Róisín Shortall (Dublin North West, Social Democrats)
Link to this: Individually | In context | Oireachtas source

840. To ask the Minister for Health further to Parliamentary Question No. 515 of 23 June 2020, if he is considering amending the health research regulations for the processing of personal data in emergency care situations; if so, if a commercial company retains ownership of a person's personal data until such a time as the person concerned has the capacity to give or refuse such consent; and if regulations are in place to prevent private companies using or transmitting this personal data until consent is obtained in these circumstances [14413/20]

Stephen Donnelly (Wicklow, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

It is my intention to amend the Health Research Regulations with regard to emergency care intervention in line with the answer given by the previous Minister for Health to Parliamentary Question No. 515 of 23 June 2020. The amendment has been the subject of consultation with the Data Protection Commission and those working in the emergency care area.

Data protection law does not deal with ownership of personal data. The General Data Protection Regulation, the Data Protection Act 2018 and the Health Research Regulations are concerned with data controllers -including joint data controllers- who determines the purposes and means of the processing of personal data.

The Health Research Regulations apply with equal force to public bodies and private sector commercial entities. The intended amendment in emergency care situations is limited, qualified and specific. It will make clear that it applies only in exceptional circumstances, where the principal purpose of the processing or further processing of the personal data by a controller is necessary for the provision of health care to an individual and to protect the vital interests of the individual, and where the individual is, by reason of his or her physical or mental incapacity, incapable of giving consent at that time.

In that very defined situation, the personal data may also be processed by the controller for a related health research purpose, where that health research has been approved by a research ethics committee.

In those circumstances, the requirement for explicit consent under the Health Research Regulations is not removed or waived but deferred until such time as the individual concerned has the capacity to give or refuse such consent and the hospital will be explicitly required to inform the individual as soon as practicable that the personal data is being processed for research. I intend to also ensure that the amendment will require the individual to be told of any persons that the data controller has shared his or her personal data with.

This amendment brings emergency care research in Ireland in line with the prevailing ethical and regulatory practices internationally and will provide consistency and clarity for all involved.

It is important to note that under GDPR and data protection law generally that the same rules and principles apply to the private commercial companies as apply to public bodies. When it comes to health research, the reality is that much health research in the EU, including Ireland, is collaborative between hospitals, academic institutions and industry. That collaboration is important as each partner brings a distinct value added to the research. All of them must comply with all legal requirements including data protection requirements and where they do not meet their data protection obligations it is a matter for the Data Protection Commission.

Róisín Shortall (Dublin North West, Social Democrats)
Link to this: Individually | In context | Oireachtas source

841. To ask the Minister for Health further to Parliamentary Question No. 516 of 23 June 2020, the measures his Department is taking to safeguard the rights and interests of data subjects and to create a robust governance structure in line with general data protection regulation, particularly in cases in which access to data will be determined by a commercial entity; and the instruments in place to grant data subjects their right to information and access with regard to their personal data. [14414/20]

Stephen Donnelly (Wicklow, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

The General Data Protection Regulation sets out the principles governing the processing of personal data, the obligations on data controllers and data processors in relation to their processing of personal data and the rights of data subjects in relation to their personal data, including rights to information about the processing of their personal data and access to it. The Data Protection Act 2018 gave further effect to those principles, obligations and rights. In the area of processing personal data for health research, the previous Minister for Health made Regulations setting out suitable and specific safeguards for data subjects in relation to such processing.

Data controllers, whether they are public bodies or private commercial companies, must meet their obligations which includes ensuring that individuals can exercise their data protection rights.

Compliance with data protection law is a matter for the Data Protection Commission and any specific concerns with compliance in respect of any aspect or any data controller should be brought to the attention of the Commission.