Louise O'Reilly (Dublin Fingal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

696. To ask the Minister for Health further to Parliamentary Question No. 1129 of 23 July 2019, if the issue of informed consent regarding genetic material and data has been addressed in respect of the transfer of data to a company (details supplied). [11479/20]

Simon Harris (Wicklow, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The Data Protection Commission is the statutory body charged with responsibility to ensure protection of data subjects’ rights and compliance by data controllers with data protection law in this country, including the Health Research Regulations.

In line with established international best practice on informed consent in health research, the Regulations require any data controller, in the private or public sector, proposing to process personal data for health research to obtain the explicit consent of the individuals concerned.  Explicit consent is informed consent that is recorded and documented.

As with other countries, the Regulations provide for a clearly defined and limited statutory consent declaration process. The process, which  emerged after extensive engagement with the Data Protection Commission, enables a data controller proposing to carry out health research using personal data to apply for a consent declaration which means that the consent of the individual is not required for the obtaining and use of his or her personal information for the health research concerned.

To be successful, the applicant must be able to demonstrate to the independent Health Research Consent Declaration Committee or Appeal Panel that the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the data subject, that it would not be feasible to obtain such consent and that the applicant is willing to ensure a wide range of specified safeguards will be put in place, including carrying out a full Data Protection Impact Assessment, securing ethical approval from a research ethics committee and having a lawful basis for carrying out the research.

As a further safeguard, the Regulations contain an express provision stating that there will be no disclosure of the personal data obtained by a person with a consent declaration unless that disclosure is required by law or the data subject has given his or her explicit consent to the disclosure.  That provision is purposely designed to stop data controllers who obtain a consent declaration from revealing, including by way of selling, any personal data they have obtained as a result of the declaration.

The company referred to in the question is a commercial R&D genomics company.  Given the role and responsibilities of the Data Protection Commission it is not for the Minister to assess data protection matters relating to it except to say that the same data protection rules apply to it as apply to other data controllers when it comes to meeting the requirements of the Health Research Regulations.