DPIA and TIA for Research and Clinical Trials, May 2023

The Beaumont Hospital Data Protection Officer (DPO) and Royal College of Surgeons (RCSI) DPO released a Beaumont Hospital and RCSI DPIA and TIA for Research and Clinical Trials in May 2023. The effect of this is that a Data Protection Impact Assessment and Transfer Impact Assessment can be conducted within the one document.

A DPIA is required if at least two of these 10 criteria are reached:
  1. Evaluation or scoring- especially to do with someone's work performance or health e.g. a biotechnology firm offering genetic testing to customers in order to predict disease/health risks;
  2. Automated-decision making with legal or similar effect - the processing may lead to discrimination or exclusion;
  3. Systematic monitoring - e.g. cctv in a public space;
  4. Sensitive Data- e.g. health data, genetic data and all article 9 special categories of data;
  5. Data Processing on a large scale;
  6. Datasets that have been matched or combined;
  7. Data concerning vulnerable data subjects - power imbalance between data controller and data subject e.g. patients,children, the elderly, employees, persons with disabilities;
  8. Innovative use or applying technological or organisational solutions - e.g. fingerprint or facial recognition;
  9. Data transfer outside the EU;
  10. Where the processing itself prevents a data subject from accessing a service- e.g. credit screening by banks to decide whether to give someone a loan.

In terms of health research, criteria 4 & 7 nearly always apply, and sometimes 1,5 & 9 also.

Beaumont Hospital

As a result,

a DPIA is required in respect of all research and clinical trials taking place in Beaumont Hospital which involve the processing of personal data for health research.
Please see the Beaumont Hospital DPO position on this here

  • Researchers applying for local research ethics committee approval from the local research ethics committee in Beaumont Hospital currently submit the DPIA to the Beaumont Hospital Ethics (Medical Research) Committee as part of the submission process - beaumontethics@rcsi.ie

Submitting a DPIA as part of the submission process to Beaumont REC

Which Article 6 legal basis, and Article 9 condition should I choose in the DPIA?

In cases where Beaumont Hospital is the organisation which is the data controller for a specific research study, the appropriate article 6 legal basis is 'public interest', and the appropriate article 9 condition is 'scientific research purposes'. Beaumont Hospital does not generally use 'consent' as an article 6 legal basis, and does not use 'explicit consent' as an article 9 condition. (There can be exceptions to this however e.g. studies involving automated decision making, including profiling)

For many research studies taking place in Beaumont Hospital, Beaumont Hospital is not in fact the data controller for the research study.

In cases where an organisation other than Beaumont Hospital is the data controller for a specific research study, the data protection officer for the data controller organisation will advise on what article 6 legal basis to rely upon. Public organisations tend to rely on 'public interest' while private organisations often rely on 'legitimate interests.' All organisations can rely on 'scientific research purposes' as an article 9 condition. Very few, if any, organisations seek to rely on 'consent' as an article 6 legal basis, or on 'explicit consent' as an article 9 condition.

Please ensure consistency between the article 6 legal basis and art 9 condition in the DPIA, and bullet point 2, data protection section of the committee template patient information leaflet


North Dublin Mental Health Services

Aislin Centre (acute psychiatry in-patient unit located on the Beaumont Hospital Campus and operated by the HSE)

The HSE Data Protection Officer is the relevant DPO for research taking place in the Aislin Centre (i.e. not the Beaumont Hospital DPO). HSE Researchers applying to a REC, and proposing to conduct in-patient research in the Aislin Centre use the general HSE Privacy Impact Forms part of their submission to a HSE REC. The HSE has a PIA Process Guidance document which might assist - please contact the HSE for these documents.

Beaumont Hospital Ethics (Medical Research) Committee does not review research studies taking place in the Aislin Centre.