Skip to main content

Privacy Notice – Research

Privacy Notice – Research

About Children’s Health Ireland

Children’s Health Ireland (CHI) was established under the Children’s Health Act 2018. The objective of CHI is to improve, promote and protect the health, mental health and well-being of children in a manner that embodies the values of child-centred, compassionate and progressive care provided with respect, excellence and integrity.

Key functions of CHI under the 2018 Act are to plan, conduct, maintain, manage, provide and develop paediatric services in the hospital, and to facilitate, foster, promote and carry out research and innovation aimed at improving paediatric services and advancing medical and scientific knowledge relating to paediatric services through research and scientific investigation and inquiry.

Background

This Privacy Notice sets out how CHI processes you / your child’s (“you/your”) personal data in the process of conducting research in its role as a data controller, outlining:

  • What personal data CHI processes as part of its research activities;
  • The purposes for processing;
  • Who data may be shared with;
  • How long data will be retained for;
  • The security in place to protect your personal data;
  • Your rights and how to exercise them.

CHI respects the privacy of our research participants and processes your information in the manner described here and in the individual study information sheets

Page contents

On this page you will find information about:

1.0 Personal data

Personal data means any information that relates to an individual. Through the research we undertake, this can include the processing of personal data such as your age, DOB, contact details, gender, and health information. Some data such as health data, genetic data, racial or ethnic origin are defined as special categories of personal data, requiring additional safeguards to process them. All research projects are different and the information we collect will vary. Your study information sheet should provide additional detail on the types of information that will be processed.

Research data is generally pseudonymised/coded. This process removes directly identifiable data such as your name and replaces it with a code. Linking your name to the code and associated study data can only then be made by specific individuals with authorisation to access the key. Pseudonymised/coded data remains as personal data until the point of anonymisation, where data cannot be linked to the individual it relates to.

Research data can also be anonymised. This means that there is no way to re-identify individuals from the data. Where data is anonymised, it falls outside data protection legislation. This is because it is not possible to identify an individual based on anonymous data.

2.0 How do you use my personal data?

Your personal data (including any pseudonymised/coded data) will be processed for purposes including to:

  • Determine if you are eligible for the research and conduct pre-screening;
  • Carry out the study and process your information in line with the protocol and information sheet;
  • Carry out study support activities, such as arranging medical care and reimbursement of travel costs;
  • Verify that the study is conducted correctly, and that study data are accurate;
  • To collect and manage electronic study data, such as through medical devices and software;
  • Store, process and test biological samples collected from your child during the study;
  • Analyse study data and share findings;
  • Answer questions from government or regulatory agencies;
  • Deliver health and safety reporting;
  • Contact you during and after the study (if necessary);
  • To seek refreshed consent, additional consent, and/or child consent.
  • Inform your doctor and other healthcare professionals of your involvement in, and progress in the study.
  • Store, process and share your information.
  • To use your biological samples and personal data for future research.
  • Follow-up on your health status, including by contacting you through publicly available sources, should the study team be unable to contact you using information held on file.
  • Respond to data protection requests.
  • To anonymise or archive the data or ensure the secure destruction at the end of the research project lifecycle.

Under the GDPR, we must always have a lawful basis for processing personal data. CHI’s lawful basis for processing the personal data of research participants are as follows:

  • You have given explicit consent to the processing of your personal data for one or more specified purposes (Article 6(1)(a) & 9(2)(a) GDPR);
  • Processing is necessary for the performance of a task carried out in the public interest (Article 6(1)(e));
  • Processing is necessary for compliance with a legal obligation (Article 6(1)(c));
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 9(2)(j)).

For health research, CHI is required under Irish Health Research Regulations 2018 to seek your explicit consent to participate in the research. There are some exceptions contained in the Health Research Amendments 2021 to this, such as when CHI is undertaking a low-risk retrospective chart review, on the basis of deferred consent, or where the Irish Health Research Consent Declaration Committee (HRCDC) has issued a consent declaration.

All health research studies conducted in CHI are first reviewed by CHI’s Research Ethics Committee (REC) and in some cases, the National Office for Research Ethics Committees (NREC).

3.0 What are my rights?

Under the GDPR, you have the following rights:

a) The right to be informed about our collection and use of your personal data. This privacy notice and your individual study Participant Information Leaflet (PIL) collectively meets this requirement, but you can always contact us to find out more or to ask any questions using the details in Section 12.0
b) The right to access the personal data we hold about you. Section 10.0 outlines how to exercise this right.
c) The right to have your personal data rectified if inaccurate or incomplete.
d) The right to be forgotten, i.e., the right to request that your personal data are deleted.
e) The right to restrict the processing of your personal data.
f) The right to object to us using your personal data for a particular purpose or purposes.
g) The right to data portability – to transmit your personal data to another data controller, where CHI is processing your information under a specific lawful basis.
h) Right to withdraw your consent
i) The right not to be subject to a decision based solely on automated processing, including profiling, unless certain conditions are met.
j) Right to make a complaint to the Data Protection Commissioner.

Please note: Some restrictions on your rights may apply where the exercise of any of those rights would be likely to render impossible, or seriously impair, CHI’s ability to achieve the purposes of the research. When your personal data has been anonymised, exercising your rights on this information will not be possible as the data can no longer be linked to you. Further, you may not be able to correct certain data e.g., genetic data.

Please contact us using the details in Section 12.0 to exercise your rights or to find out more.

4.0 Research Collaboration

Research has a vital role to play in the development of healthcare and health service delivery. CHI’s hospitals are academic teaching hospitals associated with Trinity College Dublin, University College Dublin, the Royal College of Surgeons, and DCU, all of which we collaborate with in research. CHI also collaborates with other institutions and organisations in research projects. Where there is collaboration in research, more detail can be found in your study’s information leaflet.

5.0 How do we obtain your personal data?

We may obtain your information from a variety of sources, such as directly from you, from health professionals, research coordinators, research collaborators, your medical records, family, parent/guardian, GP, or other parties external to CHI.

6.0 How do you keep my personal data secure and confidential?

We are committed to ensuring that your information is secure with us and with the third parties who act on our behalf. We have a number of safeguards in place to prevent the loss, misuse, alteration, unauthorised access to and disclosure of your personal data. Where appropriate, CHI conducts a Data Protection Impact Assessment (DPIA) on research studies to identify and assess risks and determine appropriate safeguards.

Under data protection law, specific principles govern our use of personal data and our requirement to ensure it is kept safe and secure. Your data may be stored within electronic or paper records, or a combination of both. Examples of safeguards to protect personal data include data encryption, pseudonymisation/coding, anonymisation and restricted access to study participant records. Further, CHI employees have committed themselves to confidentiality contractually and/or are under a statutory obligation of confidentiality.

7.0 How long will you keep my personal data?

CHI retain your personal data for the period required to carry out the function and operational purpose for which it was collected for, and where they have a legal basis to continue processing. Minimum retention periods can be defined by our legal obligations, depending on the type of research being undertaken.

For example, where you participate in a clinical trial, the trial master file containing your personal data is archived for a minimum period of 25 years, as required under clinical trials regulation. Please refer to your study’s information sheet or contact your study doctor for more specific guidance on your study’s retention period.

8.0 Data transfers outside the EEA?

We may transfer, store or otherwise process some or all of your personal data in countries outside of the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). Countries outside the EEA are known as “third countries” and may not have data protection laws that are equivalent to those within the EEA. Where data is transferred to a third country, CHI will take additional steps in order to ensure that your personal data is provided with an adequate level of protection.

Where a country has not been issued with an adequacy decision by the European Commission, CHI use specific contracts with external third parties; Standard Contractual Clauses (SCCs) approved by the European Commission. A copy of our SCCs can be obtained by contacting CHI’s Data Protection Office (Section 12.0). Where SCCs are not used, CHI may rely on another transfer mechanism to facilitate the data transfer.

9.0 Do you share my personal data?

As research often includes collaboration and external expertise, your personal data may be shared with parties outside of CHI. Such data sharing is governed by written contracts to ensure that each party commits to processing your data in line with data protection requirements. Your data may be shared with:

  • • The immediate health research project team who are authorised to work on the project and access the information. This may include staff or collaborators at other organisations authorised to work on the project. This will be clearly identified in your information sheet.
  • Investigating doctors, principal investigators and researcher collaborators (including industry partners).
  • External labs that test research biological samples e.g. blood, saliva.
  • Biobanks for sample storage and future research.
  • Where a student is undertaking the research, the data may be shared with their supervisors or that institution.
  • Medical device or software companies that support the study.
  • Parties auditing the study. Our research may be audited and access to the data may be required. CHI puts in place safeguards to ensure that audits are conducted in a secure and confidential manner.
  • Other collaborators on the study, which can include other hospitals, universities, and private organisations.
  • Third parties to monitor and support the study on our behalf, such as those responsible for organising travel and reimbursement.
  • Governmental agencies for regulatory and supervision purposes.
  • External parties in the case of a legal claim, in complying with our legal obligations, or court order, or the instructions of a government authority.
  • Tusla or Garda Síochána for child protection purposes where allegations of child abuse or neglect arise and relate to a child research participant.
  • Research Funders, sponsors or parties that otherwise supports the research project.
  • Providers hosting applications for CHI. For example, Microsoft hosts REDCap on behalf of CHI. CHI uses REDCap to manage research study data.

To communicate our research to the public and the academic community your anonymised data is likely to form part of a research publication or conference presentation or public talk. Where Researchers wish to use any information that would identify you, CHI will ensure there is a lawful basis today do so e.g., obtaining your explicit consent and ensuring that there are appropriate safeguards put in place to protect your information.

10.0 How can I access my personal data?

If you want to access the personal data that we hold on you, a request can be made in writing and sent to the email or postal addresses shown in Section 12.0.

We will respond to your subject access request within a month. Normally, we aim to provide a complete response, including a copy of your personal data within that timeframe. In some cases, particularly if your request is complex, additional time may be required up to a maximum of three months from the date we receive your request. You will be informed if such an extension is required.

11.0 Withdrawal of your consent at any time

Where CHI has asked for your consent, you can withdraw it at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent. Where that consent was to participate in a research study, CHI may have a lawful basis to continue processing the data that was collected until the point that consent was withdrawn. Withdrawal of consent can be for any or no reason, made at any time, and it will have no effect on your clinical care.

12.0 Contacting us, making a complaint or providing feedback

We hope you have found this privacy notice useful. To provide feedback in relation to any aspect of how CHI has handled your personal information, to exercise your rights, or if you have any questions and/or would like to make a complaint, you can contact our Data Protection Officer by post, email or phone through the contact details below.

CHI has appointed a Data Protection Officer (DPO) to oversee CHI’s compliance with its data protection obligations. If you have questions regarding CHI’s data protection practices, please do not hesitate to contact us as follows:

CHI at Crumlin
Email: dpo@childrenshealthireland.ie
Phone: +353 1 409 6100
Post: Data Protection Officer Children’s Health Ireland (CHI) at Crumlin, Crumlin, D12 N512, Ireland

CHI at Temple Street
Email: dpo@childrenshealthireland.ie
Phone: + 353 1 878 4200
Post: Data Protection Officer Children’s Health Ireland (CHI) at Temple Street, Temple Street, D01 YC67, Ireland

CHI at Tallaght
Email: dpo@childrenshealthireland.ie
Phone: +353 1 409 6100
Post: Data Protection Officer Tallaght University Hospital, Tallaght, Dublin 24 D24 NR0A

CHI at Connolly
Email: dpo@childrenshealthireland.ie
Phone: + 353 1 878 4200
Post: CHI at Connolly, Connolly Hospital, Mill Road, Blanchardstown, Dublin 15, D15 RRN1

13.0 Changes to this privacy notice

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our practices in a way that affects personal data protection. Version: 002 Dated: 04/10/22

Share this page

Sign up for our newsletter