By 30 April of this year, any organisation conducting health research in Ireland must either get consent to GDPR standard or else obtain a consent waiver. But in order to do the former, they need to know what explicit informed consent is (also known as GDPR-level consent). The problem is, a lot of people don’t know what’s involved. In this blog post, I’m going to try to clear up some of the misconceptions and outline the process involved in arriving at a conclusion.
This is a follow-up to the post I published in December about the changes that GDPR has brought to data protection impact assessments. The Health Research Consent Declaration Committee was established as part of the Health Research Regulations made under GDPR. In December, it launched its website at www.hrcdc.ie.
As yet, the committee itself has not been appointed but there is now a clear application process available to researchers who wish to apply for a consent waiver. So researchers need to ask themselves three questions:
As the first question is relatively easy, let’s look at how you determine if your consent is good enough or if you will be required to reconsent your participants. The General Data Protection Regulation Article 4(11) defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
All existing health research projects must have this level of consent in place by April 30th or else have applied to the HRCDC for a waiver. For your consent to be considered explicit informed consent, you must be able to answer yes to all of the following 11 statements:
In the event you can’t answer affirmatively to all these questions and you are not in a position to reconsent your research participants, you will need to apply using one of the three available forms from the HRCDC website before the April 30 deadline.
1. An application form in relation to new research (that is research that commenced on or after 8 August 2018).
2. An application form in relation to re-consenting of current research (that is research that began before 8 August 2018). A consent declaration in this case applies, if made, only to personal data that the data controller currently holds.
3. An application form in relation to current research (that is research that began before 8 August 2018) and for which no consent was obtained. A consent declaration in this case applies, if made, only to personal data that the data controller currently holds.
Each application requires you to carry out a Data Privacy Impact Assessment and provide a summary of the finding of that process.
Most organisations carrying out health research have a data protection officer (DPO). If they were already getting consent for their research projects by following the old data protection guidelines, they should be able to clear this new bar relatively easily. But there may be some cases where organisations were doing research using historical data without consent. In these cases, it’s worth going through the process rigorously of checking whether they can apply for a consent declaration.
Tracy Elliott is a senior data protection consultant with BH Consulting.