S.I. No. 18/2021 - Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021


Notice of the making of this Statutory Instrument was published in

“Iris Oifigiúil” of 29th January, 2021.

I, STEPHEN DONNELLY, Minister for Health, in exercise of the powers conferred on me by section 36 (2) of the Data Protection Act 2018 (No. 7 of 2018), and having duly complied with subsections (5)(b) and (6) of section 36 of the Data Protection Act 2018 , hereby make the following regulations:

1. These Regulations may be cited as the Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021.

2. In these Regulations, “Principal Regulations” means the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 ( S.I. No. 314 of 2018 ).

3. Regulation 2 of the Principal Regulations is amended, in paragraph (1), by the insertion of the following definition:

“ ‘health practitioner’ has the same meaning as it has in section 2 of the Health Identifiers Act 2014 (No. 15 of 2014);”.

4. Regulation 3 of the Principal Regulations is amended -

(a) in paragraph (1), by the substitution of the following paragraph for paragraph (e):

“(e) subject to Regulations 3A and 3B, explicit consent has been obtained from the data subject, as a suitable and specific measure recorded and retained by the controller, and a copy of which is provided to the data subject prior to the commencement of the health research in accordance with international best practice on the ethical conduct of health research (which includes informed consent, transparency and independent ethical oversight) for the processing of his or her personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof.”, and

(b) in paragraph (2), by the substitution of the following subparagraphs for subparagraph (b):

“(b) Health research referred to in clause (i) to (v) of subparagraph (a) shall include action taken by the controller that has obtained the personal data to establish whether an individual may be suitable or eligible for inclusion in the research and such action shall not require explicit consent or ethical approval by a research ethics committee where such action is in accordance with subparagraph (c).

(c) Explicit consent or ethical approval referred to in subparagraph (b) shall not be required where -

(i) the action is taken by a health practitioner employed by the controller or a person studying to be a health practitioner who is under the direction and control of the controller,

(ii) the action is taken by an employee of the controller (other than a health practitioner in clause (i)) who, in the course of his or her duties for the controller, would ordinarily have access to the personal data of individuals held by the controller that was obtained for the provision of health care to those individuals, or

(iii) subject to subparagraph (d), the action is taken by a person (in this clause referred to as an ‘authorised person’) who is an employee of -

(I) an institution of higher education within the meaning of section 1(1) of the Higher Education Authority Act 1971 (No. 22 of 1971),

(II) a body or person that has as its principal activity the provision, management or development of a health practitioner, or

(III) a registered charitable organisation within the meaning of the Charities Act 2009 (No. 6 of 2009), one of whose objects is to support research and education in the health services,

and that authorised person is under the direction and control of a health practitioner who is an employee of the controller.

(d) An authorised person referred to in subparagraph (c)(iii) may only undertake such action without explicit consent where -

(i) the controller has put in place and made public, including on its website, a process for authorising a person as an authorised person for the purposes of such action,

(ii) the arrangements made by the controller to ensure that personal data are processed in a transparent manner under Regulation 3(1)(d) include where a person has been authorised by the controller as an authorised person, notices and posters on display in those public areas of the data controller’s organisation where individuals attend for the provision of health care stating that -

(I) the controller has appointed an authorised person who may, without explicit consent, access and use the personal data held by the controller for the sole purpose of establishing whether an individual who has been provided with health care from the controller may be suitable or eligible for inclusion in specified health research, and

(II) that any personal data accessed and used by an authorised person without explicit consent shall be only such data that is required to assist in determining the suitability or eligibility of an individual for the inclusion in the research concerned, and

(iii) an agreement has been entered into by the controller with the employer of the authorised person providing that any processing of personal data, without explicit consent, that is not for the purpose of establishing whether an individual may be suitable or eligible for inclusion in specified health research shall be a breach of the terms and conditions of the authorised person’s employment carrying such sanctions as may be specified in the agreement.”.

5. The Principal Regulations are amended by the insertion of the following Regulations after Regulation 3:

“3A. (1) Subject to paragraph (2), the requirement for explicit consent in Regulation 3(1)(e) shall not apply in relation to a retrospective chart review study to be carried out by a controller and approved by a research ethics committee where the committee, as part of that approval, is satisfied and states in writing that the assessment under Regulation 3(1)(c)(i) of the data protection implications of the processing of personal data being carried out by the controller indicates a low risk to the rights and freedoms of individuals.

(2) Paragraph (1) shall apply only where the retrospective chart review study is carried out by -

(a) a health practitioner employed by the controller or a person studying to be a health practitioner who is under the direction and control of the controller, or

(b) an employee of the controller (other than a health practitioner in subparagraph (a)) who, in the course of his or her duties for the controller, would ordinarily have access to the personal data of individuals held by the controller that was obtained for the provision of health care to those individuals.

(3) Where the controller intends to carry out a retrospective chart review study, the arrangements by the controller to ensure that personal data are processed in a transparent manner under Regulation 3(1)(d) must include notices and posters on display in public areas of the data controller’s organisation where individuals attend for the provision of health care stating that -

(a) personal data collected by the controller for the provision of health care to an individual may be used but not disclosed to another person by the controller for the study,

(b) any findings from a study that are published shall not identify an individual whose personal data was used in the study, and

(c) a study will be reviewed and approved by a research ethics committee prior to commencement of the study.

(4) In this Regulation, ‘retrospective chart review study’ means a health research study carried out by a controller on personal data only for the purposes of health research that has already been obtained by that controller for the purposes of the provision of health care to an individual by the controller.

3B. (1) In exceptional circumstances, where the principal purpose of the processing or further processing of the personal data by a controller is necessary for the provision of health care to an individual and necessary to protect the vital interests of the individual, and where the individual is, by reason of his or her physical or mental incapacity, incapable of giving consent at that time, the personal data may also be processed by that controller for a related health research purpose, where that health research has been approved by a research ethics committee, and the requirement for explicit consent under Regulation 3(1)(e) will be deferred until such time as the individual concerned has the capacity to give such consent.

(2) Where the personal data is being processed under paragraph (1) for a health research purpose, the controller must -

(a) seek explicit consent for that processing from the individual as soon as practicable after the personal data is recorded for the health research purpose and the individual is capable of giving explicit consent,

(b) inform the individual as soon as practicable orally and in writing that the personal data is being so processed including information regarding any person that the personal data has been shared with, and where the individual informs the controller that he or she does not wish the personal data to be further processed for a health research purpose the data shall not be so processed and any personal data already processed for the health research purpose only shall be erased, except where to do so would be likely to render impossible or seriously impair the achievement of the objectives of that processing, and

(c) where the data cannot be erased as referred to in subparagraph (b), inform the individual as soon as practicable orally and in writing including the reasons why such data cannot be erased.”.

6. Regulation 4 of the Principal Regulations is amended, in paragraph (3)(d)(i), by the substitution of “health practitioner, or” for “health practitioner (within the meaning of the Health Identifiers Act 2014 (No. 15 of 2014)), or”.

7. Regulation 5 of the Principal Regulations is amended, in paragraph (4)(d), by the substitution of “data subjects, patients and the public” for “data subjects”.

8. Regulation 6 of the Principal Regulations is amended -

(a) in paragraph (1), by the substitution of “Subject to Regulation 6A and paragraph (9), a controller” for “Subject to paragraph (9), a controller”, and

(b) in paragraph (7)(d), by the substitution of “data subjects, patients and the public” for “data subjects”.

9. The Principal Regulations are amended by the insertion of the following Regulation after Regulation 6:

“6A. A controller who is carrying out health research that commenced prior to 8 August 2018 shall not be required to have explicit consent in accordance with Regulation 6 where -

(a) that controller has obtained the consent of the data subject, before that date, to his or her personal data being processed or further processed for the purpose of the specified health research, either in relation to a particular area or more generally in that area or a related area of health research or part thereof, in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 19951 and the Data Protection Acts 1988 and 2003 and that consent has not been withdrawn, and

(b) that controller has a valid and lawful basis in Article 6 for the processing of the personal data, and the processing of that data meets one of the conditions specified in Article 9(2).”.

10. Regulation 10 of the Principal Regulations is amended, in paragraph (1), by the substitution of “imposed by it or by an appeal panel under these Regulations” for “imposed by it”.

11. Regulation 11 of the Principal Regulations is amended -

(a) in paragraph (2)(a), by the substitution of “60” for “40”, and

(b) in paragraph (3) -

(i) in subparagraph (a), by the substitution of “not less than 5 and not more than 7” for “3”, and

(ii) by the insertion of the following subparagraphs after subparagraph (c):

“(d) An appellant shall provide written information (including any documentation) relevant to the appeal panel within 30 working days of the establishment by the Minister of the appeal panel under paragraph (2).

(e) An appeal panel –

(i) shall request the Committee to forward observations, if any, in relation to an appeal before it, including on any documentation or other written information provided to the appeal panel by the appellant that was not provided to the Committee when it was considering the application which is the subject of the appeal,

(ii) may invite submissions from any person that it considers appropriate, and

(iii) may consult with any person who it believes could assist in the consideration of an appeal.”,

(c) in paragraph (6), by the substitution of “shall stand dissolved 30 working days after it has made such notification” for “shall stand dissolved”, and

(d) by the substitution of the following paragraph for paragraph (7):

“(7) (a) There may be paid by the Minister to the appeal panel such allowances in respect of reasonable expenses properly incurred by it in the performance of its functions as the Minister may, with the consent of the Minister for Public Expenditure and Reform, determine.

(b) The Minister shall provide, or cause to be provided, to the appeal panel such administrative and secretarial assistance as he or she considers appropriate for the appeal panel to carry out its functions under these Regulations.”.

/images/ls

GIVEN under my Official Seal,

21 January, 2021.

STEPHEN DONNELLY,

Minister for Health.

EXPLANATORY NOTE

(This note is not part of the Instrument and does not purport to be a legal interpretation)

These Regulations are made under section 36 of the Data Protection Act 2018 . They set out amendments to the Health Research Regulations (S.I. 314 of 2018) made under that same section in August 2018. The amendments apply to the processing of personal data for health research purposes. They also make certain changes to the appeals process from decisions of the Health Research Consent Declaration Committee.

1 OJ No. L 281, 23.11.1995, p. 31