The Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. No. 314/2018) (the "Health Research Regulations"), which contain stringent rules in relation to the collection, use and sharing of personal data for health research purposes, have been amended by the Minister for Health by way of the Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021 (the "2021 Regulations").
As discussed in a 2019 briefing on the Health Research Regulations (available here), the Department of Health had identified retrospective chart reviews, pre-screening for the purpose of assessing eligibility/suitability for inclusion in health research, and a data subject's capacity to consent, as areas that would require further consideration in relation to the requirement for explicit consent / a consent declaration. The 2021 Regulations, which were developed in consultation with the Data Protection Commission, have clarified the position on these issues, as well as reformulating the definition of explicit consent, and providing for some procedural changes in relation to the consent declaration appeals process. The Department of Health's guidance on the 2021 Regulations (the "Guidance") is available here.
Regulation 3(1)(e) of the Health Research Regulations required data controllers to obtain data subjects' "explicit consent" prior to the commencement of health research for the processing of their personal data for the purpose of specified health research. This was broadly understood to mean that controllers needed to obtain "explicit consent" within the meaning of the GDPR, by way of an express statement of freely given, specific, informed and unambiguous consent (ideally via a written record), which could be withdrawn at any time.
Under the 2021 Regulations, in addition to retaining a copy of such consent (as they were already required to do to demonstrate compliance pursuant to Article 7(1) GDPR), controllers must provide data subjects with a copy of the consent, and the consent must be obtained "in accordance with international best practice on the ethical conduct of health research (which includes informed consent, transparency and independent ethical oversight)." The Guidance elaborates that best practice in conducting health research runs in favour of informed consent that:
- Identifies the scope of the specified research;
- Provides information, in a timely manner, in an intelligible and easily accessible form, using clear and plain language;
- Gives choices to individuals in terms of the areas of research that they want their information to be used in and third parties that they are willing to have their information shared or not shared with;
- Allows the withdrawal of consent in a convenient way and where that is not possible, explains the limits of withdrawal; and
- Is documented by the data controller in written, electronic or other format with a copy of the record of consent provided to the individual.
Further, the Guidance notes that consent must always be voluntary, and researchers must ensure that the data subject is advised that whether or not they give consent will not impact the care or treatment that they receive from a health practitioner.
In reality, it seems that the re-formulated requirement simply echoes the conditions of explicit consent under the GDPR. As such, this amendment should not impact data controllers who already endeavour to obtain freely given, specific, informed and unambiguous expressions of consent by way of written statements, which are securely retained to demonstrate that valid consent was obtained.
The 2021 Regulations introduce a concept of "deferred consent" for exceptional circumstances where an individual is unable to give consent because they are physically or mentally incapacitated. This exception will only apply where the principal purpose of the processing of the personal data by the data controller is necessary for the provision of health care to a data subject and to protect their vital interests. In such circumstances, the personal data may also be processed by the data controller for a related health research purpose, provided that the health research has been approved by a research ethics committee, until such time as the data subject concerned has the capacity to give their consent.
Importantly, deferred consent does not dispose of the requirement for explicit consent. As soon as the data subject regains decision-making capacity, the controller must inform the data subject, orally and in writing, of the processing of their personal data for health research purposes, provide information in relation to the sharing of their personal data, and seek explicit consent for the processing. If the data subject does not provide explicit consent, the processing must stop, and any personal data already processed must be erased, except where to do so would be likely to render impossible or seriously impair the achievement of the objectives of that processing (in alignment with Article 17(3)(d) GDPR and section 61 of the Data Protection Act 2018). In the event that the data cannot be erased, the data controller must inform the data subject as soon as practicable, orally and in writing, of the reasons why such data cannot be erased.
The Guidance notes that any controller with a consent declaration application awaiting consideration by the Health Research Consent Declaration Committee ("HRCDC") that is affected by this amendment should contact the committee secretariat to discuss their application.
Informed Consent obtained pursuant to the EU Data Protection Directive
Under Regulation 6 of the Health Research Regulations, data controllers carrying out research that commenced prior to 8 August 2018 who intended to process or further process personal data for the purposes of health research after 8 August 2018 were required to apply for a consent declaration from the HRCDC by 7 August 2019, even if they had obtained valid consent for the processing under the Data Protection Directive 95/46/EC and the Data Protection Acts 1988-2003 and that consent had not been withdrawn.
In a welcome recognition of the needless difficulties caused by Regulation 6, the 2021 Regulations acknowledge that consent will be considered valid if "informed" consent was obtained in accordance with the prior legislation pre-GDPR, and if that consent has not since been withdrawn. Further, the data controller must have a lawful basis for the processing of the personal data under Article 6 GDPR and meet one of the conditions for processing special categories of data under Article 9(2) GDPR.
Blanket consent will not be considered valid, as such consent would not have been in accordance with the Data Protection Directive 95/46/EC.
This amendment will be relevant to data controllers who have a re-consenting application awaiting consideration by the HRCDC.
Subject to compliance with Regulation 3(2) (as amended), the 2021 Regulations permit the processing of patient records for pre-screening purposes (to determine whether the individual is suitable or eligible for inclusion in a study) without the data subject's explicit consent and without the ethical approval of a research ethics committee.
Previously, only healthcare staff involved in the care and treatment of a data subject could access their patient records for pre-screening purposes without the data subject's explicit consent. Pre-screening may now be carried out by: (i) a health practitioner employed by the data controller or a person studying to be a health practitioner under the direction and control of the data controller; (ii) an employee of the data controller who would ordinarily have access to the personal data of individuals that is held by the controller in the course of their duties; or (iii) an "authorised person".
An "authorised person" may be an employee of:
- an institution of higher education;
- a body or person whose principal activity is the provision, management or development of a health practitioner; or
- a registered charitable organisation, one of whose objects is to support research and education in the health services,
who is under the direction and control of a health practitioner who is an employee of the controller.
In respect of "authorised persons," the 2021 Regulations require data controllers to implement and publicise an authorisation process, and to enter a contract with the employer of the authorised person that prohibits the use of personal data without explicit consent for purposes other than pre-screening purposes. Further, the 2021 Regulations require additional transparency measures to make patients aware of the fact that an authorised person is involved in the processing of their personal data for health research purposes.
Although the 2021 Regulations expand the categories of persons who may access personal data for pre-screening purposes without the data subject's explicit consent, the Guidance notes that it is best practice for the data subject's interest in the research to be gauged by a health practitioner. The Guidance also further elaborates on what is expected from data controllers in respect of the management of authorised persons.
Retrospective Chart Review
The 2021 Regulations facilitate the conduct of low-risk retrospective chart reviews (studies in which pre-recorded patient personal data is used to answer a research question) without the data subject's explicit consent where such a review has been approved by a research ethics committee and meets specified transparency requirements.
While the Health Research Regulations already require data controllers to assess the data protection implications of proposed research (pursuant to Regulation 3(1)(c)(i)), to conduct a retrospective chart review without the data subject's consent, the risk assessment must conclude that the risk to the data subject is low, and the relevant research ethics committee must be satisfied with the data controller's assessment.
Retrospective chart reviews may only be conducted by: (i) health practitioners who are employed by the data controller or persons studying to be health practitioners who are under the direction and control of the data controller; or (ii) employees of the data controller who would ordinarily have access to the personal data of individuals that is held by the data controller in the course of their duties.
Again, the 2021 Regulations require enhanced (and relatively prescriptive) transparency measures to make patients aware that personal data collected by the data controller for the provision of health care to a patient may be used in a retrospective chart review study.
This is a welcome amendment that reflects the Department of Health's previous confirmation (in consultation with the Data Protection Commission) that the requirement for explicit consent for retrospective chart reviews would be deferred in these circumstances.
Updates to the Appeals Process
The 2021 Regulations also introduce changes to the appeals process that is available to data controllers who are unsuccessful in seeking a consent declaration from the HRCDC.
Where the Health Research Regulations were silent as to when the appellant would be required to provide written submissions (referring only to the need to provide notice of an appeal within 30 working days of receipt of the HRCDC's decision), the 2021 Regulations provide welcome clarification that the appellant has a full 30 working days from the establishment of the appeal panel to provide written information pertaining to the appeal.
Perhaps most interestingly, the 2021 Regulations give greater clarity to the scope of the appeal panel's review, and in doing so, also give the HRCDC more influence on the appeals process. Pursuant to Regulation 11(e), an appeal panel will now be required to request the HRCDC's observations on the appellant's submissions, and it may also "invite submissions from any person that it considers appropriate" and "consult with any person who it believes could assist in the consideration of an appeal."
Further changes include: increasing the size of the appeal panel from three to not less than five and no more than seven; increasing the time allowed to set up the appeal panel from forty working days to sixty working days from receipt of the notice of appeal; and not dissolving the appeal panel until thirty working days after it has made its decision so that it can provide formal clarification on any matters arising from its decision. The 2021 Regulations also explicitly provide that the HRCDC can revoke a consent declaration where it is satisfied that the conditions imposed by an appeal panel are not being met.
The 2021 Regulations address a number of issues that posed difficulties for data controllers engaged in health research. While the explicit consent of the data subject remains paramount, the 2021 Regulations have introduced some measures that address the realities faced by health practitioners and researchers that will facilitate health research while ensuring that the personal data of patients is handled safely and transparently.
The authors would like to thank Shannon Buckley Barnes for her contribution to this article.