Challenges in identifying Data Controllers - dated 25.5.21

The piece is entitled 'Challenges in identifying Data Controllers and Legal Bases and the developing role of hospitals in relation to research and data governance' and is dated 25.5.21

It marks a point in time, three years post-GDPR, in the journey of understanding and implementing GDPR in the area of research.

Always Remember: if you do not understand GDPR, you are not alone!

Beaumont Hospital

This piece is entitled Research and Data Governance in Beaumont Hospital and is dated 31st May 2021.

European Data Protection Board

The European Data Protection Board adopted Guidelines 07/2020 on the concepts of controller and processor in the GDPR on the 7th July 2021.

The examples on pages 22 and 23 are specific to scientific research.

Health Research Executive National Office for Research and Development

The HSE National Office for Research and Development launched the HSE National Framework for the Governance, Management and Support of Research (RGMS)on the 9th September 2021.

These quotes from the framework focus on:

  • data controllers and processors as 'Organisations' as opposed to Individuals
  • data controllers and processors as 'Organisations' as opposed to Employees
  • data controllers and processors as 'Organisations' as opposed to Principal Investigators
  • the sponsor as being the data controller in respect of a clinical trial (NB)

The RGMS Framework builds on the work of Irish Health Research Data Protection Network.

Beaumont Hospital - Step by Step Guides for Researchers

These Step by Step Guides (Pilot Guides) represent the most common study types submitted to the Beaumont Ethics Committee - Step One in each of the guides is to identify the data controller. In line with the HSE RGMS Framework, the data controller should be an organisation as opposed to an individual.

Once you have identified your data controller, the next challenge is to identify the legal basis for processing. If you want to explore this further, in particular, if challenges in other European Member States are of interest, see Panel Discussion - Computer Privacy and Data Protection Conference 2019

The HSE National Office of Research and Development webinar entitled Beginner's guide to completing a DPIA also discusses legal bases.