Research Data Management: Data Protection

• The General Data Protection Regulation (GDPR) came into force 25 May 2018.
• GDPR applies to any research that uses personal data, including scientific research and studies in the arts and humanities.
• It is important to know that Ireland has introduced detailed Health Research Regulations that anyone, who works with health related personal data needs to be aware of.
• Informed consent must be gained for preservation and/or sharing of personal data.
• Consider anonymisation of personal data for preservation and/or sharing (truly anonymous data are no longer considered personal data).

The General Data Protection Regulation (GDPR) came into force in May 2018. It aims at empowering the citizens and provides a modernised, single set of data protection and privacy rules across Europe.

Data protection law covers most situations in which information about somebody (the ‘personal data’ of a ‘data subject’) is used in some way (‘processed’) by some other person or organisation (the ‘data controller’), other than in a purely personal context.

Organisations, which includes universities, that process personal data in the context of their activities, are classed as data controllers, when they decide the ‘why’ and ‘how’ of the processing.  Data processors, on the other hand, are those organisations or bodies, that process personal data ‘on behalf of’ one or more data controllers. Under GDPR, both controllers and processors are subject to increased obligations, especially in terms of accountability for their processing.

Individuals whose personal data are used have a fundamental right to privacy. It is important for organisations, which process personal data, to be cognisant of any data subject rights and of how to best facilitate individuals to make use of their rights.

Any processing of personal data needs to be based on one or more legal basis. This means in data protection terms a ‘legal basis’ (also referred to as a ‘lawful basis’ or ‘lawful reason’) the legal justification for the processing of personal data. A valid legal basis is required in all cases if a data subject’s personal data are to be lawfully processed in line with data protection law.

GDPR also applies to any research that uses personal data, including scientific research and studies in the arts and humanities. Anytime sensitive, special category personal data are processed, researchers need to be aware that the processing of such data is generally prohibited, unless certain conditions apply as per GDPR Article 9 (2).

Please note, this is not legal advice.

Research using health related personal data

Ireland has introduced detailed Health Research Regulations (HRR) that anyone, who works with health - related personal data needs to be aware of.

Key messages

• The Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018, commonly referred to as the Health Research Regulations (HRR) apply to all health research being carried out in Ireland. These regulations have been brought in under the GDPR which gives EU Member States the right to modify rules for research.
• Under the Irish regulations, there is a firm requirement to have explicit consent of data subjects for health research as a ‘safeguard’. This is in addition to other suitable and specific measures. Health research projects of substantial public interest, where explicit consent is not feasible to obtain, need to apply to the Health Research Consent Declaration Committee (HRCDC) 
• Any collaborative research where more than one organisation can make decisions on how and why personal data is processes, should put joint controller agreements in place, which clearly define each party’s roles and responsibilities in terms of data protection obligations.
• A Data Protection Impact Assessment (‘DPIA’) will normally be required for Health Research under the Health Research Regulations and as part of your ethics application. DPIAs need to outline the rationale for the research you plan to undertake. They identify and assess risks to data subjects and develop risk mitigating measures to ensure compliance with data protection. The types of items that will be considered in a DPIA are: types and quantities of data collected; data flows and disclosures; data minimisation technologies and security. 
• You should ensure you and your research partners have considered all your obligations in terms of the legislation and that you have agreed processes and procedures in place for handling of any requests, such as access requests, and these are documented within agreements as needed.
• Researchers are required to submit health research projects to an appropriate UCD research ethics committee for ethical review i.e., HREC-HS and HREC-LS.
• An application that is not compliant with the Health Research Regulations and GDPR cannot be approved by the UCD HRECs (or AREC where appropriate). Data protection issues must be addressed in applications for ethical approval.

Please note, this is not legal advice.