Health Check for Health Research Regulations 2018
The Department of Health recently published an update on the Health Research Regulations 2018, which will be of significant interest to those involved in “health research”, including in the area of clinical trials.
This is to be welcomed and represents an opportunity for the Department to address some of the more challenging aspects of the Health Research Regulations based on input from relevant stakeholders, including hospitals and the wider research community.
1. The Health Research Regulations – A recap
The Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (S.I. 314/2018) (the “Health Research Regulations” or the “Regulations”) were adopted on 8 August 2018, just three months after commencement of the General Data Protection Regulation (“GDPR”). As explained in our previous briefing (available here), the Regulations introduced material changes to the rules governing how health research can be conducted in Ireland.
The key changes introduced were as follows:
- A new statutory definition of “Health Research”;
- Prescribing a list of mandatory “suitable and specific measures” that must be adopted when processing personal data for Health Research purposes, including a general requirement that “explicit consent” be obtained from data subjects; and
- Identifying exceptional circumstances in which the explicit consent requirement is not required and laying down a detailed process to be followed in such cases.
2. The legislative backdrop to the Health Research Regulations
Before considering the Department’s recent update, it is worth briefly considering the legislative backdrop to the Health Research Regulations. The GDPR defines genetic data as “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”.
The GDPR expressly includes such “genetic data” as a special category of personal data (“SCPD”), meaning it is subject to a higher standard of data protection. In particular, this requires that one or more of the conditions under Article 9 of the GDPR must be met in order to legitimise the processing of genetic data. Article 9(2)(a) provides that explicit data subject consent is one such condition, while others potentially suitable in a Health Research context are as follows:
- Article 9(2)(i), which permits such processing where “necessary for reasons of public interest in the area of public health… ensuring high standards of quality and safety of health care and of medicinal products or medical devices”; and/or
- Article 9(2)(j), which permits processing that is “necessary for …scientific research purposes… in accordance with Article 89(1)” (and subject to various obligations flowing from Article 89 GDPR).
Under the Irish Data Protection Act 2018 (the “2018 Act”), the processing of SCPD, including for the purpose referenced above is subject to the adoption of “suitable and specific measures” (or “SSMs”). Section 36 of the 2018 Act contains a non-exhaustive list of SSMs intended to “safeguard the fundamental rights and freedoms of data subjects”. Significantly, section 36(2) also allows for the adoption of Ministerial regulations prescribing additional SSMs applicable to certain categories of personal data or types of processing. Relying on this enabling provision, the Minister for Health introduced the Health Research Regulations in August 2018.
3. Taking the temperature of the Health Research Regulations
To be clear, section 36(2) of the 2018 Act is an enabling provision and does not require the Minister to introduce measures further to those already required by:
- Article 9 of the GDPR, which specifies the conditions for processing SCPD generally;
- Article 89 of the GDPR, which imposes additional requirements when processing personal data for research purposes including Health Research purposes; and
- The various provisions of the 2018 Act, including sections 36, 42, 53 and 54, which already impose specific obligations on data controllers when processing SCPD for Health Research purposes.
In a recent paper published by the Irish Journal of Medical Science and commissioned by the Irish Academy of Medical Science (“GDPR: an impediment to research”, available here), eight prominent physicians involved in medical research addressed some of the difficulties generated by the Health Research Regulations from a clinical perspective. While the paper considers the operational issues surrounding the workload, resourcing and structure of the Health Research Consent Declaration Committee (the “Committee”), it also addresses the clinical challenges now posed in relation to medical research involving: (i) retrospective chart reviews; (ii) biobanks; and (iii) where data subjects lack capacity to give consent (such in the field of emergency medicine). The paper ultimately proposes a set of proposals that the authors state would “safeguard patients’ rights while at the same time protecting their access to newer treatments and diagnostics”. In this context it worth recalling that the GDPR articulates the principle that “the processing of personal data should be designed to serve mankind” and “must be considered in relation to its function in society and be balanced against other fundamental rights” (Recital 4, GDPR). While the Department of Health’s recent update on the Health Research Regulations is therefore to be welcomed, any proposals should be framed to strike an appropriate balance between data protection and the important public interest benefits of Health Research.
4. The Department’s Update – extension for ongoing Health Research
As noted above, in certain circumstances, the Regulations allow for an exception to the requirement to obtain explicit data subject consent for Health Research. Instead data controllers may seek a declaration from the Committee (officially known as the “Health Research Consent Declaration Committee”), and appointed by the Minister for Health, where the public interest in carrying out the research is deemed to significantly outweigh the public interest in requiring the explicit consent of the data subject (a “Committee Declaration”). However, obtaining a Committee Declaration is quite an involved process under the procedures set out in Regulations 5 and 6 (and may take considerable time given the expected workload, resourcing and structure of the Committee). Eligibility for this exception is dependent on whether the Health Research commenced on, before or after 8 August 2018.
To be clear, a Committee Declaration does not remove the requirement to put in place the other SSMs mandated by the Regulations; it merely removes the explicit consent requirement.
For present purposes, where the Health Research was commenced prior to 8 August 2018, but the controller processes or further processes personal data after this date, in these circumstances, the controller must either:
a) apply for a Committee Declaration that explicit consent from the data subject is not required on one of two grounds; or
b) obtain explicit consent of data subject as soon as practicable and no later than 7 August 2019.
In light of delays in establishing the Committee, the Department of Health has now stated it is in the process of seeking an extension to the period under Regulation 6 for consent in relation to ongoing research and related applications to the Committee. As the Department’s update explains, extending the specified date requiring explicit consent for ongoing research beyond 30 April would allow for applications for a Consent Declaration to be made in an orderly and timely way to the Committee and importantly will allow the recently appointed Committee further time to conduct its deliberations. Given that the Committee held its first meeting and induction session on 27 March last this extension is sensible. This proposed change will be welcomed by those undertaking ongoing Health Research that commenced prior to 8 August 2018.
It is worth noting that the Committee publishes on its website a list of all applications for Committee Declarations that it considers (available here).
5. Proposed amendments – A clean Bill of Health for the health Research Regulations?
Separately, arising from its active engagement with relevant stakeholders in the research community, the Department of Health has also confirmed that it is currently consulting with the DPC on certain matters, an exercise which the Department has said “may” lead to amendments to the Health Research Regulations.
The specific areas of the Regulations, which the Department’s update confirmed are under consideration include:
5.1 Optimisation of the use of administrative data:
An amendment to facilitate disclosure of pseudonymised personal data for secondary Health Research purposes in the absence of explicit consent and where re-identification is not permitted (which is in keeping with several provisions of the GDPR and 2018 Act on research purposes).
5.2 Mechanism for retrospective chart review studies:
The Department has advised that it is seeking to introduce a mechanism that allows for retroactive chart review studies to be carried out in the data controller’s organisation and by health practitioners and employees of that organisation. Under this proposal, healthcare staff involved in the care and treatment of patients (plus other employees subject to a duty of confidentiality), would be permitted to engage in pre-screening without the explicit consent of the relevant data subject(s).
5.3 Greater clarity regarding pre-screening:
Greater clarity will be sought as to pre-screening for the purpose of assessing eligibility and suitability for inclusion in Health Research. The amendment will also seek to facilitate other “approved” researchers engaging in pre-screening subject to specified privacy safeguards.
5.4 Consent in emergency care intervention studies:
An amendment is sought to address the challenge of collecting explicit consent versus “deferred” consent in emergency care intervention studies.
5.5 Processing data where an adult lacks capacity:
The Department has also requested that a workable basis for processing personal data for Health Research where an adult lacks the capacity to consent to the processing be found (reflecting the values and principles as set out in the Assisted Decision-Making (Capacity) Act 2015).
6. Next Steps
While informed data subject consent should remain the bedrock of Health Research, subject to appropriate safeguards being put in place, it is important that the law facilitates Health Research in circumstances where it is not feasible or appropriate to obtain a GDPR standard of explicit consent. Otherwise there is a risk that a consent-only based approach would represent an impediment to important health research without enhancing the protection of patients’ or trial participants’ personal data.
In any event, before becoming law, any amendments to the Health Research Regulations will have to undergo a formal consultation process, involving the Department of Health as well as the DPC, the Department of Justice and Equality and the Attorney General’s Office. The Department has stated that it will seek to keep the research community updated and informed as a matter of priority through the Health Research Consent Declaration Committee website: https://hrcdc.ie/. In making such amendments it would be sensible for these parties to take on board the insights and practical challenges faced by the wider research community. Accordingly, it may yet be some time yet before these amendments get a clean bill of health!
 Such measures already include: (i) data minimisation; (ii) de-identification, to the extent possible; (iii) access controls and logging mechanisms; and (iv) enhanced security measures such as encryption and pseudonymisation of personal data.