Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021

• Jurisdiction: Ireland
• Citation: IR SI 18/2021
• Year: 2021

Notice of the making of this Statutory Instrument was published in

“Iris Oifigiúil” of 29th January, 2021.

I, STEPHEN DONNELLY, Minister for Health, in exercise of the powers conferred on me by section 36 (2) of the Data Protection Act 2018 (No. 7 of 2018), and having duly complied with subsections (5)(b) and (6) of section 36 of the Data Protection Act 2018 , hereby make the following regulations:

1. These Regulations may be cited as the Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021.

2. In these Regulations, “Principal Regulations” means the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 ( S.I. No. 314 of 2018 ).

3. Regulation 2 of the Principal Regulations is amended, in paragraph (1), by the insertion of the following definition:

“ ‘health practitioner’ has the same meaning as it has in section 2 of the Health Identifiers Act 2014 (No. 15 of 2014);”.

4. Regulation 3 of the Principal Regulations is amended -

(a) in paragraph (1), by the substitution of the following paragraph for paragraph (e):

“(e) subject to Regulations 3A and 3B, explicit consent has been obtained from the data subject, as a suitable and specific measure recorded and retained by the controller, and a copy of which is provided to the data subject prior to the commencement of the health research in accordance with international best practice on the ethical conduct of health research (which includes informed consent, transparency and independent ethical oversight) for the processing of his or her personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof.”, and

(b) in paragraph (2), by the substitution of the following subparagraphs for subparagraph (b):

“(b) Health research referred to in clause (i) to (v) of subparagraph (a) shall include action taken by the controller that has obtained the personal data to establish whether an individual may be suitable or eligible for inclusion in the research and such action shall not require explicit consent or ethical approval by a research ethics committee where such action is in accordance with subparagraph (c).

(c) Explicit consent or ethical approval referred to in subparagraph (b) shall not be required where -

(i) the action is taken by a health practitioner employed by the controller or a person studying to be a health practitioner who is under the direction and control of the controller,

(ii) the action is taken by an employee of the controller (other than a health practitioner in clause (i)) who, in the course of his or her duties for the controller, would ordinarily have access to the personal data of individuals held by the controller that was obtained for the provision of health care to those individuals, or

(iii) subject to subparagraph (d), the action is taken by a person (in this clause referred to as an ‘authorised person’) who is an employee of -

(I) an institution of higher education within the meaning of section 1(1) of the Higher Education Authority Act 1971 (No. 22 of 1971),

(II) a body or person that has as its principal activity the provision, management or development of a health practitioner, or

(III) a registered charitable organisation within the meaning of the Charities Act 2009 (No. 6 of 2009), one of whose objects is to support research and education in the health services,

and that authorised person is under the direction and control of a health practitioner who is an employee of the controller.

(d) An authorised person referred to in subparagraph (c)(iii) may only undertake such action without explicit consent where -

(i) the controller has put in place and made public, including on its website, a process for authorising a person as an authorised person for the purposes of such action,

(ii) the arrangements made by the controller to ensure that personal data are processed in a transparent manner under Regulation 3(1)(d) include where a person has been authorised by the controller as an authorised person, notices and posters on display in those public areas of the data controller’s organisation where individuals attend for the provision of health care stating that -

(I) the controller has appointed an authorised person who may, without explicit consent, access and use the personal data held by the controller for the sole purpose of establishing whether an individual who has been provided with health care from the controller may be suitable or eligible for inclusion in specified health research, and

(II) that any personal data accessed and used by an authorised person without explicit consent shall be only such data that is required to assist in determining the...