Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018

• Jurisdiction: Ireland
• Year: 2018
• Citation: IR SI 314/2018

Notice of the making of this Statutory Instrument was published in

“Iris Oifigiúil” of 10th August, 2018.

I, SIMON HARRIS, Minister for Health, in exercise of the powers conferred on me by section 36 (2) of the Data Protection Act 2018 (No. 7 of 2018), and having duly complied with subsections (5)(b) and (6) of section 36 of the Data Protection Act 2018 , hereby make the following regulations:

1. (1) These Regulations may be cited as the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018.

(2) These Regulations shall come into operation on 8 August 2018.

2. (1) In these Regulations—

“appeal panel” means a panel established by the Minister under Regulation 11(2);

“appellant” has the meaning given to it by Regulation 11(1);

“applicant” has the meaning given to it by Regulation 8(1);

“Committee” means the committee of persons appointed by the Minister under Regulation 7;

“declaration” means a declaration referred to in Regulation 5(2) or 6(5);

“health research” has the meaning given to it by Regulation 3(2);

“Minister” means the Minister for Health;

“research ethics committee” has the meaning given to it by Regulation 4(3).

(2) Unless the context otherwise requires, a reference to a numbered Article is a reference to the Article so numbered in the Data Protection Regulation.

3. (1) A controller who is processing or further processing personal data for the purposes of health research shall ensure that the following suitable and specific measures are taken to safeguard the fundamental rights and freedoms of the data subject:

(a) arrangements are in place so that personal data shall be processed as is necessary to achieve the objective of the health research and shall not be processed in such a way that damage or distress is, or is likely to be, caused to the data subject;

(b) appropriate governance structures for the carrying out of the health research are in place, including—

(i) ethical approval of the health research by a research ethics committee,

(ii) specification of the controller involved,

(iii) in the case of joint controllers within the meaning of Article 26, compliance with Article 26,

(iv) specification of any data processors involved,

(v) specification of any person who provides funding for, or otherwise supports, the project,

(vi) specification of any person (other than a person in clause (iii) or (iv)) with whom it is intended to share any of the personal data collected (including where it has been pseudonymised or anonymised) and the purpose of such sharing,

(vii) provision of training in data protection law and practice to those individuals involved in carrying out the health research;

(c) the following processes and procedures relating to the management and conduct of the health research are in place:

(i) the carrying out of an assessment of the data protection implications of the health research;

(ii) where the assessment carried out under clause (i) indicates a high risk to the rights and freedoms of individuals, the carrying out of a data protection impact assessment;

(iii) measures that demonstrate compliance with the data minimisation principle in Article 5(1)(c);

(iv) controls to limit access to the personal data undergoing processing in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data;

(v) controls to log whether and by whom personal data have been consulted, altered, disclosed or erased;

(vi) measures to protect the security of the personal data concerned;

(vii) arrangements to anonymise, archive or destroy personal data once the health research has been completed;

(viii) other technical and organisational measures designed to ensure that processing is carried out in accordance with the Data Protection Regulation, together with processes for testing and evaluating the effectiveness of such measures;

(d) arrangements to ensure that personal data are processed in a transparent manner are identified and in place;

(e) explicit consent has been obtained from the data subject, prior to the commencement of the health research, for the processing of his or her personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof.

(2)(a) In paragraph (1), “health research” means any of the following scientific research for the purpose of human health:

(i) research with the goal of understanding normal and abnormal functioning, at molecular, cellular, organ system and whole body levels;

(ii) research that is specifically concerned with innovative strategies, devices, products or services for the diagnosis, treatment or prevention of human disease or injury;

(iii) research with the goal of improving the diagnosis and treatment (including the rehabilitation and palliation) of human disease and injury and of improving the health and quality of life of individuals;

(iv) research with the goal of improving the efficiency and effectiveness of health professionals and the health care system;

(v) research with the goal of improving the health of the population as a whole or any part of the population through a better understanding of the ways in which social, cultural, environmental, occupational and economic factors determine health status;

(b) Health research referred to in clause (i) to (v) of subparagraph (a) may include action taken to establish whether an individual may be suitable for inclusion in the research.

4. (1) Health research to which these Regulations apply shall be regarded as commencing on the day that the research receives ethical approval from a research ethics committee.

(2) For the purposes of these Regulations, any of the following issues associated with health research which form the basis of consideration for ethical approval by a research ethics committee shall be an ethical issue:

(a) whether the health research is likely to substantially assist in—

(i) the advancement or protection of human health, whether of the population as a whole or of any part of the population,

(ii) the scientific understanding of human health,

(iii) the understanding of social factors affecting human health,

(iv) the identification, prevention or treatment of illness, disease or other medical impairment, or

(v) the effective management of health services, including improvements in the delivery of those services;

(b) whether the controller proposing to carry out the health research has identified and assessed the potential benefits and risks associated with the health research;

(c) whether the controller proposing to carry out the health research will make every effort to ensure that the participation of individuals in the health research will be informed and voluntary;

(d) whether the controller proposing to carry out the health research is qualified to carry out the research concerned;

(e) whether there are adequate safeguards in place to protect the privacy of individuals participating in the health research and the confidentiality of their personal data;

(f) whether the research methodology proposed is, in the view of the research ethics committee, appropriate;

(g) whether any controller who will be carrying out the health research concerned is independent of any person who provides funding for, or otherwise supports, the project;

(h) any other matter relating to the health research concerned that, in the view of the research ethics committee, will undermine public confidence in health research generally.

(3) In this Regulation “research ethics committee” means a committee to consider the ethical issues associated with health research established by one or jointly by more than one person or body that—

(a) is a Minister of the Government,

(b) is a body established under—

(i) an Act of the Oireachtas,

(ii) a statute that was in force in Saorstát Eireann immediately before the date of the coming into operation of the Constitution and that continues in force by virtue of Article 50 of the Constitution, or

(iii) an instrument made under an Act of the Oireachtas or a statute referred to in clause (ii),

(c) is an institution of higher education within the meaning of section 1(1) of the Higher Education Authority Act 1971 (No. 22 of 1971),

(d) has as its principal activity—

(i) the provision, management or development of a health practitioner (within the meaning of the Health Identifiers Act 2014 (No. 15 of 2014)), or

(ii) the carrying out of social and economic or health research.

5. (1) A controller proposing to process or further process personal data for the purposes of health research which commenced on or after 8 August 2018 may apply to the Committee, in accordance with paragraph (4), for a declaration where he or she is of the view that the public interest in carrying out the research significantly outweighs the public interest in requiring the explicit consent of the data subject under Regulation 3(1)(e).

(2) A declaration for which a controller may apply under paragraph (1) is a declaration by the Committee that explicit consent by a data subject is not required by the controller.

(3) A controller making an application under paragraph (1) shall, prior to making that application—

(a) carry out a data protection impact assessment in accordance with Article 35(1), and

(b) obtain ethical approval of the health research from a research ethics committee.

(4) An application under paragraph (1) shall be made in writing to the Committee and the controller making the application shall as part of that application furnish the following to the Committee:

(a) written information that clearly identifies—

(i) that the controller has a valid and lawful basis for the processing of the personal data, and

(ii) that the controller meets one of the conditions in Article 9(2);

(b)...