By 30 April of this year, any organisation conducting health research in Ireland must either get consent to GDPR standard or else obtain a consent waiver. But in order to do the former, they need to know what explicit informed consent is (also known as GDPR-level consent). The problem is, a lot of people don’t know what’s involved. In this blog post, I’m going to try to clear up some of the misconceptions and outline the process involved in arriving at a conclusion.
This is a follow-up to the post I published in December about the changes that GDPR has brought to data protection impact assessments. The Health Research Consent Declaration Committee was established as part of the Health Research Regulations made under GDPR. In December, it launched its website at www.hrcdc.ie.
As yet, the committee itself has not been appointed but there is now a clear application process available to researchers who wish to apply for a consent waiver. So researchers need to ask themselves three questions:
- When did my research start (this date should be the date the research was approved by the medical ethics board)?
- Is my existing consent to the standard required by GDPR?
- Is my research in the public interest?
As the first question is relatively easy, let’s look at how you determine if your consent is good enough or if you will be required to reconsent your participants. The General Data Protection Regulation Article 4(11) defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Guidelines for GDPR consent
All existing health research projects must have this level of consent in place by April 30th or else have applied to the HRCDC for a waiver. For your consent to be considered explicit informed consent, you must be able to answer yes to all of the following 11 statements:
- The request for consent is prominent and separate from any other terms and conditions
- Individual are asked to positively opt in by ticking a box for each processing activity and signing the consent form
- There are no pre-ticked boxes on the consent form
- The language used in the consent form is clear, plain and easy to read
- The form specifies why the data is being collected, what you will do with it and who it will be shared with
- The form has had separate distinct (‘granular’) options to consent to each purpose and type of processing? Including a consent to anonymise if required
- Individuals are informed they can withdraw their consent; this process is easy and they are not penalised in any way for such withdrawal
- Where and when consent was given is recorded as well as the data and time associated with consent withdrawal
- Consents will be reviewed regularly to ensure the purpose and processing has not changed
- When we rely on parental consent for minors, we have a process in place to update that consent when the individual turns 18
- We have a process in place to refresh consents when necessary.
Alternatives to consent
In the event you can’t answer affirmatively to all these questions and you are not in a position to reconsent your research participants, you will need to apply using one of the three available forms from the HRCDC website before the April 30 deadline.
1. An application form in relation to new research (that is research that commenced on or after 8 August 2018).
2. An application form in relation to re-consenting of current research (that is research that began before 8 August 2018). A consent declaration in this case applies, if made, only to personal data that the data controller currently holds.
3. An application form in relation to current research (that is research that began before 8 August 2018) and for which no consent was obtained. A consent declaration in this case applies, if made, only to personal data that the data controller currently holds.
Each application requires you to carry out a Data Privacy Impact Assessment and provide a summary of the finding of that process.
Most organisations carrying out health research have a data protection officer (DPO). If they were already getting consent for their research projects by following the old data protection guidelines, they should be able to clear this new bar relatively easily. But there may be some cases where organisations were doing research using historical data without consent. In these cases, it’s worth going through the process rigorously of checking whether they can apply for a consent declaration.
Tracy Elliott is a senior data protection consultant with BH Consulting.