Research Using Health Related Personal Data
Researchers should be aware that Ireland has introduced specific Health Research Regulations (HRR). Any research involving the use of personal health-related data must comply with these Regulations. The HRRs operate within the framework of the GDPR and reflect the discretion given to EU Member States to introduce national rules in certain areas.
What are Special Category Data?
Under data protection law (including the GDPR), special category data refers to particularly sensitive types of personal data that require a higher level of protection. These include personal data relating to:
- a person’s racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data, where used for the purpose of uniquely identifying an individual
- health data
- a person’s sex life
- a person’s sexual orientation
Because of their sensitive nature, the processing of special category data is subject to stricter conditions and safeguards than standard personal data.
Health‑Related Research and Special Category Personal Data
In the context of the Health Research Regulations (HRR), it is particularly important for researchers to recognise that health‑related research will almost always involve special category personal data. Because this type of data is inherently sensitive, additional legal and ethical requirements apply.
Health‑related research projects must:
- be supported by at least one lawful basis for processing under Article 6 of the GDPR
- identify, in addition to an Article 6 lawful basis, a separate condition for processing special category data under Article 9 of the GDPR. The Article 6 lawful basis and the Article 9 condition are chosen independently and do not need to match one another; Article 9 sets out ten possible conditions (Article 9(a)–(j))
- implement appropriate safeguards to protect the fundamental rights and freedoms of research participants, with the HRR specifying explicit consent as a key safeguard.
Under the HRR, the processing of personal health data for research purposes is, as a rule, expected to rely on explicit consent as a safeguard. This requirement applies alongside other suitable and specific measures that must also be put in place to ensure data protection compliance.
Where a health research project is of significant public interest and it is not practicable to obtain explicit consent, researchers must apply to the Health Research Consent Declaration Committee (HRCDC) for a consent declaration before proceeding.
Key Considerations for Research Using Health‑Related Personal Data
When planning or conducting research that involves health‑related personal data, researchers should take the following points into account:
- Clarify responsibility for the data
Identify who is legally responsible for determining how and why personal data are processed. This may be a single organisation or, in collaborative projects, multiple organisations acting jointly. Where decisions are shared, a joint controller agreement should be put in place to clearly set out each party’s data protection roles and responsibilities.
- Put appropriate governance arrangements in place
Ensure there is a designated governance structure or committee with oversight responsibility for confirming that the processing of personal data complies with legal and regulatory requirements.
- Manage data sharing transparently
Be clear about who personal data will be shared with, both during the project and in the future. Where data sharing occurs, appropriate data sharing agreements should be established. Research participants must be informed from the outset about how and with whom their data will be shared.
- Address the use of external service providers
Consider whether any data processing activities will be conducted by third parties, such as external specialists or service providers. Where this applies, researchers are legally required to manage the controller–processor relationship and have a formal written agreement in place.
- Apply robust security measures
Implement strong technical and organisational safeguards to protect the confidentiality, integrity and security of all personal data processed as part of the research.
- Document data flows and retention
Map how personal data move through the project and consider the full data lifecycle, from collection and use, through storage, to eventual secure deletion or anonymisation.
- Provide clear information to participants
Prepare clear and comprehensive privacy notices and Participant/Patient Information Leaflets (PILs) and make these available to prospective participants before data collection begins. This enables individuals to make an informed decision about whether to take part.
- Be mindful of international data transfers
Remember that personal data transfers outside the EEA are restricted. Any transfer to a third country must be supported by appropriate legal safeguards before it can take place.
- Plan for a Data Protection Impact Assessment (DPIA)
In most cases, research involving health data will require a DPIA. This assessment should be conducted at an early stage, before the project design is finalised, and sufficient time should be built into the project plan to complete the process.
Important Documents and Guidance for Health Researchers
- GDPR Guidance for Health Researcher
- Ethics and data protection
- EDPB clarifications on the consistent application of the GDPR, focusing on health research
- Health Research Data Protection Network (HRDPN) PRACTICAL GUIDE ON DATA PROTECTION FOR HEALTH RESEARCHERS
- S.I. No. 314/2018 - Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018