Whereas much attention has been paid to the radical changes brought by Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and its aim to enhance and uniform the data protection legislation across Member States, very few words have been spent on national derogations and restrictions. Indeed, the GDPR also provides a margin of national discretion and action to the national legislators in particular domains. In fact, alongside its well-known and precise provisions, the GDPR also contained concepts and open-ended clauses, such as public interest and research, which need to be defined and regulated at a national level.
In this context, Ireland has taken the lead on defining and implementing the GDPR-provided national exceptions in health research. The relevant provisions are not contained in the Data Protection Act 2018 (DPA 2018) but in specialised Regulations. Section 36(1) DPA 2018 (which implements Section 89 GDPR on appropriate safeguards) defines suitable and specific measures such as pseudonymisation. In addition, Section 36(2) DPA 2018 enacts further sectorial exceptions and suitable and specific measures though secondary national legislation. In this context, S.I. No. 314/2018 – Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018, (hereinafter Health Research Regulations), were enacted and entered into force on 8 August 2018, providing for separate and independent requirements to those of Section 6 and 9 GDPR. In this article, we analyse the impact of this innovative piece of legislation on organisations who conduct health research in Ireland.
The concept of health research
Among national derogations, health research occupies a special position within the GDPR. Health research is contingent on the collection, reuse, linking and matching of personal data from various data subjects on an individual and collective basis. In fact, health research is information-driven, and is heavily reliant on personal data.
In data protection, health research falls under the broad definition of scientific research, as defined in Recital No 159 and, although it is still regulated by the GDPR, national legislation plays a significant role in defining its regime. In line with this Recital, Section 3(2) Health Research Regulations adopts a broad definition of health research as to include research relating to health-related strategies, devices, products and services, as well as the diagnosis, treatment or prevention of human disease or injury, the improvement of the efficiency and effectiveness of health professionals and the health care system and population health.
The concept of suitable and specific measures for the fundamental rights and freedoms of data subjects
The GDPR provides for direct and indirect limitations on the applicability of the rights of data subjects and the data protection principles under the safeguard requirement. Indeed, an array of exceptions is directly provided by the GDPR. For instance, the right to erasure and object, as well as principles such as purpose limitation, are significantly restricted when data is processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. Under the GPPR the processing of special categories of data does not require consent if this processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In addition to these provisions, the GDPR authorises the national legislators to specify their own criteria, conditions, and requirements in a number of cases. For instance, the GDPR states that Member States may maintain or introduce further conditions and limitations to the processing of genetic data, biometric data, or data concerning health. Moreover, it provides that the processing of special categories of data, such as data concerning health, for reasons of public interest in the area of public health is subject to ‘suitable and specific measures’ to safeguard the rights and freedoms of data subjects.
The Health Research Regulations provide for several of such safeguards. Under section 3(1), data processing agreements and appropriate governance structures must be enacted, such as prior approvals by research ethics committees and compulsory data protection training for researchers in aspects such as anonymisation and deletion policies, transparency requirements, data protection impact assessments, data minimisation and the integrity and security of personal data. The Health Research Regulations introduce an important provision regarding consent and data processing for health research reasons. Indeed, prior to processing personal data for health research purposes, data controllers should request and obtain the explicit and informed consent from data subjects. According to the Article 29 Working Party, explicit consent means an express indication of the data subject’s wishes. In this regard, it is highly advisable that organisations design, record and safely store written statements to document explicit consent.
Although the Health Research Regulations set the explicit consent as the norm, they allow for exceptions to consent if the data controller can demonstrate that the public interest in carrying out the research significantly outweighs the public interest in requiring the explicit consent of the data subject. Another reason that consent may not be necessary is if data controllers had obtained the data subject’s consent in accordance with the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 and the Data Protection Acts 1988 and 2003 and that consent has not been withdrawn. In both cases, this should be done through a declaration process to the competent Committee (appointed by the Minister of Health) for a declaration that the data subject’s consent is not required. The Health Research Consent Declaration Committee is currently being established to examine such requests. The remaining obligations and measures under section 3 continue to apply.
The same provisions apply to current health research projects. According to section 6 Regulations data controllers who carry out health research that commenced prior to 8 August 2018 and who process or further process personal data for health research purposes after 8 August 2018 should as soon as practicable and no later than 30 April 2019, obtain the explicit consent of the concerned data subjects, unless one of the above exceptions apply.
Enhanced obligations on data controllers
The Health Research Regulations do not replace GDPR obligations. On the contrary, data controllers should ensure that they comply both with the Health Research Regulations and the GDPR. To this end, it is necessary that organisations are aware of any national legislation implementing the GDPR, as well as of any official guidance issued by the competent authorities and of best practices and guidelines on the notion of public interest. Furthermore, organisations should liaise with data protection experts and receive assistance in carrying out and recording this public interest balancing test. Data controllers should be proactive in designing their data protection and privacy policies, and they should design appropriate privacy notices and consent forms in accordance with the relevant legal requirements. Data controllers should also apply adequate policies for managing and storing consent forms and records of data processing activities to be able to demonstrate that they complied with the existing legal requirements.
The importance of the Health Research Regulations goes beyond its actual scope of application. They are an example of how legislators decide to make use of the GDPR provisions on national implementation. The Health Research Regulations could be used as a model for subsequent sectorial legislation, as a guidance for other Member States to enact similar laws, and as a best practice for data controllers to demonstrate compliance.
Data processing in health research is heavily regulated and requires compliance with a variety of legal requirements and sources to ensure that a comprehensive, responsible and inclusive set of practices are put in place. GDPR is only a piece of the puzzle: national legislation complements and – to some extent – bends the GDPR requirements and standards. Therefore, the GDPR should be read together with any implementing national laws, and organisations should rely on their data protection experts and DPOs to liaise with the competent authorities and ensure compliance.
For more information please refer to our service pages or contact our Data Governance team.