GMI is a commercial R&D genomics company and as such the Minister cannot speak definitively on specific matters pertaining to GMI.
The Minister is, however, very clear on the regulatory, ethical and other prevailing best practice conditions necessary for the conduct of health research in Ireland (academic-led, hospital-led or commercially-led) - all of which place participant consent as the critical cornerstone.
Health research is important. It means enhanced care for patients. It also promotes the recruitment and retention of outstanding clinicians, ensures better returns on healthcare expenditure and supports broader Government goals of employment and economic gain. For all those reasons, the Government is committed to the continued development of a research-active health system in Ireland. That commitment has already seen significant public investment in physical infrastructure, personnel, new skills and technology. At the same time, the Government is equally determined to ensure good research governance as well as appropriate and streamlined regulatory processes. The trust of patients is seen as critical to ensuring a vibrant, innovative and well-regulated health research sector.
The Health Research Regulations were made, last August, by the Minister for Health under section 36 of the Data Protection Act 2018. The purpose of the Regulations is to support health research by helping to build greater public confidence in the way individuals’ health data are collected, used and disclosed for health research. Building that confidence is seen by the Minister as essential to the long term success of health research in Ireland.
The Regulations set out for the first time in Irish legislation sound information governance principles that are in line with law and international best practice in health research. They also ensure that there is certainty, consistency and clarity for all health researchers on what the rules are. From the data subject’s perspective, the Regulations place a heightened emphasis on transparency. Further, given the sensitivity of personal health data and the fact that genetic data is now expressly referenced as a special category of personal data in GDPR, the regulations have a requirement for explicit consent as an Article 9(2)(j) “suitable and specific safeguard” for the processing of personal data for health research.
The Minister for Health made such Regulations in the area of processing personal data for health research for two related reasons:
- to bring certainly, clarity and consistency to the relevant rules (something the health research sector had been seeking for a long time) and
- to ensure that data subjects could be confident that the processing of their sensitive personal data was subject to safeguards that would encourage them to provide their information for health research projects.
The processing of personal data for health research purposes has an applicable legal framework that goes beyond data protection.
At international level, the European Convention on Human Rights (ECHR) and the case law of the court both attach considerable importance to privacy and confidentiality when it comes to medical records. The ECHR reflects the longstanding Common Law duty of confidentiality between health professionals and patients. Breach of the common law duty confidentiality (without justifiable reasons) would leave the health professional open to a civil action and a complaint to his or her professional regulatory body.
At the level of Bunreacht na hEireann, the Courts have held that the Constitution includes an unenumerated right to privacy.
In the last five-six decades recognition of the moral right of research subjects to make their own choice or to self-determine or decide on the research participation has been one of the most important developments in the field of ethics related to research involving human subjects. As such, all research projects involving human participants in Ireland are required to undergo a robust review by a Research Ethics Committee and approval from a REC is required to advance any study. As an ethical principle, a REC must be satisfied that the law has been followed and that the consent of the individual data subject has been obtained where it is intended to access and use his or her medical records.
The Article 29 Guidance on the GDPR prepared by the EU Data Protection Board makes clear that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. It also makes clear that consent should cover all processing activities carried out for the same purpose or purposes and when the processing has multiple purposes, consent should be given for all of them. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.
This and further detailed guidance for the research community has been provided repeatedly and at numerous events and fora by Department officials, and with the support of the Health Research Board.
As the regulator in this area, the only organisation who can categorically assess and confirm whether the research-related activities of GMI, or any research investigator, satisfy the GDPR requirements of transparency and consent is the Data Protection Commission.