Notes from the IAPP Europe Managing Director, 21 June 2019
Greetings from Dublin, where summer has arrived at last … though that may change in a nanosecond!
It’s a busy time for privacy pros in Ireland’s health care sector at the moment. They are working hard to not just comply with the EU General Data Protection Regulation, but also to roll out a new framework when processing data for health research.
The Irish government’s Health Research Regulations 2018 apply in addition to the GDPR and the Data Protection Act 2018, so organizations are now creating processes to ensure that they comply with all regimes, in addition to any other regulations relating to health research and clinical trials (including the Clinical Trials Regulation — EU Regulation 536/2014 — due to commence in 2020).
In summary, the Health Research Regulations set out “suitable and specific measures” to be implemented when processing personal data for health research. These measures include a requirement that personal data is not processed in such a way that causes damage or distress to data subjects. Governance structures must be in place, including processes for ethical approval; compliance with the GDPR; and specification of the controller, funders and those with whom the personal data will be shared (even where the data is anonymized or pseudonymized). There is also a requirement to provide data protection training to researchers.
Furthermore, specific processes must be in place for the management and conduct of health research, including DPIAs, data minimization, access controls, and security measures and compliance with the GDPR. An important issue is the requirement to obtain the explicit consent of data subjects. While consent is just one of the lawful bases under which health data can be processed under Articles 6 and 9 of the GDPR, under the Health Research Regulations in Ireland, organizations must obtain the explicit consent of data subjects to process their personal data for the purposes of health research, even where another lawful basis under Articles 6 and 9 of the GDPR exists.
There is an exemption to the requirement to obtain explicit consent under the regulations where organizations apply for a “consent declaration.” This involves the government’s Consent Declaration Committee assessing the proposed research and finding that explicit consent is not required because the public interest in carrying out the research outweighs the public interest in requiring explicit consent. Utilizing this exemption may prove to be an arduous task, however, due to the extent of the information to be provided with the application and the conditions to be fulfilled in advance of the application. There is also a transition period allowed for research that commenced before 8 Aug. 2018, when organizations must obtain the explicit consent of the data subjects before 7 Aug. 2019 or seek a consent declaration.
The regulations go over and above the GDPR and may result in delays to research projects, certainly at the beginning stages while organizations implement the necessary processes and await consent declarations from the Consent Declaration Committee. At this point, most organizations engaged in health research in Ireland should have assessed their ongoing health research projects and determined whether appropriate levels of consent have been obtained or whether they must make an application for an exemption before the August deadline. DPOs must make sure that they are included in the process also. There’s never a dull moment for privacy pros!