Beaumont Hospital and RCSI Data Protection Impact Assessment for Research and Clinical Trials, March 2023
The Beaumont Hospital Data Protection Officer (DPO) and Royal College of Surgeons (RCSI) DPO released a Beaumont Hospital and RCSI DPIA for Research and Clinical Trials in March 2023. The effect of this is that Beaumont Hospital and RCSI now use the same template DPIA which will reduce the administative burden on researchers completing the DPIA for both organisations.
This DPIA replaces any previous research-specific DPIAs in use in RCSI and Beaumont Hospital, including Beaumont Hospital DPIA version 7.0, May 2022
A DPIA is required if at least two of these 10 criteria are reached:
Evaluation or scoring- especially to do with someone's work performance or health e.g. a biotechnology firm offering genetic testing to customers in order to predict disease/health risks;
Automated-decision making with legal or similar effect - the processing may lead to discrimination or exclusion;
Systematic monitoring - e.g. cctv in a public space;
Sensitive Data- e.g. health data, genetic data and all article 9 special categories of data;
Data Processing on a large scale;
Datasets that have been matched or combined;
Data concerning vulnerable data subjects - power imbalance between data controller and data subject e.g. patients,children, the elderly, employees, persons with disabilities;
Innovative use or applying technological or organisational solutions - e.g. fingerprint or facial recognition;
Data transfer outside the EU;
Where the processing itself prevents a data subject from accessing a service- e.g. credit screening by banks to decide whether to give someone a loan.
In terms of health research, criteria 4 & 7 nearly always apply, and sometimes 1,5 & 9 also.
As a result,
a DPIA is required in respect of all research and clinical trials taking place in Beaumont Hospital which involve the processing of personal data for health research. Please see the Beaumont Hospital DPO position on this
- Researchers applying for local research ethics committee approval from the local research ethics committee in Beaumont Hospital currently submit the DPIA to the Beaumont Hospital Ethics (Medical Research) Committee as part of the submission process - firstname.lastname@example.org
Submitting a DPIA as part of the submission process to Beaumont REC
Which Article 6 legal basis, and Article 9 condition should I choose in the DPIA?
In cases where Beaumont Hospital is the organisation which is the data controller for a specific research study, the appropriate article 6 legal basis is 'public interest', and the appropriate article 9 condition is 'scientific research purposes'. Beaumont Hospital does not generally use 'consent' as an article 6 legal basis, and does not use 'explicit consent' as an article 9 condition. (There can be exceptions to this however e.g. studies involving automated decision making, including profiling)
For many research studies taking place in Beaumont Hospital, Beaumont Hospital is not in fact the data controller for the research study.
In cases where an organisation other than Beaumont Hospital is the data controller for a specific research study, the data protection officer for the data controller organisation will advise on what article 6 legal basis to rely upon. Public organisations tend to rely on 'public interest' while private organisations often rely on 'legitimate interests.' All organisations can rely on 'scientific research purposes' as an article 9 condition. Very few, if any, organisations seek to rely on 'consent' as an article 6 legal basis, or on 'explicit consent' as an article 9 condition.
Please ensure consistency between the article 6 legal basis and art 9 condition in the DPIA, and bullet point 2, data protection section of the committee template patient information leaflet
North Dublin Mental Health Services
Aislin Centre (acute psychiatry in-patient unit located on the Beaumont Hospital Campus and operated by the HSE)
The HSE Data Protection Officer is the relevant DPO for research taking place in the Aislin Centre (i.e. not the Beaumont Hospital DPO). HSE Researchers applying to a REC, and proposing to conduct in-patient research in the Aislin Centre use the general HSE Privacy Impact Forms part of their submission to a HSE REC. The HSE has a PIA Process Guidance document which might assist - please contact the HSE for these documents.
Beaumont Hospital Ethics (Medical Research) Committee does not review research studies taking place in the Aislin Centre.