Research Data Management: Data Protection

Bringing together University resources and services to facilitate researchers in the production of high quality data.

At a Glance

The General Data Protection Regulation (GDPR) came into force 25 May 2018.
GDPR applies to any research that uses personal data, including scientific research and studies in the arts and humanities.
It is important to know that Ireland has introduced detailed Health Research Regulations that anyone, who works with health related personal data needs to be aware of.
Informed consent must be gained for preservation and/or sharing of personal data.
Consider anonymisation of personal data for preservation and/or sharing (truly anonymous data are no longer considered personal data).

Help@UCD: UCD Data Protection

UCD GDPR - Personal Data & Research
Find out how GDPR will impact research that uses personal date and what measures can be taken to protect the rights of the individual data subjects concerned.
UCD GDPR - Irish Health Research Regulations
It is important to know that Ireland has introduced detailed Health Research Regulations (HRR) that anyone, who works with health-related personal data needs to be aware of. Any research using personal health data needs to comply with the Health Research Regulations.
UCD Data Protection Policy [pdf]
This policy applies to all personal data created or received in the course of University business in all formats, of any age.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) came into force in May 2018. It aims at empowering the citizens and provides a modernised, single set of data protection and privacy rules across Europe.

Data protection law covers most situations in which information about somebody (the ‘personal data’ of a ‘data subject’) is used in some way (‘processed’) by some other person or organisation (the ‘data controller’), other than in a purely personal context.

Organisations, which includes universities, that process personal data in the context of their activities, are classed as data controllers, when they decide the ‘why’ and ‘how’ of the processing. Data processors, on the other hand, are those organisations or bodies, that process personal data ‘on behalf of’ one or more data controllers. Under GDPR, both controllers and processors are subject to increased obligations, especially in terms of accountability for their processing.

Individuals whose personal data are used have a fundamental right to privacy. It is important for organisations, which process personal data, to be cognisant of any data subject rights and of how to best facilitate individuals to make use of their rights.

Any processing of personal data needs to be based on one or more legal basis. This means in data protection terms a ‘legal basis’ (also referred to as a ‘lawful basis’ or ‘lawful reason’) the legal justification for the processing of personal data. A valid legal basis is required in all cases if a data subject’s personal data are to be lawfully processed in line with data protection law.

GDPR also applies to any research that uses personal data, including scientific research and studies in the arts and humanities. Anytime sensitive, special category personal data are processed, researchers need to be aware that the processing of such data is generally prohibited, unless certain conditions apply as per GDPR Article 9 (2).

Please note, this is not legal advice.

Data Protection Commissioner (DPC) - Special Category Data
Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. Processing of these special categories is prohibited, except in limited circumstances set out in Article 9 of the GDPR.
Data Protection Commission (DPC) - Data Protection Basics
This guidance note, on ‘Data Protection Basics’, aims to address some of the most common questions about data protection law and to clarify the basic principles underlying data protection. This guidance covers the different laws which apply in a data protection context and when they apply, as well as the meaning of ‘personal data’ and ‘processing’, and how to identify a ‘data controller’ and what their obligations are. It aims to explain the requirement for a ‘legal basis’ to justify the processing of personal data, and outline the rights which individual ‘data subjects’ have and how they can exercise them. It also sets out the basics of the rules around electronic direct marketing as well as the use of cookies and other similar technologies. This guidance should assist both data subjects, as well as data controllers.
Data Protection Commission (DPC) - Anonymisation and pseudonymisation
European Citizens have a fundamental right to privacy, it is important for organisations which process personal data to be cognisant of this right. When carried out effectively, anonymisation and pseudonymisation can be used to protect the privacy rights of individual data subjects and allow organisations to balance this right to privacy against their legitimate goals. The Data Protection Commission has prepared the following guidance on the use of these techniques.
Data Protection Commission (DPC) - Data Processing Operations that require a Data Protection Impact Assessment
The Data Protection Commission has published guidance for controllers and processors (PDF) whose business activities may require them to carry out a Data Protection Impact Assessment.
Data Protection Commission (DPC) - Five Steps To Secure Cloud-based Environments
Cloud-based environments offer many advantages to organisations; however, they also introduce a number of technical security risks which organisations should be aware of, including data breaches, hijacking of accounts, and unauthorised access to personal data. Organisations should determine and implement a documented policy and apply the appropriate technical security and organisational measures to secure any cloud-based environments they utilise. The DPC has prepared guidance to assist organisations understand their obligations with regard to the security of personal data, and to mitigate their risks when utilising a cloud-based environment.
Data Protection Commission (DPC) - Guidance for Controllers on Data Security
Data controllers in the private and public sectors hold increasing amounts of personal data on individuals. The decreasing cost of electronic storage and processing has greatly contributed to this. Organisations also increasingly outsource data processing to third party processors to undertake on their behalf. Many organisations also continue to hold large quantities of personal data in manual form - often in off-site locations. The following guidance has been prepared to aid data controllers and processors to ensure they meet their obligations with regard to the security of personal data they process.
Data Protection Commissioner (DPC) - Transfers of Personal Data from Ireland to the UK in the Event of a No-Deal Brexit
Brexit, particularly in the case of a 'No Deal' scenario, may have an impact on the data protection obligations of Irish entities which transfer personal data to the UK (including Northern Ireland). The DPC has prepared this guidance note to assist those who might transfer personal data to the UK to understand the impact of a 'No Deal' Brexit on their data protection obligations.
Data Protection Commissioner - Transfers of Personal Data to Third Countries or International Organisations
The transfer of personal data from the EU to controllers and processors located outside the EU in third countries should not undermine the level of protection of the individuals concerned. Therefore, transfers to third countries or international organisations should be done in full compliance with Chapter V of the General Data Protection Regulation (GDPR), which covers 'Transfers of personal data to third countries or international organisations'. The DPC has prepared the following guidance on the provisions in Chapter V GDPR.
UK Data Service - GDPR Research & Archiving FAQ
This document seeks to answer many of the frequently asked questions which researchers may have about the General Data Protection Regulations (GDPR).
Health Research Board (HRB) - GDPR guidance for health researchers
HRB guidance for educational and informational purposes only. Please note, this is not legal advice.

Irish Health Research Regulations

Research using health related personal data

Ireland has introduced detailed Health Research Regulations (HRR) that anyone, who works with health - related personal data needs to be aware of.

Key messages

The Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018, commonly referred to as the Health Research Regulations (HRR) apply to all health research being carried out in Ireland. These regulations have been brought in under the GDPR which gives EU Member States the right to modify rules for research.
Under the Irish regulations, there is a firm requirement to have explicit consent of data subjects for health research as a ‘safeguard’. This is in addition to other suitable and specific measures. Health research projects of substantial public interest, where explicit consent is not feasible to obtain, need to apply to the Health Research Consent Declaration Committee (HRCDC)
Any collaborative research where more than one organisation can make decisions on how and why personal data is processes, should put joint controller agreements in place, which clearly define each party’s roles and responsibilities in terms of data protection obligations.
A Data Protection Impact Assessment (‘DPIA’) will normally be required for Health Research under the Health Research Regulations and as part of your ethics application. DPIAs need to outline the rationale for the research you plan to undertake. They identify and assess risks to data subjects and develop risk mitigating measures to ensure compliance with data protection. The types of items that will be considered in a DPIA are: types and quantities of data collected; data flows and disclosures; data minimisation technologies and security.
You should ensure you and your research partners have considered all your obligations in terms of the legislation and that you have agreed processes and procedures in place for handling of any requests, such as access requests, and these are documented within agreements as needed.
Researchers are required to submit health research projects to an appropriate UCD research ethics committee for ethical review i.e., HREC-HS and HREC-LS.
An application that is not compliant with the Health Research Regulations and GDPR cannot be approved by the UCD HRECs (or AREC where appropriate). Data protection issues must be addressed in applications for ethical approval.

Please note, this is not legal advice.

UCD GDPR - Irish Health Research Regulations
Department of Health - Guidance on information principles for informed consent for the processing of personal data for health research [pdf]
S.I. No. 314/2018 - Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018
Health Research Consent Declaration Committee (HRCDC)
UCD Office of Research Ethics
Policies and guidelines for researchers at UCD, as well as information on ethical best practice.
Health Research Board (HRB) Guidance on Health Research Regulation
Guidance on Health Research Regulation
Health Research Board (HRB) - Explicit consent
Explicit consent in GDPR
Health Research Board (HRB) - Suitable and specific measures
Required to safeguard an individual's fundamental rights and freedoms when undertaking the processing of personal data for health research purposes - Health Research Regulations 2018, Regulation 3(1)(a)-(e)