
General Data Protection Regulation

Dáil Éireann Debate, Thursday - 18 April 2019


Questions (157)

Thomas P. Broughan

Question:

157. Deputy Thomas P. Broughan asked the Minister for Health if Irish genetic data will be fully protected by GDPR legislation and that research using such sensitive data is subject to strict oversight and accountability under GDPR; and if he will make a statement on the matter. [18081/19]


Written answers

The EU General Data Protection Regulation (GDPR) replaced the previous EU Data Protection Directive.  Unlike the Directive which required to be transposed into the national law of Member States, the Regulation became directly effective on 25 May 2018.  One difference between the GDPR and the Directive is that the Regulation expressly recognises genetic data as a special category of personal data deserving of a high level of protection.

An important feature of the GDPR is that it allows Member States flexibility in certain areas.  One of those areas is the processing of personal data for health research purposes and I used that flexibility to make, last August, the Health Research Regulations under section 36 of the Data Protection Act 2018. 

The Health Research Regulations are a coherent statement of public policy in the health research area based on internationally accepted best practice information principles for those carrying out health research and strong and focused safeguards for those whose personal data is being processed for health research.  The collecting, use, storage and disclosure of genetic data for health research purposes is, therefore, not only governed by the GDPR and the Data Protection Act 2018 but also wholly regulated by the Health Research Regulations.  Further, the preparation of the Regulations had full regard to the privacy and confidentiality dimensions of the Constitution, Common Law and the European Convention on Human Rights (ECHR).

The Regulations emphasise explicit consent of the data subject as the default position, provide for high levels of transparency which is a new core data protection principle and for information security controls to limit access to the personal data of individuals as well as controls to log who has accessed the data. 

They also address the reality that those requirements for consent, transparency, security and other data subject’s rights mean very little if there is no clarity on where the responsibility lies for complying with them.  That is why they tackle the crucial issue of the relationships between the institutions that hold the data being used in the research and the health researchers that carry out the research using that data.  The rules and requirements in the Regulations are very clear especially when it comes to third party disclosures.   Accordingly, all involved in a health research project must ensure that they know whether they are the data controller, a joint data controller or data processors and comply fully not only with legal requirements but ethical ones too.

The consent declaration process provided for in the Regulations which is designed to facilitate publicly important health research where seeking consent is not possible - something found in other countries - is very tightly drawn and its criteria for when a consent declaration can be given are directed not only at GDPR considerations but also at the Common Law, Constitution and ECHR.  That was done to ensure that all relevant factors must be addressed both in the application for a consent declaration and in the consideration of that declaration.  It is the same reasoning that means that a declaration when granted can only ever extend to obtaining and using personal data required for the research or part of the research but such data cannot then be disclosed to anyone else without the consent of the data subject or a legal obligation to do so.  It is also important to emphasise that a consent declaration cannot be given where a data subject has refused his or her consent to the use of his or her personal information for the research involved.

Everything that is provided for in the Health Research Regulations was subject to a series of discussions with the Data Protection Commission.  The rigorous nature of that consultation process provided a very useful stress test.  In particular, the Department and the Commission had careful regard to the issue of genetic data against the backdrop both of scientific developments in the genomics area and the GDPR requirement that genetic data, as a special category of sensitive personal data, is subject to strong safeguards.

Health research is indisputably important to better patient care and the development of innovative and life-saving therapies.  As Minister, I want to support health research and I believe most people do.  I believe that the best way to do so is to promote and sustain greater public confidence in research through enhanced openness, transparency and patient empowerment so that no individual is surprised by who has access to his or her personal data and the research uses to which it is put.  Without that confidence, the necessary support for health research that has the potential to bring considerable benefits, especially in evolving areas like genetics and genomics, will not be forthcoming.  For that reason, it is in the interests of all those involved in health research to work with us in building that confidence.

One final point, the Minister for Health does not have the power to give anyone permission to collect DNA from Irish hospitals, GP practices or health centres.  Those samples, where collected, must be collected on the basis of informed consent and that informed consent determines who has access to the samples and what the samples and any related personal data can be used for.  Responsibility for proper governance in relation to those samples and the associated genetic data lies firmly with the institutions that collect and hold them.  Failure to adhere to proper governance may have significant consequences under law for the institutions and any employees or agents involved.  There will also be serious reputational damage affecting health research in Ireland generally.
