Since GDPR came into effect on 25 May this year, the health regulations have been updated to incorporate more stringent requirements around protecting personal information during healthcare research. The newly updated Health Research Regulations 2018 have raised the bar for carrying out a data protection impact assessment (DPIA). This post is the first in a series I’ll be writing about GDPR, privacy and health data.
We all know privacy by design is a cornerstone of the General Data Protection Regulation. The first building block to that foundation is carrying out a DPIA (commonly referred to as a privacy impact assessment). In November, the Data Protection Commissioner published guidance for data controllers and processors whose business activities may require them to carry out a DPIA. It is available as a free PDF here.
More specifically for the health sector, the Health Research Regulations 2018 make it mandatory to perform a DPIA in all cases that involve processing personal data for research purposes. They remove all risk to the data subject – and that is a good thing.
The revised rules apply to a wide variety of stakeholders, including research bodies, pharmaceutical companies, academic institutions, higher education institutes, and other research-related bodies such as those attached to hospitals. Equally, technology companies may carry out research involving health information and they too need to comply with this requirement.
The Health Research Board has published guidance for researchers to reflect the new data protection landscape. Broadly speaking, they compel researchers to take suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects.
This essentially breaks down into two key questions researchers need to ask ahead of any impact assessment exercise:
Is there a risk to the rights and freedoms of the data subject?
Consider this keeping in mind the data subject rights under GDPR, which includes the right to access, rectification, objection, and portability. The Data Protection Commissioner has published a free report which describes these rights.
Have you mitigated those risks?
Do you have policies in place, and are they published online in a transparent way? Have you done a data mapping or data inventory exercise? Do you have an appropriate legal basis for processing information? Are you archiving information in line with retention schedules? Do you have a process in place for a subject access request?
By definition, a DPIA involves assessing the impact of risks to the data subject, and to their rights and freedoms. The nature of research means you don’t know beforehand what the outcome will be. You may discover during the exploration process that there is the potential to use the same information for a different purpose.
The Health Research Regulations 2018 will lead to many, many more DPIAs in the future. Research groups are likely to need external assistance to carry them out. To get ready for this new level of compliance, it is worth familiarising themselves with the DPIA process.
At BH Consulting, we have developed a privacy impact assessment template which guides our clients in identifying the risks associated with data processing. Get in touch to find out how we can help.
Tracy Elliott is a senior data protection consultant with BH Consulting. Check back over the coming weeks for more posts about data protection and health research.