Ireland: Health Check For Health Research Regulations 2018

Last Updated: 12 June 2019
Article by Colin Rooney, Hugh McCarthy and Eoghan Clogher
Most Read Contributor in Ireland, July 2019

The Department of Health recently published an update on the Health Research Regulations 2018, which will be of significant interest to those involved in "health research", including in the area of clinical trials.

This is to be welcomed and represents an opportunity for the Department to address some of the more challenging aspects of the Health Research Regulations based on input from relevant stakeholders, including hospitals and the wider research community.

1. The Health Research Regulations – A recap

The Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. 314/2018) (the "Health Research Regulations" or the "Regulations") were adopted on 8 August 2018, just three months after commencement of the General Data Protection Regulation ("GDPR"). As explained in our previous briefing (available here), the Regulations introduced material changes to the rules governing how health research can be conducted in Ireland.

The key changes introduced were as follows:

  1. A new statutory definition of "Health Research";
  2. Prescribing a list of mandatory "suitable and specific measures" that must be adopted when processing personal data for Health Research purposes, including a general requirement that "explicit consent" be obtained from data subjects; and
  3. Identifying exceptional circumstances in which the explicit consent requirement is not required and laying down a detailed process to be followed in such cases.

2. The legislative backdrop to the Health Research Regulations

Before considering the Department's recent update, it is worth briefly considering the legislative backdrop to the Health Research Regulations. The GDPR defines genetic data as "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question".

The GDPR expressly includes such "genetic data" as a special category of personal data ("SCPD"), meaning it is subject to a higher standard of data protection. In particular, this requires that one or more of the conditions under Article 9 of the GDPR must be met in order to legitimise the processing of genetic data. Article 9(2)(a) provides that explicit data subject consent is one such condition, while others potentially suitable in a Health Research context are as follows:

  • Article 9(2)(i), which permits such processing where "necessary for reasons of public interest in the area of public health... ensuring high standards of quality and safety of health care and of medicinal products or medical devices"; and/or
  • Article 9(2)(j), which permits processing that is "necessary for ...scientific research purposes... in accordance with Article 89(1)" (and subject to various obligations flowing from Article 89 GDPR).

Under the Irish Data Protection Act 2018 (the "2018 Act"), the processing of SCPD, including for the purpose referenced above is subject to the adoption of "suitable and specific measures" (or "SSMs"). Section 36 of the 2018 Act contains a non-exhaustive list of SSMs intended to "safeguard the fundamental rights and freedoms of data subjects". Significantly, section 36(2) also allows for the adoption of Ministerial regulations prescribing additional SSMs applicable to certain categories of personal data or types of processing. Relying on this enabling provision, the Minister for Health introduced the Health Research Regulations in August 2018.

3. Taking the temperature of the Health Research Regulations

To be clear, section 36(2) of the 2018 Act is an enabling provision and does not require the Minister to introduce measures further to those already required by:

  • Article 9 of the GDPR, which specifies the conditions for processing SCPD generally;
  • Article 89 of the GDPR, which imposes additional requirements when processing personal data for research purposes including Health Research purposes; and
  • The various provisions of the 2018 Act, including sections 36, 42, 53 and 54, which already impose specific obligations on data controllers when processing SCPD for Health Research purposes (1).

In a recent paper published by the Irish Journal of Medical Science and commissioned by the Irish Academy of Medical Science ("GDPR: an impediment to research", available here), eight prominent physicians involved in medical research addressed some of the difficulties generated by the Health Research Regulations from a clinical perspective. While the paper considers the operational issues surrounding the workload, resourcing and structure of the Health Research Consent Declaration Committee (the "Committee"), it also addresses the clinical challenges now posed in relation to medical research involving: (i) retrospective chart reviews; (ii) biobanks; and (iii) where data subjects lack capacity to give consent (such in the field of emergency medicine). The paper ultimately proposes a set of proposals that the authors state would "safeguard patients' rights while at the same time protecting their access to newer treatments and diagnostics". In this context it worth recalling that the GDPR articulates the principle that "the processing of personal data should be designed to serve mankind" and "must be considered in relation to its function in society and be balanced against other fundamental rights" (Recital 4, GDPR). While the Department of Health's recent update on the Health Research Regulations is therefore to be welcomed, any proposals should be framed to strike an appropriate balance between data protection and the important public interest benefits of Health Research.

4. The Department's Update – extension for ongoing Health Research

As noted above, in certain circumstances, the Regulations allow for an exception to the requirement to obtain explicit data subject consent for Health Research. Instead data controllers may seek a declaration from the Committee (officially known as the "Health Research Consent Declaration Committee"), and appointed by the Minister for Health, where the public interest in carrying out the research is deemed to significantly outweigh the public interest in requiring the explicit consent of the data subject (a "Committee Declaration"). However, obtaining a Committee Declaration is quite an involved process under the procedures set out in Regulations 5 and 6 (and may take considerable time given the expected workload, resourcing and structure of the Committee). Eligibility for this exception is dependent on whether the Health Research commenced on, before or after 8 August 2018.

To be clear, a Committee Declaration does not remove the requirement to put in place the other SSMs mandated by the Regulations; it merely removes the explicit consent requirement.

For present purposes, where the Health Research was commenced prior to 8 August 2018, but the controller processes or further processes personal data after this date, in these circumstances, the controller must either:

  • apply for a Committee Declaration that explicit consent from the data subject is not required on one of two grounds; or
  • obtain explicit consent of data subject as soon as practicable and no later than 30 April 2019.

In light of delays in establishing the Committee, the Department of Health has now stated it is in the process of seeking an extension to the period under Regulation 6 for consent in relation to ongoing research and related applications to the Committee. As the Department's update explains, extending the specified date requiring explicit consent for ongoing research beyond 30 April would allow for applications for a Consent Declaration to be made in an orderly and timely way to the Committee and importantly will allow the recently appointed Committee further time to conduct its deliberations. Given that the Committee held its first meeting and induction session on 27 March last this extension is sensible. This proposed change will be welcomed by those undertaking ongoing Health Research that commenced prior to 8 August 2018.

It is worth noting that the Committee publishes on its website a list of all applications for Committee Declarations that it considers (available here).

5. Proposed amendments – A clean Bill of Health for the health Research Regulations?

Separately, arising from its active engagement with relevant stakeholders in the research community, the Department of Health has also confirmed that it is currently consulting with the DPC on certain matters, an exercise which the Department has said "may" lead to amendments to the Health Research Regulations.

The specific areas of the Regulations, which the Department's update confirmed are under consideration include:

5.1 Optimisation of the use of administrative data:

An amendment to facilitate disclosure of pseudonymised personal data for secondary Health Research purposes in the absence of explicit consent and where re-identification is not permitted (which is in keeping with several provisions of the GDPR and 2018 Act on research purposes).

5.2 Mechanism for retrospective chart review studies:

The Department has advised that it is seeking to introduce a mechanism that allows for retroactive chart review studies to be carried out in the data controller's organisation and by health practitioners and employees of that organisation. Under this proposal, healthcare staff involved in the care and treatment of patients (plus other employees subject to a duty of confidentiality), would be permitted to engage in pre-screening without the explicit consent of the relevant data subject(s).

5.3 Greater clarity regarding pre-screening:

Greater clarity will be sought as to pre-screening for the purpose of assessing eligibility and suitability for inclusion in Health Research. The amendment will also seek to facilitate other "approved" researchers engaging in pre-screening subject to specified privacy safeguards.

5.4 Consent in emergency care intervention studies:

An amendment is sought to address the challenge of collecting explicit consent versus "deferred" consent in emergency care intervention studies.

5.5 Processing data where an adult lacks capacity:

The Department has also requested that a workable basis for processing personal data for Health Research where an adult lacks the capacity to consent to the processing be found (reflecting the values and principles as set out in the Assisted Decision-Making (Capacity) Act 2015).

6. Next Steps

While informed data subject consent should remain the bedrock of Health Research, subject to appropriate safeguards being put in place, it is important that the law facilitates Health Research in circumstances where it is not feasible or appropriate to obtain a GDPR standard of explicit consent. Otherwise there is a risk that a consent-only based approach would represent an impediment to important health research without enhancing the protection of patients' or trial participants' personal data.

In any event, before becoming law, any amendments to the Health Research Regulations will have to undergo a formal consultation process, involving the Department of Health as well as the DPC, the Department of Justice and Equality and the Attorney General's Office. The Department has stated that it will seek to keep the research community updated and informed as a matter of priority through the Health Research Consent Declaration Committee website: https://hrcdc.ie/. In making such amendments it would be sensible for these parties to take on board the insights and practical challenges faced by the wider research community. Accordingly, it may yet be some time yet before these amendments get a clean bill of health!

(1) Such measures already include: (i) data minimisation; (ii) de-identification, to the extent possible; (iii) access controls and logging mechanisms; and (iv) enhanced security measures such as encryption and pseudonymisation of personal data.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions