GDPR: Implementing additional data protection rules in Health Research

The Health Research Regulations 2018 got the more specific effect by introducing data processing provided for in Section 36 of the draft Data Protection Act 2018.

Regulations on data processing occupy a privileged position for researches. By (Article 6(4); Recital 50) Organizations that process personal data for the purpose of research may avoid restrictions on personal data processing and on processing categories of sensitive data.

In addition to that, the GDPR may permit organizations to process personal data for research purposes without the data subject’s consent. In separate cases, these organizations can transfer personal data to third countries for research purposes, there is no need for other transfer mechanisms in place.

The key changes for the Regulations are: 1. Defining "Health Research"

1. prescribing a list of "Suitable and Specific Measures" to be taken when processing personal data for Health Research purposes, including that "explicit consent" be obtained; and
2. identifying exceptional circumstances in which the explicit consent of a data subject to the processing of their personal data is not required and laying down a detailed process to be followed in these cases.

There are many conditions for providing exemptions for health researches. Conditions For Research Exemptions:

• Controllers must implement appropriate safeguards * Technical and organizational measures * Every controller should act in keeping with recognized ethical standards for scientific research.

A number of provisions are there in GDPR that apply to health research. One of them is the mandatory additional requirements for health research were brought about through a consultation process between the Minister for Health and the Data Protection Commission, and also GDPR provides that processing for scientific research purposes Regulation for GDPR compliance

The Health Research Regulations 2018

• Outline the mandatory suitable and specific measures for the processing of personal data for the purposes of health research (Regulation 3(1)) * provide a definition of health research for the purposes of the regulation (Regulation 3(2)) * provide for the possibility of applying for a consent declaration for new research (Regulation 5) * provide for transitional arrangements in respect of the granting of consent declarations for health research that is already underway (Regulation 6) * provide for the establishment and operation of a committee of persons to make decisions on applications for consent declarations, including an appeals process (Regulation 7-13 and Schedule) * include a number of miscellaneous provisions (Regulations 14-16)

To the extent that the Regulations are silent on specific aspects of data processing, the GDPR and the Act continue to apply.

One thing is clear that the main aim of GDPR is to encourage innovation, as long as organizations implement the appropriate safeguards.

Gdpr will be affecting all organizations that do business within and outside EU, handling EU information. Under Gdpr, companies are moving away from the legacy systems towards a company-wide approach to the protection of personal data.