By Janet Messer
It’s only one month now until the General Data Protection Regulation comes into force on 25 May 2018. When the legislation was being developed there were concerns that health and care research would be badly affected. In fact, because of input from the research community explaining the existing protections and arrangements for research, the legislation will have only limited implications for health and care research. However, some of the details of the requirements for research have only recently become clear because they had to be set out in national legislation – and the Data Protection Act 2018 is still completing its passage through Parliament. So getting information out to you is still a work in progress.
We have already published information interpreting the legislation and setting out operational arrangements to support the transition to the new legislation. With one month to go, we have updated that guidance, which you can read here. We’ve simplified the information for organisations to help those responsible for corporate arrangements to understand the specific aspects relating to research, and added more detail to the operational guidance.
Importantly we’ve published recommended text to be provided for research participants to ensure they have the required information about processing of personal data for research studies they are invited to participate in, or are already participating in. We’ve tried to keep the process for achieving compliance with the new legislation as simple as possible. By providing you with standard text you can bring existing studies in line without needing to submit amendments for approval or re-consent participants. And new studies can simply include the standard text as part of the participant materials you include in your application.
Our operational guidance is aimed at chief investigators and sponsors, but it is important for those delivering and supporting studies at sites to be aware of the guidance too as they will be providing information to participants.
Our updated guidance includes explanation of the following topics based on feedback and queries:
- why consent is not an appropriate legal basis for processing personal data in research, and how this is distinct from consent to participate in research and other legal, common law and ethical reasons for
- why the research sponsor acts as controller in relation to processing of personal data, and the role of care organisations either as processors for the sponsor in relation to research, or separately as controllers in their own right for processing of personal data for care
- data subject rights, and exemptions that may be applied in research settings
- the distinction between obtaining personal data directly from participants, and indirectly via a third party - and possible exemptions from transparency requirements that may apply when information is obtained indirectly from third parties
There are a few areas we are still working on – so please hold on before doing anything that you might need to unpick. These are:
- Guidance and standard text where personal data is being transferred outside the EEA
- Handling of consent-for-consent registers (where patients sign up to be informed about research studies) and other arrangements for inviting potential participants
- Guidance for handling personal data of research
- Arrangements for putting in place or updating agreements between controllers and processors
We are also developing a new template that will enable applicants to undertake a risk assessment of impact on privacy for new studies, to enable sponsors to have a documented record of the compliance arrangements. This is intended to avoid sponsors and participating sites developing lots of different forms for researchers to complete.
We know that others are providing guidance and support to the research community, like the MRC Regulatory Support Unit and the Information Governance Alliance, so please make use of their resources too. If you have any queries once you have read the guidance, please contact us at email@example.com.