The Department of Health recently published an update on the Health Research Regulations 2018, which will be of significant interest to those involved in "health research", including in the area of clinical trials.
This is to be welcomed and represents an opportunity for the Department to address some of the more challenging aspects of the Health Research Regulations based on input from relevant stakeholders, including hospitals and the wider research community.
The Health Research Regulations - A recap
The Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. 314/2018) (the "Health Research Regulations" or the "Regulations") were adopted on 8 August 2018, just three months after commencement of the General Data Protection Regulation ("GDPR"). As explained in our previous briefing (available here), the Regulations introduced material changes to the rules governing how health research can be conducted in Ireland.
The key changes introduced were as follows:
A new statutory definition of "Health Research"; Prescribing a list of mandatory "suitable and specific measures" that must be adopted when processing personal data for Health Research purposes, including a general requirement that "explicit consent" be obtained from data subjects; and Identifying exceptional circumstances in which the explicit consent requirement is not required and laying down a detailed process to be followed in such cases. 2. The legislative backdrop to the Health Research Regulations
Before considering the Department's recent update, it is worth briefly considering the legislative backdrop to the Health Research Regulations. The GDPR defines genetic data as "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question".
The GDPR expressly includes such "genetic data" as a special category of personal data ("SCPD"), meaning it is subject to a higher standard of data protection. In particular, this requires that one or more of the conditions under Article 9 of the GDPR must be met in order to legitimise the processing of genetic data. Article 9(2)(a) provides that explicit data subject consent is one such condition, while others potentially suitable in a Health Research context are as follows:
Article 9(2)(i), which permits such processing where "necessary for reasons of public interest in the area of public health... ensuring high standards of...