent of the individual (Regulation 6(4)(a))

or • Reasonable efforts were made to contact the individual(s) who previously provided consent for the

health research in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 and the Data Protection Acts 1988 and 2003 for the purposes of reobtaining their consent (Regulation 6(4)(b))

Decisions of the Health Research Consent Declaration Committee

• The Committee may: – make a consent declaration

– make a consent declaration subject to conditions to protect the interests of an individual likely to be affected by the consent declaration

– refuse to make a consent declaration

– revoke a consent declaration

– request additional information

– consult with any person who it believes can assist it in its deliberations

Appealing committee decisions

• An applicant may appeal – the refusal of the committee to make a declaration or

– any of the conditions attached to the making of a declaration

– the revocation of a consent declaration

Health Research Consent Declaration Committee Secretariat

• The Health Research Consent Declaration Committee will be supported by a secretariat

• The secretariat is being provided by a new team in the HRB

• Key roles of secretariat

- Central point of contact, Helpdesk

- Support Committee’s work

- Manage process for applying for Consent Declaration

- Follow up on any Consent Declarations made

- Establish guidelines etc.

- Coordination of training and CPD activities in conjunction with the Committee

Decision tree

• The HRB has developed the following decision tree to help researchers assess:

– whether they might be eligible to submit an application to the Health Research Consent Declaration Committee to obtain a consent declaration, and

– whether such an application should be made under the transitional arrangements or as a new research project

• This decision tree also outlines a number of important preliminary steps that must be completed by researchers prior to the submission of any application to the Health Research Consent Declaration Committee

• URL … http://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research/consent/health-research-consent-declaration-committee/consent-declaration-decision-tree/

Actions for researchers …

• Read more about GDPR and health research at:

http://www.hrb.ie/funding/gdpr-guidance-for-researchers/

• Consult your Data Protection Officer

• Use the decision tree to see if you need to apply for a consent declaration and if so, whether you are applying as a new research project or as a current research project

• Undertake a Data Protection Impact Assessment

• Consider anonymising the personal data that you are using

• Where necessary, try to obtain the explicit consent of the people whose data you are using

Information resources

• Guidance on GDPR and the new Health Research Regulations 2018 may be found at:

• http://www.hrb.ie/funding/gdpr-guidance-for-researchers/