GDPR: Implementing Additional Data Protection Rules In Health Research

Author: Mr Rob Corbet
Profession: Arthur Cox

Data controllers conducting "Health Research" must be conscious of the recent signing of the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. No. 314/2018), as they introduce material changes to the rules governing how health research can be conducted in Ireland.


The Regulations build on the existing themes of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, by applying a third layer of specific data protection rules to health research in Ireland.

The mandatory additional requirements for health research were brought about through a consultation process between the Minister for Health and the Data Protection Commission. Significantly, the Regulations were adopted on 8 August 2018, within three months of commencement of the GDPR and the Data Protection Act 2018, illustrating that this is a high priority issue for the government and the Data Protection Commission and likely to be actively enforced.

To the extent that the Regulations are silent on specific aspects of data processing, the GDPR and the Act continue to apply.


Under Article 9(2)(i) of the GDPR, the processing of special categories of data (such as data relating to health) for reasons of public interest in the area of public health is subject to "suitable and specific measures" to safeguard the rights and freedoms of data subjects. Similarly, under Section 42(1) of the Data Protection Act 2018, the processing of personal data for scientific research purposes is subject to "suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects". Section 42(2) goes on to provide that such processing must "respect the principle of data minimisation", while Section 42(3) states that such processing should only identify the data subjects to the extent necessary for the scientific research.

Where scientific research involves the processing of special categories of data (such as data relating to health), Article 9(2)(j) of the GDPR requires that such processing must:

be proportionate to the aim pursued;
respect the essence of the right to data protection; and
provide again for "suitable and specific measures" to safeguard the fundamental rights and interests of the data subject.

The GDPR does not define "suitable and specific measures" but Section 36(1) of the Act partially does. It provides a non-exhaustive list of "suitable and specific measures" that may be adopted by controllers where personal data is being processed for research purposes under Section 42. However, Section 36(2) also provides for further regulations to be made identifying further suitable and specific measures to those listed in Section 36(1) and/or to specify that certain suitable and specific measures be mandatory in some cases.


The GDPR contains a number of provisions that apply to health research. For example, the GDPR provides that processing for scientific research purposes should be "interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research" (Recital 159 GDPR). In addition, scientific research should be subject to "appropriate safeguards" in respect of "the rights and freedoms of the data subject" under Article 89(1). The Regulations are in effect Ireland's attempt to prescribe "appropriate safeguards" in the specific context of...
