Introduction
Processing Personal Data presents inherent risks to the rights of research participants under the General Data Protection Regulation (GDPR) a Data Protection Impact Assessment (DPIA) must be conducted before carrying out any processing that is likely to result in a high risk to individual’s rights and freedom (whether it is physical, material, or non-material). The ULHG and CHO3 dataprotection function is provided by Allone Corporate Solutions Ltd and our dataprotection consultant is Annette Ridley.
HSE-DPIA Screening Tool
The HSE DPIA tool was developed to help the HSE (and its employees) to assess, determine, and minimise Data Protection risks associated with new projects. Using this tool and recording findings are part of your obligations under the GDPR and the requirements to ensure data protection by default and by design (meaning both at project and organisational level).
Instructions on using the HSE-DPIA Screening Tool
The HSE Screening & Record Tool (the Tool) will help you to determine if the level of risks associated with your Project requires you to complete a DPIA or not. It includes a list of close-ended questions linked to an automated scoring mechanism. A Result will automatically appear once you have completed the questionnaire.
You MUST:
1. Complete the Tool not later than at the start of your Project (at the very latest) and before you prepare your Ethics Application
2. Complete the Project General Information Green Section first (Project title & contact, & 10 close-ended questions)
3. Complete the Project Technical Information Part Blue Section of the Tool (10 close-ended questions)
4. The result of your scoring will automatically appear
5. Ensure you safely keep a copy of findings to fulfil your obligations under the GDPR.
6. The recorded findings can additionally be used for submission to HSE Reference RECs and/or other RECs when required
Recommendations will appear in the third column for some of the questions depending on the responses you give. If no recommendations appear, just continue to the next question. Examples are also provided in the third column where necessary to help you.
Please work through each of the questions below. Remember that you should focus on the data protection risks, meaning risk associated with the processing of your data only and If instructed to contact your HSE DDO/DPO, please only do so after completing the Tool (https://www.hse.ie/eng/gdpr/data-requests/data-protection-officer-and-deputy-data-protection-officer-contact-details.html) Want to test yourself? A self-assessment tool is provided in the separate sheet entitled ‘Self Assessment’. It is not mandatory to use this self-assessment tool. If you wish to test yourself complete the green Project General Information first, then the self-assessment tool, before completing the Blue Technical Information Section to compare findings.
There is useful guidance and information relating to Data Protection in Health and Social Care Research available at, https://hseresearch.ie/data-protection-and-research/.
As well as the ‘Risk Scoring Tool to Determine if a DPIA is Required or Not’ there have been two recent developments in the Data Protection sphere:
· Health Research Data Protection Impact Assessment Form
This new Health Research-specific DPIA should now be used by all researchers rather than the generic HSE template.
Anonymisation and pseudonymisation
‘Pseudonymisation’ of data (defined in Article 4(5) GDPR) means replacing any information which could be used to identify an individual with a pseudonym, or, in other words, a value which does not allow the individual to be directly identified.
Example of Pseudonymisation of Data:
| Student Name | Student Number | Course of Study | |
| Original Data | Joe Smith | 12345678 | History |
| Pseudonymised Data | Candidate 1 | XXXXXXXX | History |
Fully ‘anonymised’ data does not meet the criteria necessary to qualify as personal data and is therefore not subject to the same restrictions placed on the processing of personal data under the General Data Protection Regulation (GDPR).Data can be considered ‘anonymised’ when individuals are no longer identifiable. It is important to note that a person does not have to be named in order to be identifiable. If there is other information enabling an individual to be connected to data about them, which could not be about someone else in the group, they may still ‘be identified’. In this context, it is important to consider what ‘identifiers’ (pieces of information which are closely connected with a particular individual, which could be used to single them out) are contained in the information held.
Where data has been anonymised, the original information should be securely deleted to prevent any reversing of the ‘anonymisation’ process. In most cases, if this deletion does not take place then the data is classified as ‘pseudonymised’ rather than ‘anonymised’, and is still considered personal data.
Data protection law does not prescribe any particular technique for ‘anonymisation’, so it is up to individual data controllers to ensure that whatever ‘anonymisation’ process they choose is sufficiently robust.
Please see our guidance note on ‘anonymisation’ and ‘pseudonymisation’ for further information including identification risks and examples of anonymisation techniques.
USEFUL LINK:
Guidance Note and Anonymisation and Pseudonymisation.
Use of service generated datasets for research purposes
Anonymisation and Data Protection Safeguards
Access to service datasets under GDPR is permitted only where the dataset has been irreversibly anonymised prior to release to the researcher, such that the researcher does not at any time have access to identifiable or pseudonymised personal data.
Anonymisation must be carried out by an authorised data management function within the HSE and must ensure that:
- All direct identifiers (including but not limited to name, medical record number, PPSN, address, full date of birth) are removed;
- Indirect identifiers are generalised or suppressed to prevent singling out, linkage or inference;
- No re-identification key or code is retained or made available to the researcher;
- Re-identification of individuals is not reasonably likely by the researcher, or any third party, taking into account available data and technical means.
Only datasets meeting the standard of effective and irreversible anonymisation in accordance with GDPR Recital 26 and relevant guidance of the European Data Protection Board and the Irish Data Protection Commission may be released under this scheme.
Where anonymisation to this standard cannot be achieved, or where identifiable or pseudonymised data are required for the purposes of the research, the project must proceed through the full data governance, data protection and Health Research Regulations approval pathway, including where applicable explicit patient consent or a Consent Declaration.
The Research Directorate reserves the right to refuse access where anonymisation cannot be assured to the required standard.
Ethics Committee Notification and Oversight
All studies proposing to utilise service datasets must be notified to the relevant Research Ethics Committee by way of regular submission, pending the development of an agreed abbreviated application process – currently under consideration.
Reuse of Public Sector Information
Reuse of public sector information could be considered for anonymous or aggregate health statistics
(e.g., number of cases per region, published open health datasets without identifiers) as these can be reused under PSI if lawfully published.
Retrospective Chart Review
Where patient data are bing used as part of a retrospective chart review it is essential that the relevant clinical units display this notice in the units. Laminated versions are available by contacting the Research Directorate (aisling.nolan@hse.ie)