NREC - Guidance on Data Protection for Research Purposes for Applicants - published 6 September 2021

The National Office for Research Ethics Committees published Guidance on Data Protection for Research Purposes for Applicants (to the National RECs) on its website on the 6 September 2021.

The following are quotes from the Guidance: -

  1. The NRECs require that DPIAs are submitted with an application for research ethics review. Alternatively, Applicants have the option to submit a statement outlining why a DPIA is not required.
  2. For the purposes of NREC review, the DPIA will need to be completed by the Data Controller of the research study and reviewed by its Data Protection Officer (DPO).
  3. The advice of the DPO must be documented as part of the DPIA process.
  4. The Participant Information Leaflet should include the names and contact details of the Data Controller(s), Data Processor(s) and the DPO associated with the research study.
  5. Where there are Joint Data Controllers, the advice of the DPOs from all of the data controllers is required.
  6. Where the Data Controller is based in a non-EU country, the National Office will accept DPIAs reviewed by a person with equivalent roles and responsibilities to a DPO.
  7. Additionally, where the Data Controller is situated outside Ireland, the National Office strongly advises that the DPO of the lead-Irish based institution should be given the opportunity to review and provide comment on the DPIA to ensure the data protection rights of Irish research participants are safeguarded.
  8. Applicants who require further information on completion of a DPIA, are advised to review the resources available on the Data Protection Commission Website and to consult with their institutional DPO.

Comment: Please note that while the NREC position will become best practice over time, that resources may not currently be available to DPOs in hospitals and universities in order for local (institutional) research ethics committees to adopt this approach straight away. The DPOs in hospitals and universities have many aspects to their role. While their institution may be a 'data controller' in respect of a particular research study, in many cases, it is not. It is often the case that an external data controller is seeking to conduct a study at the hospital or university site.