S.I. No. 314/2018 - Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018


Notice of the making of this Statutory Instrument was published in “Iris Oifigiúil” of 10th August, 2018.

I, SIMON HARRIS, Minister for Health, in exercise of the powers conferred on me by section 36 (2) of the Data Protection Act 2018 (No. 7 of 2018), and having duly complied with subsections (5)(b) and (6) of section 36 of the Data Protection Act 2018, hereby make the following regulations:

1. (1) These Regulations may be cited as the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018.

(2) These Regulations shall come into operation on 8 August 2018.

2. (1) In these Regulations—

“appeal panel” means a panel established by the Minister under Regulation 11(2);

“appellant” has the meaning given to it by Regulation 11(1);

“applicant” has the meaning given to it by Regulation 8(1);

“Committee” means the committee of persons appointed by the Minister under Regulation 7;

“declaration” means a declaration referred to in Regulation 5(2) or 6(5);

“health research” has the meaning given to it by Regulation 3(2);

“Minister” means the Minister for Health;

“research ethics committee” has the meaning given to it by Regulation 4(3).

(2) Unless the context otherwise requires, a reference to a numbered Article is a reference to the Article so numbered in the Data Protection Regulation.

3. (1) A controller who is processing or further processing personal data for the purposes of health research shall ensure that the following suitable and specific measures are taken to safeguard the fundamental rights and freedoms of the data subject:

(a) arrangements are in place so that personal data shall be processed as is necessary to achieve the objective of the health research and shall not be processed in such a way that damage or distress is, or is likely to be, caused to the data subject;

(b) appropriate governance structures for the carrying out of the health research are in place, including—

(i) ethical approval of the health research by a research ethics committee,

(ii) specification of the controller involved,

(iii) in the case of joint controllers within the meaning of Article 26, compliance with Article 26,

(iv) specification of any data processors involved,

(v) specification of any person who provides funding for, or otherwise supports, the project,

(vi) specification of any person (other than a person in clause (iii) or (iv)) with whom it is intended to share any of the personal data collected (including where it has been pseudonymised or anonymised) and the purpose of such sharing,

(vii) provision of training in data protection law and practice to those individuals involved in carrying out the health research;

(c) the following processes and procedures relating to the management and conduct of the health research are in place:

(i) the carrying out of an assessment of the data protection implications of the health research;

(ii) where the assessment carried out under clause (i) indicates a high risk to the rights and freedoms of individuals, the carrying out of a data protection impact assessment;

(iii) measures that demonstrate compliance with the data minimisation principle in Article 5(1)(c);

(iv) controls to limit access to the personal data undergoing processing in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data;

(v) controls to log whether and by whom personal data have been consulted, altered, disclosed or erased;

(vi) measures to protect the security of the personal data concerned;

(vii) arrangements to anonymise, archive or destroy personal data once the health research has been completed;

(viii) other technical and organisational measures designed to ensure that processing is carried out in accordance with the Data Protection Regulation, together with processes for testing and evaluating the effectiveness of such measures;

(d) arrangements to ensure that personal data are processed in a transparent manner are identified and in place;

(e) explicit consent has been obtained from the data subject, prior to the commencement of the health research, for the processing of his or her personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof.

(2)(a) In paragraph (1), “health research” means any of the following scientific research for the purpose of human health:

(i) research with the goal of understanding normal and abnormal functioning, at molecular, cellular, organ system and whole body levels;

(ii) research that is specifically concerned with innovative strategies, devices, products or services for the diagnosis, treatment or prevention of human disease or injury;

(iii) research with the goal of improving the diagnosis and treatment (including the rehabilitation and palliation) of human disease and injury and of improving the health and quality of life of individuals;

(iv) research with the goal of improving the efficiency and effectiveness of health professionals and the health care system;

(v) research with the goal of improving the health of the population as a whole or any part of the population through a better understanding of the ways in which social, cultural, environmental, occupational and economic factors determine health status;

(b) Health research referred to in clause (i) to (v) of subparagraph (a) may include action taken to establish whether an individual may be suitable for inclusion in the research.

4. (1) Health research to which these Regulations apply shall be regarded as commencing on the day that the research receives ethical approval from a research ethics committee.

(2) For the purposes of these Regulations, any of the following issues associated with health research which form the basis of consideration for ethical approval by a research ethics committee shall be an ethical issue:

(a) whether the health research is likely to substantially assist in—

(i) the advancement or protection of human health, whether of the population as a whole or of any part of the population,

(ii) the scientific understanding of human health,

(iii) the understanding of social factors affecting human health,

(iv) the identification, prevention or treatment of illness, disease or other medical impairment, or

(v) the effective management of health services, including improvements in the delivery of those services;

(b) whether the controller proposing to carry out the health research has identified and assessed the potential benefits and risks associated with the health research;

(c) whether the controller proposing to carry out the health research will make every effort to ensure that the participation of individuals in the health research will be informed and voluntary;

(d) whether the controller proposing to carry out the health research is qualified to carry out the research concerned;

(e) whether there are adequate safeguards in place to protect the privacy of individuals participating in the health research and the confidentiality of their personal data;

(f) whether the research methodology proposed is, in the view of the research ethics committee, appropriate;

(g) whether any controller who will be carrying out the health research concerned is independent of any person who provides funding for, or otherwise supports, the project;

(h) any other matter relating to the health research concerned that, in the view of the research ethics committee, will undermine public confidence in health research generally.

(3) In this Regulation “research ethics committee” means a committee to consider the ethical issues associated with health research established by one or jointly by more than one person or body that—

(a) is a Minister of the Government,

(b) is a body established under—

(i) an Act of the Oireachtas,

(ii) a statute that was in force in Saorstát Eireann immediately before the date of the coming into operation of the Constitution and that continues in force by virtue of Article 50 of the Constitution, or

(iii) an instrument made under an Act of the Oireachtas or a statute referred to in clause (ii),

(c) is an institution of higher education within the meaning of section 1(1) of the Higher Education Authority Act 1971 (No. 22 of 1971),

(d) has as its principal activity—

(i) the provision, management or development of a health practitioner (within the meaning of the Health Identifiers Act 2014 (No. 15 of 2014)), or

(ii) the carrying out of social and economic or health research.

5. (1) A controller proposing to process or further process personal data for the purposes of health research which commenced on or after 8 August 2018 may apply to the Committee, in accordance with paragraph (4), for a declaration where he or she is of the view that the public interest in carrying out the research significantly outweighs the public interest in requiring the explicit consent of the data subject under Regulation 3(1)(e).

(2) A declaration for which a controller may apply under paragraph (1) is a declaration by the Committee that explicit consent by a data subject is not required by the controller.

(3) A controller making an application under paragraph (1) shall, prior to making that application—

(a) carry out a data protection impact assessment in accordance with Article 35(1), and

(b) obtain ethical approval of the health research from a research ethics committee.

(4) An application under paragraph (1) shall be made in writing to the Committee and the controller making the application shall as part of that application furnish the following to the Committee:

(a) written information that clearly identifies—

(i) that the controller has a valid and lawful basis for the processing of the personal data, and

(ii) that the controller meets one of the conditions in Article 9(2);

(b) written information that clearly identifies the controller and, where there are joint controllers, the division of responsibilities within the meaning of Article 26;

(c) written information demonstrating that—

(i) the health research requires that personal data of a type specified be obtained and processed rather than anonymised data,

(ii) the personal data will not be processed in such a way that damage or distress is, or is likely to be, caused to the data subject,

(iii) the collection and use of the personal data will go no further than is necessary for the attainment of the research objective,

(iv) there will be no disclosure of the personal data unless that disclosure is required by law or the data subject has given his or her explicit consent to the disclosure,

(v) measures set out in Regulation 3(1)(b)(iv) to (vii), 3(1)(c)(iii) to (viii) and 3(1)(d) have been identified and will be put in place before the health research commences,

(vi) a data protection officer has been appointed in relation to the health research, and

(vii) ethical approval from a research ethics committee has been received;

(d) a copy of the result of the data protection impact assessment that has been carried out, with particular reference to the possibility of data linkages and details of any consultations undertaken with potential data subjects;

(e) written information demonstrating that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject under Regulation 3(1)(e) together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research.

(5) The Committee may, only where it is satisfied that the public interest in carrying out the research significantly outweighs the public interest in requiring the explicit consent of the data subject, and that all the requirements in paragraphs (3) and (4) have been met, make a declaration.

(6) A declaration made under paragraph (5) shall be subject to such conditions as the Committee considers necessary to protect the interests of a data subject likely to be affected by the declaration.

6. (1) A controller who is carrying out health research that commenced prior to 8 August 2018 who processes or further processes personal data for the purposes of that health research after 8 August 2018 shall, as soon as practicable and no later than 30 April 2019, have explicit consent of the data subject for the processing of his or her personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof.

(2) For the purpose of this Regulation, explicit consent shall be consent obtained in accordance with Article 4.

(3) The explicit consent referred to in paragraph (1) shall be a suitable and specific measure for the purpose of safeguarding the fundamental rights and freedoms of the data subject.

(4) A controller referred to in paragraph (1) may apply to the Committee for a declaration where the controller—

(a) is of the view that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject under paragraph (1), or

(b) obtained the consent of the data subject to his or her personal data being processed for the purpose of the health research in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995[1] and the Data Protection Acts 1988 and 2003 and that consent has not been withdrawn.

(5) A declaration for which a controller may apply under paragraph (4) is a declaration by the Committee that explicit consent by a data subject is not required by the controller.

(6) A controller making an application under paragraph (4) shall carry out a data protection impact assessment in accordance with Article 35(1).

(7) An application under paragraph (4) shall be made in writing to the Committee and the person making the application shall as part of that application furnish the following to the Committee:

(a) written information that clearly identifies—

(i) that the controller has a valid and lawful basis for the processing of the personal data, and

(ii) that the controller meets one of the conditions in Article 9(2);

(b) written information that clearly identifies the controller and, where there are joint controllers, the division of responsibilities within the meaning of Article 26;

(c) written information demonstrating that—

(i) the health research requires that personal data of a type specified be obtained and processed rather than anonymised data,

(ii) the personal data will not be processed in such a way that damage or distress is, or is likely to be, caused to the data subject,

(iii) the collection and use of the personal data will go no further than is necessary for the attainment of the research objective,

(iv) there will be no disclosure of the personal data unless that disclosure is required by law or the data subject has given his or her explicit consent to the disclosure,

(v) measures referred to in Regulation 3(1)(b)(iv) to (vii), 3(1)(c)(iii) to (viii) and 3(1)(d) have been identified and will be put in place before the health research continues,

(vi) a data protection officer has been appointed in relation to the health research, and

(vii) ethical approval from a research ethics committee has been received;

(d) a copy of the result of the data protection impact assessment that has been carried out, with particular reference to the possibility of data linkages and details of any consultations undertaken with potential data subjects;

(e) written information—

(i) where the application relates to the grounds specified in paragraph 6(4)(a), demonstrating that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject under paragraph (1) together with a statement setting out the reasons why it is not proposed to seek the consent of the data subject for the purposes of the health research,

(ii) where the application relates to the grounds specified in paragraph 6(4)(b), demonstrating that the controller has made reasonable efforts to contact the data subject who previously provided consent for the health research in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995[2] and the Data Protection Acts 1988 and 2003 for the purposes of reobtaining consent from that data subject.

(8) The Committee may only make a declaration where it is satisfied that—

(a) all the requirements under paragraphs (6) and (7) have been met, and

(b)(i) the public interest in continuing to carry out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject, or

(ii) the data subject consented to their personal data being processed for the purpose of the health research in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995[3] and the Data Protection Acts 1988 and 2003 and that consent has not been withdrawn.

7. (1) The Minister shall appoint a committee of persons (in this Regulation referred to as the “Committee”), to make a decision on an application under Regulation 5 or 6.

(2) The provisions of the Schedule shall apply to the Committee.

8. (1) The Committee shall consider an application by a controller (in this Regulation referred to as the “applicant”) under Regulation 5 or 6 as soon as practicable following receipt of it.

(2)(a) The Committee may, by notice in writing request further information from the applicant as it may require to consider the application, including any evidence that it may reasonably require to verify any particulars or information furnished as part of the application.

(b) Where an applicant does not comply with a request under subparagraph (a) within 15 working days of the request being made, the Committee shall refuse the application.

(3) The Committee may consult with any person who it believes can assist it in the consideration of an application.

(4) Having considered an application under Regulation 5 or 6, the Committee shall—

(a) make a declaration,

(b) make a declaration subject to such conditions as the Committee considers necessary to protect the interests of data subjects likely to be affected by the approval of the application, or

(c) refuse to make a declaration.

(5) The Committee shall give a notice in writing to the applicant notifying the applicant—

(a) of its decision and the reasons for making the decision, and

(b) where the Committee attaches conditions to a declaration or refuses to make a declaration, that the applicant may appeal that decision under Regulation 11(1).

9. A person who has been notified by the Committee that a declaration has been made in respect of his or her application under these Regulations shall confirm in writing to the Committee his or her acceptance of the declaration within 30 working days of the date of the notification of the decision and where such confirmation is not received by the Committee within that period the declaration shall lapse.

10. (1) The Committee may revoke a declaration where it is satisfied that the conditions imposed by it are not being met.

(2) Before proceeding under paragraph (1) the Committee shall give a notice in writing to the person to whom the declaration was made notifying the person—

(a) of the Committee’s intention to revoke the declaration,

(b) of the reasons for the proposed revocation, and

(c) that the person may make written representations to the Committee, within 10 working days of the date of the giving of the notice, as to why the declaration should not be revoked.

(3) The Committee shall not proceed under paragraph (1) before the expiry of the period referred to in paragraph (2)(c).

(4) The Committee shall consider written representations received under paragraph (2)(c) before deciding whether or not to revoke the declaration.

(5) The Committee shall, as soon as may be after it decides whether or not to revoke the declaration, give notice in writing to the person notifying the person—

(a) of its decision and the reasons for making the decision, and

(b) where a decision is made to revoke the declaration, that the person may appeal that decision under Regulation 11(1).

11. (1) Where the Committee—

(a) attaches conditions to a declaration under Regulation 8(4)(b),

(b) refuses to make a declaration under Regulation 8(4)(c), or

(c) revokes a declaration under Regulation 10(1),

the applicant or, as the case may be, person who is notified under Regulation 10(5) of the decision to revoke a declaration (in this Regulation referred to as the “appellant”), may within 30 working days from the date of the giving of the notice under Regulation 8(5) or 10(5), give a notice in writing to the Minister and the Committee of his or her intention to appeal that decision and request the Minister to establish a panel (in this Regulation referred to as the “appeal panel”) for the purposes of considering such an appeal by that appellant under this Regulation.

(2)(a) The Minister shall, within 40 working days of the date of the receipt of a request in writing from an appellant, establish an appeal panel to consider an appeal made under this Regulation.

(b) Where the Minister considers it appropriate in all the circumstances, an appeal panel may be established to hear and determine more than one appeal.

(3)(a) An appeal panel established under paragraph (2) shall consist of 3 persons, one of whom shall be appointed by the Minister to be the chairperson, who in the opinion of the Minister and having regard to the functions of the appeal panel are suitably qualified.

(b) None of the persons appointed to an appeal panel shall be a person who is a member of the Committee.

(c) An appeal panel shall determine its own procedure.

(4) An appeal made under paragraph (1) shall be considered by the appeal panel as soon as practicable following the establishment of the appeal panel under paragraph (2).

(5) Having considered an appeal under this Regulation the appeal panel shall—

(a) confirm the decision,

(b) vary the decision, or

(c) allow the appeal,

and shall notify the appellant and the Committee of the decision and the reasons for the decision.

(6) An appeal panel, having considered the appeal in relation to which it has been established under paragraph (2) and having made a decision and notified the appellant and the Committee under paragraph (5), shall stand dissolved.

(7) There may be paid by the Minister to the appeal panel such allowances in respect of reasonable expenses properly incurred by it in the performance of its functions as the Minister may, with the consent of the Minister for Public Expenditure and Reform, determine.

12. (1) The Committee shall, not later than 31 March in each year, furnish a report on its activities in the immediately preceding year to the Minister.

(2) The Committee shall publish on a website maintained by it the following—

(a) the names of its members and, where appropriate, their professional details,

(b) information on its processes and procedures,

(c) summary information about applications made to it and scheduled for consideration by the Committee,

(d) minutes of its meetings,

(e) decisions made by the Committee and the appeal panel under these Regulations and the reasons for them,

(f) guidance and other material that relates to its work, and

(g) the report furnished to the Minister under paragraph (1).

13. (1) The Committee may review the operation of declarations made by it or by an appeal panel under these Regulations from time to time and may, for the purpose of that review, seek information from a person to whom a declaration was granted in relation to any aspect connected with the operation of that declaration.

(2) A person to whom a declaration is made shall co-operate with any review carried out under paragraph (1).

14. Nothing in these Regulations shall be construed as imposing an obligation on a person to disclose personal data to a person who processes personal data for the purpose of health research under these Regulations but, where a declaration is made, any disclosure made by the first mentioned person shall not be in breach of any requirement to obtain consent under these Regulations provided that the disclosure is in accordance with the declaration or any condition to which it may be subject.

15. Where a data subject consents to participation in health research activities in clinical trials, the relevant provisions of Regulation (EU) 536/2014 of the European Parliament and of the Council of 16 April 2014[4] on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC shall apply and the processing of personal data related to those clinical trials shall be in accordance with these Regulations.

16. The Minister shall review these Regulations no later than 3 years after the date they come into operation and shall publish a report of the review on a website maintained by him or her.

SCHEDULE

COMMITTEE

Membership

1. (1) The Committee shall have not fewer than 15 persons and not more than 21 persons, including a chairperson, and 2 deputy chairpersons.

(2) The chairperson, deputy chairpersons and ordinary members of the Committee shall be appointed by the Minister.

(3) The Committee shall consist of persons who in the opinion of the Minister, having regard to the functions of the Committee, are suitably qualified, including:

(a) persons with knowledge of data protection law, research ethics, statistics or other relevant knowledge;

(b) persons with experience in healthcare or health research;

(c) persons who are representative of data subjects.

(4)(a) The chairperson and the deputy chairpersons of the Board shall each hold office for the period of 4 years from the date of his or her appointment.

(b) An ordinary member of the Committee shall hold office for the period of 3 years from the date of his or her appointment.

(5) A member of the Committee whose term of office expires by the efflux of time shall be eligible for reappointment to the Committee.

(6) A person who is reappointed to the Committee in accordance with paragraph (5) shall not hold office for more than 2 consecutive terms.

2. (1) A member of the Committee may resign by written notice of resignation signed by him or her to the Minister and the resignation shall take effect on the date of the Committee meeting next held after written notice of resignation is received by the Minister.

(2) The Minister may at any time remove from office a member of the Committee if, in the Minister’s opinion—

(a) the member has become incapable through ill-health of performing his or her functions,

(b) the member has committed stated misbehaviour of a type that would make him or her unsuitable for membership of the Committee,

(c) the removal of the member appears to the Minister to be necessary for the Committee to perform its functions effectively and with public confidence.

(3) If a casual vacancy occurs among the members, the Minister shall appoint a person to fill the vacancy and the person so appointed shall hold office for that period of the term of office of the member who occasioned the casual vacancy concerned that remains unexpired at the date of his or her appointment, or such other period not exceeding 3 years as the Minister may specify.

Meetings

3. (1) The quorum for a meeting of the Committee shall be 7, and at least one of those present shall be the chairperson or a deputy chairperson.

(2) Subject to subparagraph (1), the proceedings of the Committee shall not be invalidated by any vacancy among its members.

4. (1) The chairperson or, in the absence of the chairperson, a deputy chairperson of the Committee, shall convene a meeting of the Committee—

(a) six or more times in any twelve month period,

(b) when requested to do so by a requisition signed by not less than 40 per cent of the members of the Committee, or

(c) when requested to do so by the Minister.

(2) At least 5 working days before a meeting of the Committee, a notice in writing, signed by or on behalf of the chairperson of the Committee, or in the absence of the chairperson, by or on behalf of a deputy chairperson, shall be sent to every member of the Committee which shall specify the agenda for that meeting.

(3) At a meeting of the Committee—

(a) the chairperson of the Committee shall, if present, be the chairperson of the meeting,

(b) if and so long as the chairperson of the Committee is not present, or if that office is vacant, a deputy chairperson shall be the chairperson of the meeting.

Decision Making

5. (1) Every question arising at a meeting of the Committee duly convened shall be determined by a majority of the votes of the members of the Committee present and voting on the question at a meeting of the Committee.

(2) In the case of an equal division of votes on any question arising at a meeting of the Committee, the chairperson of the meeting shall have a second or casting vote.

(3) Where a member of the Committee has a material interest in any matter which falls to be considered by the Committee he or she shall—

(a) disclose to the Committee the nature of the interest in advance of any consideration of the matter,

(b) neither influence nor seek to influence a decision relating to the matter,

(c) withdraw from a meeting or that part of a meeting at which the matter is being discussed or considered, and

(d) take no part in any deliberation or decision relating to the matter.

(4) Where a material interest is disclosed under subparagraph (3), the disclosure shall be recorded in the minutes of the meeting concerned and, for so long as the matter to which the disclosure relates is being dealt with by the meeting, the member of the Committee by whom the disclosure is made shall not be counted in the quorum for the meeting.

(5) Where, at a meeting of the Committee, a question arises as to whether or not a course of conduct, if pursued by a member of the Committee, would constitute a failure by him or her to comply with the requirements of subparagraph (3), the question may, subject to subparagraph (6), be determined by the chairperson of the meeting, whose decision shall be final, and where such a question is so determined, particulars of the determination shall be recorded in the minutes of the meeting.

(6) Where, at a meeting of the Committee the chairperson of the meeting is the person in respect of whom a matter to which subparagraph (3) applies falls to be determined, the other members of the Committee attending the meeting shall choose one of their number to be chairperson of the meeting for the purposes of subparagraph (5).

(7) Where the Minister is satisfied that a member of the Committee has not complied with subparagraph (3), the Minister may remove that member from office and that person shall then be disqualified from being a member of the Committee.

Minutes

6. (1) The chairperson of the meeting shall cause proper minutes of each meeting to be prepared which shall be approved by the Committee at the next Committee meeting and, after they are approved, published on the Committee’s website.

(2) The names of all members present at a meeting of the Committee shall be recorded in the minutes of the meeting.

Expenses

7. (1) The Minister shall provide, or cause to be provided, to the Committee such administrative and secretarial assistance as he or she considers appropriate for the Committee to carry out its tasks under these Regulations and may consult with the chairperson of the Committee on that matter.

(2) There may be paid by the Minister to the Committee such allowances in respect of reasonable expenses properly incurred by it in the performance of its functions as the Minister may, with the consent of the Minister for Public Expenditure and Reform, determine.

Procedures

8. Subject to these Regulations, the Committee shall determine its own procedures.

GIVEN under my Official Seal,

7 August 2018.

SIMON HARRIS,

Minister for Health.

EXPLANATORY NOTE

(This note is not part of the Instrument and does not purport to be a legal interpretation)

These Regulations are made under section 36 of the Data Protection Act 2018. They set out mandatory suitable and specific safeguards that will apply to the processing of personal data for the purposes of health research and for related matters. These safeguards which arise under the General Data Protection Regulation (GDPR) are separate from the requirements in the GDPR to have a ground in Article 6 and to meet a condition in Article 9.

[1] OJ No. L 281, 23.11.1995, p.31

[2] OJ No. L 281, 23.11.1995, p.31

[3] OJ No. L 281, 23.11.1995, p.31

[4] OJ No. L 158, 27.5.2014, p.1