Explicit consent required to use personal data for health research purposes
New Regulations require organisations to obtain an individual’s explicit consent in advance of processing personal data for health research purposes. The Regulations, known as the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (SI 314/2018), set out a number of mandatory suitable and specific safeguards to be put in place when processing personal data for health research purposes. The Regulations came into effect on 8 August 2018.
The GDPR requires certain processing activities (including processing for scientific research purposes) to be subject to the implementation of “suitable and specific measures” to safeguard the fundamental rights and freedoms of individuals. Section 36(1) of the Data Protection Act 2018 provides a toolbox of measures for possible application in such cases, whilst section 36(2) provides that certain toolbox measures may be imposed by means of Regulations in respect of certain processing activities. The Regulations were made pursuant to section 36(2) and set out the safeguards to be put in place to process personal data for health research. These safeguards are separate from the requirements in the GDPR to have a lawful processing ground pursuant to Article 6 and to meet a special category processing condition in Article 9 of the GDPR in order to process health data.
What is “health research”?
“Health research” is defined as any of the following scientific research for the purpose of human health:
research with the goal of understanding normal and abnormal functioning, at molecular, cellular, organ system and whole body levels;
research that is specifically concerned with innovative strategies, devices, products or services for the diagnosis, treatment or prevention of human disease or injury;
research with the goal of improving the diagnosis and treatment (including the rehabilitation and palliation) of human disease and injury and of improving the health and quality of life of individuals;
research with the goal of improving the efficiency and effectiveness of health professionals and the health care system, and
research with the goal of improving the health of the population as a whole or any part of the population through a better understanding of the ways in which social, cultural, environmental, occupational and economic factors determine health status.
Health research may include action taken to establish whether an individual may be suitable for inclusion in the above types of research.
What “suitable and specific measures” must be in place?
A controller who is processing or further processing personal data for health research purposes must put the following “suitable and specific measures” in place:
(a) arrangements to ensure the personal data is not processed in a manner that causes or is likely to cause damage or distress to data subjects;
(b) appropriate governance structures including: (i) ethical approval of the health research by a research ethics committee; (ii) specification of the controller involved; (iii) compliance by joint controllers with Article 26 of the GDPR; (iv) specification of any data processors involved; (v) specification of any third party funding or otherwise supporting the project; (vi) specification of any other person with whom it is intended to share any personal data (including pseudonymised or anonymised data) and the purpose of such sharing; and (vii) provision of training in data protection law and practice to those individuals involved in carrying out the health research;
(c) the following processes and procedures: (i) carrying out an assessment of the data protection implications of the health research; (ii) where the assessment indicates a high risk to individuals’ rights, the carrying out of a Data Protection Impact Assessment (DPIA); (iii) data minimisation measures (e.g. pseudonymisation); (iv) access controls to prevent unauthorised consultation, alteration, disclosure or erasure of personal data; (v) audit trail logs; (vi) security measures; (vii) anonymisation, archiving or destruction of personal data once the health research has been completed; and (viii) other technical and organisational measures to ensure compliance with the GDPR;
(d) arrangements to ensure that personal data are processed in a transparent manner, and
(e) the data subject’s “explicit consent” prior to processing of his/her personal data for a specified health research purpose or more generally in that area.
What constitutes “explicit consent”?
The Article 29 Working Party Guidance on Consent states that the term ‘explicit’ means that the data subject must give an express statement of his or her consent. The Regulations require explicit consent to be obtained in accordance with the GDPR’s formal definition of consent in Article 4(11). The consent should also meet the conditions specified in Article 7 of the GDPR.
Is the explicit consent of a data subject always required in order to process personal data for health research purposes?
A controller, who processes or further processes personal data for health research purposes which commenced on or after 8 August 2018, may apply to a Committee (appointed by the Minister of Health) for a declaration that the data subject’s consent is not required where he or she is of the view that the public interest in carrying out the research significantly outweighs the public interest in requiring the explicit consent of the data subject.
A controller making such an application must carry out a Data Protection Impact Assessment (DPIA) and obtain ethical approval of the health research from a research ethics committee. The application must be made in writing to the Committee and the information furnished must:
(a) clearly identify that: (i) the controller has a lawful basis for the processing of the personal data under Article 6 of the GDPR, and (ii) the controller meets one of the special category data processing conditions in Article 9(2);
(b) clearly identify the controller or joint controllers and the division of responsibilities within the meaning of Article 26;
(c) demonstrate: (i) the health research requires the personal data to be obtained and processed rather than anonymised data; (ii) the processing of the personal data will not cause, or be likely to cause, the data subject any damage or distress; (iii) the personal data will only be collected and used to the extent necessary for the attainment of the research objective; (iv) the personal data will not be disclosed other than as required by law or where the data subject has given his/her explicit consent; (v) the suitable and specific measures required by the Regulations will be put in place before the health research commences; (vi) a data protection officer has been appointed in relation to the health research, and (vii) ethical approval from a research ethics committee has been received;
(d) include a copy of the result of the DPIA, with reference to any possible data linkages and details of any consultations undertaken with potential data subjects, and
(e) demonstrate that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject, and include a statement setting out the reasons why it is not proposed to seek the consent of the data subject.
Is a controller who is carrying out health research that commenced prior to 8 August 2018 required to obtain the explicit consent of data subjects?
A controller who is carrying out health research that commenced prior to 8 August 2018, who processes or further processes personal data for that health research after 8 August 2018, must as soon as practicable, and no later than 30 April 2019, obtain the explicit consent of the data subject for the processing. Such a controller may apply to the Committee for a declaration that explicit consent by a data subject is not required where the controller – (a) is of the view that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject, or (b) obtained the consent of the data subject to his or her personal data being processed for health research purposes in accordance with the Data Protection Directive 95/46/EC (the Directive) and the Data Protection Acts 1988 and 2003 (the Acts) and that consent has not been withdrawn.
Where the controller’s application relates to the grounds specified in (b), the controller is required to provide written information to the Committee demonstrating that he/she has made reasonable efforts to contact the data subject who previously provided consent for the health research under the Directive or the Acts for the purposes of re-obtaining consent from that data subject.
Declaration by Committee
The Committee shall consider an application by a controller as soon as practicable following receipt of it, and may: (a) make a declaration; (b) make a declaration subject to certain conditions in order to protect the interests of data subjects; or (c) refuse to make a declaration. The Committee may revoke a declaration where the conditions it imposes are not being met. An applicant may appeal a decision of the Committee and request the Minister of Health to establish an Appeal Panel for the purposes of considering such an appeal. That Panel may confirm, vary or allow the appeal, and shall stand dissolved once it has made and notified its decision.
Consenting to participation in health research activities in clinical trials
Where a data subject consents to participation in health research activities in clinical trials, the relevant provisions of EU Regulation 536/2014 on Clinical Trials on Medicinal Products for Human Use, repealing Directive 2001/20/EC, shall apply and the processing of personal data related to those clinical trials shall be in accordance with that Regulation. Consent is covered in detail in that Regulation.
The Data Protection Commission (DPC) has always advocated anonymisation of patient records and/or freely given and informed patient consent as best practice in regard to the use of personal data for health research (see the DPC’s Guidance on research in the health sector, 2007). It will now be a mandatory requirement to obtain such consent prior to undertaking health research, subject to any declaration otherwise by the Committee.