Introduction
Processing personal data presents inherent risks to the rights of research participants. Under the General Data Protection Regulation (GDPR), a Data Protection Impact Assessment (DPIA) must be conducted before carrying out any processing that is likely to result in a high risk to individuals’ rights and freedoms (whether physical, material, or non-material). The ULHG and CHO3 data protection function is provided by Allone Corporate Solutions Ltd and our data protection consultant is Annette Ridley.
HSE-DPIA Screening Tool
The HSE DPIA tool was developed to help the HSE (and its employees) to assess, determine, and minimise Data Protection risks associated with new projects. Using this tool and recording findings are part of your obligations under the GDPR and the requirements to ensure data protection by default and by design (meaning both at project and organisational level).
Instructions on using the HSE-DPIA Screening Tool
The HSE Screening & Record Tool (the Tool) will help you to determine if the level of risks associated with your Project requires you to complete a DPIA or not. It includes a list of close-ended questions linked to an automated scoring mechanism. A Result will automatically appear once you have completed the questionnaire.
You MUST:
1. Complete the Tool no later than the start of your Project and before you prepare your Ethics Application
2. Complete the Project General Information Green Section first (Project title & contact, & 10 close-ended questions)
3. Complete the Project Technical Information Part Blue Section of the Tool (10 close-ended questions)
4. The result of your scoring will automatically appear
5. Ensure you safely keep a copy of findings to fulfil your obligations under the GDPR.
6. The recorded findings can additionally be used for submission to HSE Reference RECs and/or other RECs when required
Recommendations will appear in the third column for some of the questions depending on the responses you give. If no recommendations appear, just continue to the next question. Examples are also provided in the third column where necessary to help you.
Please work through each of the questions below. Remember that you should focus on the data protection risks, meaning risks associated with the processing of your data only. If instructed to contact your HSE DDO/DPO, please only do so after completing the Tool (https://www.hse.ie/eng/gdpr/data-requests/data-protection-officer-and-deputy-data-protection-officer-contact-details.html).
Want to test yourself? A self-assessment tool is provided in the separate sheet entitled ‘Self Assessment’. It is not mandatory to use this self-assessment tool. If you wish to test yourself, complete the green Project General Information Section first, then the self-assessment tool, before completing the Blue Technical Information Section to compare findings.
There is useful guidance and information relating to Data Protection in Health and Social Care Research available at https://hseresearch.ie/data-protection-and-research/.
As well as the ‘Risk Scoring Tool to Determine if a DPIA is Required or Not’ there have been two recent developments in the Data Protection sphere:
· Health Research Data Protection Impact Assessment Form
This new Health Research-specific DPIA should now be used by all researchers rather than the generic HSE template.
Anonymisation and pseudonymisation
‘Pseudonymisation’ of data (defined in Article 4(5) GDPR) means replacing any information which could be used to identify an individual with a pseudonym, or, in other words, a value which does not allow the individual to be directly identified.
Example of Pseudonymisation of Data:
| | Student Name | Student Number | Course of Study |
| Original Data | Joe Smith | 12345678 | History |
| Pseudonymised Data | Candidate 1 | XXXXXXXX | History |
Fully ‘anonymised’ data does not meet the criteria necessary to qualify as personal data and is therefore not subject to the same restrictions placed on the processing of personal data under the General Data Protection Regulation (GDPR).
Data can be considered ‘anonymised’ when individuals are no longer identifiable. It is important to note that a person does not have to be named in order to be identifiable. If there is other information enabling an individual to be connected to data about them, which could not be about someone else in the group, they may still ‘be identified’. In this context, it is important to consider what ‘identifiers’ (pieces of information which are closely connected with a particular individual, which could be used to single them out) are contained in the information held.
Where data has been anonymised, the original information should be securely deleted to prevent any reversing of the ‘anonymisation’ process. In most cases, if this deletion does not take place then the data is classified as ‘pseudonymised’ rather than ‘anonymised’, and is still considered personal data.
Data protection law does not prescribe any particular technique for ‘anonymisation’, so it is up to individual data controllers to ensure that whatever ‘anonymisation’ process they choose is sufficiently robust.
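An added illustration, not part of the HSE guidance or the Tool: the sketch below pseudonymises constructed records in the style of the table above and then flags rows that are still singled out by the fields left behind. The `year_of_birth` column, the function names and the threshold `k` are assumptions made for this example, and the check is a simplified aid, not a legal test of anonymisation.

```python
from collections import Counter

# Constructed sample records; year_of_birth is an assumed extra column.
RECORDS = [
    {"name": "Joe Smith", "student_number": "12345678", "course": "History", "year_of_birth": 1999},
    {"name": "Ann Byrne", "student_number": "23456789", "course": "Nursing", "year_of_birth": 2001},
    {"name": "Tom Walsh", "student_number": "34567890", "course": "Nursing", "year_of_birth": 2001},
    {"name": "Mary Kelly", "student_number": "45678901", "course": "Nursing", "year_of_birth": 1985},
]
DIRECT_IDENTIFIERS = ("name", "student_number")


def pseudonymise(records):
    """Replace direct identifiers as in the table above; return (rows, lookup)."""
    rows, lookup = [], {}
    for i, rec in enumerate(records, start=1):
        label = f"Candidate {i}"
        # The lookup maps each pseudonym back to the original identifiers.
        lookup[label] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        rows.append({**rec, "name": label, "student_number": "XXXXXXXX"})
    return rows, lookup


def singled_out(rows, fields, k=2):
    """Rows whose combination of `fields` is shared by fewer than k rows."""
    counts = Counter(tuple(r[f] for f in fields) for r in rows)
    return [r for r in rows if counts[tuple(r[f] for f in fields)] < k]


def reidentification_risks(rows, lookup, fields, k=2):
    """List the reasons the rows should still be treated as personal data."""
    risks = []
    if lookup:
        # Original information not deleted, so the process can be reversed.
        risks.append("lookup retained: pseudonymised, not anonymised")
    unique = singled_out(rows, fields, k)
    if unique:
        names = ", ".join(r["name"] for r in unique)
        risks.append(f"singled out by {'+'.join(fields)}: {names}")
    return risks


if __name__ == "__main__":
    rows, lookup = pseudonymise(RECORDS)
    for risk in reidentification_risks(rows, lookup, ("course", "year_of_birth")):
        print(risk)
```

Even with the lookup securely deleted, the only History student in this sample remains identifiable from the course column alone.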
Please see our guidance note on ‘anonymisation’ and ‘pseudonymisation’ for further information including identification risks and examples of anonymisation techniques.
USEFUL LINK: