Post on 07-Jul-2020

Page 1:   · Web viewUnder GDPR, and the 2018 Health Research Regulations, the University has a legal obligation to perform a DPIA where a health research project (hereinafter referred to

Data Protection Impact Assessment for Health Research

Purpose

The primary purpose of a Data Protection Impact Assessment (DPIA) is to identify whether what is being proposed gives rise to any high risks, from a data privacy perspective, to the rights and freedoms of an individual(s), to document those risks and to mitigate them where possible.

Health Research

Under GDPR, and the 2018 Health Research Regulations, the University has a legal obligation to perform a DPIA where a health research project (hereinafter referred to as ‘Project’) is to be conducted and it is possible that such research may give rise to high risks where there is an intention to collect, create or use personal data. If it is not possible to mitigate a project’s data protection risks to an acceptable level, then the intended project may have to be substantially altered, or even discontinued. For guidance on whether a project falls under the definition of ‘Health Research’ see the Appendix to this DPIA.

Instructions

The first step in the DPIA process is to complete a ‘Screening Questionnaire’ and have it assessed by the Data Protection Unit (DPU). Where on review of that questionnaire it is then considered necessary to proceed to a DPIA for Health Research, the second step in the process is to complete this DPIA in Microsoft Word format, return it to the DPU for assessment and await feedback before beginning to collect or process any personal data as part of the project. Please complete sections (A), (B) & (C) in full. Do not leave blank spaces. If a section or question is not relevant or applicable then state ‘N/a’. Once complete, this DPIA in Microsoft Word format, along with any additional documentation you feel relevant, is to be returned to the DPU at this email address - [email protected]. The DPU will then assess the DPIA, document the risks in section (D) and advise you of its recommendations, which may entail changes to the project.

Responsibility

Where a DPIA for Health Research is deemed necessary, it is the responsibility of the Principal Investigator to ensure that the DPIA is completed and returned to the DPU for assessment. The actual completion of the DPIA may be delegated to another member of the research team, who is familiar with the project and who also ideally has an understanding of the law regarding personal data and good data management practices.


While the DPU will assist with queries on the completion of a DPIA, you are encouraged in the first instance to also seek the advice of the GDPR Data Advocate for your unit, a list of whom can be obtained from the DPU Webpage. Ideally, all relevant stakeholders involved in the project should also be consulted where appropriate when completing the DPIA to ensure it is comprehensive and accurate. Additional guidance on personal data protection matters and health research can be found at the two external links below.

1) Health Research Board – Guidance for Health Researchers

2) Health Research Consent Declaration Committee

When to do a DPIA

If a DPIA is deemed necessary by the DPU then its completion should take place as early as possible in the life cycle of the project, once the project parameters are known and crucially before any personal data is collected or processed (to comply with the GDPR Principle of ‘Data Privacy by Design’). The DPIA should be completed in advance of applying for funding as there may be substantial financial costs in complying with good data governance and GDPR that should be factored into the application.

What happens to a completed DPIA?

The DPU will consider the risks highlighted by the DPIA and, if appropriate, provide you with recommendations to be incorporated into the project. The final DPIA is to be held with the project’s records and a copy will be retained by the DPU.

Other points to note

1) Freedom of Information (FOI): DCU is subject to FOI legislation. This DPIA, like all records of the University, may be subject to an FOI request.

2) Changes to a project: If there are any material changes to the project as it progresses there may be a need to revise the DPIA. Should this arise please consult with the DPU.

3) Text in italics: Throughout this DPIA any text in italics is provided to assist and guide you in answering the questions asked.

4) Screening Questionnaire: When completing any section in this DPIA you are free to re-enter any details or information already noted in the separate screening questionnaire where completed in line with step # 1 of the DPIA process.

1 | P a g e


Contents

A) Project Details ... 3

B) Health Research ... 5

C) Project Management ... 5

1) Organisations involved in the project ... 5

2) Governance ... 7

3) Funding ... 8

4) People ... 8

5) Project Purpose ... 11

6) Data Types ... 13

7) Data Formats ... 15

8) Lawfulness of processing ... 16

9) Special categories of personal data ... 21

10) Transparency ... 24

11) Re-use of existing data ... 26

12) Accuracy ... 26

13) Necessity ... 27

14) Data Security ... 29

15) Retention ... 34

16) Rights of the data subjects ... 35

17) Participant Information ... 37

18) Locations ... 37

19) Overview of the data flows during the lifetime of the project ... 39

D) RISK ASSESSMENT & MITIGATION ... 39

E) DISCLAIMER ... 41

F) Version Control ... 41

A) PROJECT DETAILS

Ref | Detail Required | Answer

1 Project Title

2 Name of Principal Investigator Name: DCU Unit:

3 Your own details Name: Position / Title: DCU Unit:

4 Date of completion of this DPIA

5 Why, in your opinion, do you believe a DPIA for Health Research is needed for this project?

Reasons might be:

a) the completion of the Step # 1 Screening Questionnaire indicated a DPIA for health research is necessary as this project qualifies as ‘Health Research’ (a list of indicators of health research is provided in the Appendix to this DPIA);

b) my Unit’s GDPR Data Advocate, or the Data Protection Unit (DPU), requested it;

c) this research project is similar to existing processing carried out by the research team and as such it is understood that for similar reasons the research falls under the definition of ‘high risk’ processing;

d) relevant sections of the ‘Health Research Board - Guidance for Health Researchers’ are quoted in support of the decision to carry out a DPIA;

e) Other?

6 Please confirm whether you have attended or taken:

a) the ‘Introduction to Data Protection for Staff’ training session provided by the DPU;

or

b) the online ‘Data Protection for Staff’ course which is available through DCU Loop;

or

c) any other form of personal data protection training (please elaborate).

Yes / No (Delete as appropriate)

When?

7 When is work on the project likely to begin?

8 When is the project expected to be completed?


B) HEALTH RESEARCH

Health research involving personal data is a specific category of data processing that requires particular scrutiny and compliance with Health Research Regulations. To assist in determining whether the project qualifies as health research please consider the indicators in the table below.

Indicator of health research Yes / No

(i) research with the goal of understanding normal and abnormal functioning, at molecular, cellular, organ system and whole body levels;

(ii) research that is specifically concerned with innovative strategies, devices, products or services for the diagnosis, treatment or prevention of human disease or injury;

(iii) research with the goal of improving the diagnosis and treatment (including the rehabilitation and palliation) of human disease and injury and of improving the health and quality of life of individuals;

(iv) research with the goal of improving the efficiency and effectiveness of health professionals and the health care system;

(v) research with the goal of improving the health of the population as a whole or any part of the population through a better understanding of the ways in which social, cultural, environmental, occupational and economic factors determine health status;

Section 3(2) (b) Health research referred to in clause (i) to (v) of subparagraph (a) may include action taken to establish whether an individual may be suitable for inclusion in the research.

C) PROJECT MANAGEMENT

1) Organisations involved in the project

Which organisation(s) are the ‘Data Controllers’ in this project?

Data Controllers have responsibility for, and an influence over, the ‘purposes and means’ of the processing of the personal data.

Please list all controllers involved, including the relevant DCU School / Unit / Research Centre.

Which organisation(s) are ‘Data Processors’? ‘Data Processors’ are external entities that process personal data under strict instruction from the ‘Data Controller’.

Please list all Processors involved.

Are there agreements in place between all of the Controllers?

If yes, please list the ones that are in place.

If no, please state why agreements are not in place.

Y / N


Are Controller-Processor contracts in place?

Such contracts are binding legal agreements between the organisation(s) in control and the organisation(s) working under instructions.

If yes, please list the ones that are in place.

If no, please state why agreements are absent.

Y / N

Which of the following sectors are involved in the project?

☐ Academic ☐ Not-for-profit / voluntary

☐ Commercial ☐ Other, please state

2) Governance

Does the project have a Governance Committee?

If yes, please describe it.

If not, why was a committee not established?

If the project has several organisations that share responsibility for the personal data in the project, which governance committees in each organisation make decisions relating to the risk profile of the project?

Please list individually.

Has everyone processing personal data for the project taken data protection training? Yes ☐ No ☐

If yes, do you have documentation that they have done training? Yes ☐ No ☐

Is a specific person responsible for making sure everyone is trained in data protection?

If yes, who?

3) Funding

Who or what entity/entities are funding this project?

Please list all and specify if funding is external or internal.

Is your funder actively involved in the project?

4) People

Who leads the project, who is the primary PI?

(Please indicate if more than one affiliation)

Name | Affiliation 1 | Role in organisation | Affiliation 2 | Role in organisation

If the PI/ project leader has more than one affiliation, which affiliation is associated with this project and in what role?

Who else has a key role in the project?

Name | Role in project | Affiliation | Role in organisation

Who else has a key role in the project?

Name | Role in project | Affiliation | Role in organisation

Please copy and paste boxes above as required.

For clinical settings: who in the hospital has authorised the collection of personal data for use in this project?

Name Affiliation Role in organisation

For clinical settings: who will collect the personal data?

Name Affiliation Role Location

For clinical settings: who will inform patients / participants about the details of the project and collect consent forms?

Name | Affiliation | Role | Location

Who is part of the lead research team that will process the personal data?

Job Function Affiliation Role in project

Please expand the table above as required.

Whose name is given to participants / patients as a contact for queries and Data Access Requests?

Name | Role in project | Affiliation | Role in organisation

Name | Role in project | Affiliation | Role in organisation

Outside of those named above, who else do you intend sharing the personal data in the project with?

Name | Connection to project | Affiliation | Role in organisation

Outside of those named above, who else do you intend sharing the personal data in the project with?

Name | Connection to project | Affiliation | Role in organisation

Please copy and paste boxes above as required.

How would you describe your patient / participant cohort(s)?

Cross section of general public ☐ Vulnerable adults ☐

Children ☐ Other, please state

What is the size of your cohort(s)?

How often will you engage with your cohort?

Will you engage with your cohort directly or via another party, e.g. their GP?

5) Project Purpose

Note: the establishment of a legal basis on which to process the personal data involved in the project will be addressed in Section # 8 below. This section (# 5) deals with the Project’s purpose(s) only.

What does the project try to achieve and what will be the benefits of the project?

Please give short description of approx. 150 words.


What insights does the project aim to gain?

Please give short description of approx. 100 words.

Which of the statement(s) or purposes listed below are correct (i.e. adequately describe) the reason for the processing of personal data in the project?

Please confirm all that apply based on supporting evidence.

The project is based on consent, where the individual has given clear consent for us to process their personal data for this specific purpose as stated in the PIL or participant information.

The project is based on a contract we have with the participant(s) and the processing is necessary for us to fulfil the contract we have with the individual, or because they have asked us to take specific steps before entering into a contract with us.

The project is undertaken because of a legal obligation we have. The processing is necessary for us to comply with the law (not including contractual legal obligations with the individual(s)).

The project is undertaken because the lead organisation fulfils a public task that has a clear basis in law. The processing is necessary for us to perform a task in the public interest or for our official function bestowed upon us by the State.

The project is based on the legitimate interests of our organisation or a third party. The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides our legitimate interests.

(Note: The basis of ‘legitimate interest’ cannot be applied in the case of DCU if, as a public authority, it is processing data to perform its official tasks. See Section # 8 for additional guidance.)

Which of the statement(s) below are correct (i.e. adequately describe) the reasons for the processing of biometric, health, lifestyle, genetic, ethnic and racial origin, or sexual orientation personal data (i.e. designated as ‘special data’) in the project?

The condition or basis under which we process special category data in our project are: (tick one that applies)


Explicit, unambiguous and documented consent of participants / patients to use their personal data for a defined, specified purpose only has been received. ☐

Reasons of substantial public interest (with a basis in law) ☐

Archiving, research and statistics (with a basis in law) ☐

6) Data Types

What types of data will you collect directly from the participant or patient?

E.g. names, addresses, phone numbers, lifestyle data, other.

Please list all types.

If you collect biological samples, please list those as well.

Will the data collected directly from individuals include one or more of the categories below?

o Personal data revealing racial or ethnic origin

o Political opinions

o Religious or philosophical beliefs

o Trade union membership

o Genetic data and biometric data

o Data concerning health

o Data concerning sex life or sexual orientation


Please list all types applicable.

What types of data will you collect from other sources?

E.g. names, addresses, phone numbers, lifestyle data, other.

If you collect biological samples, please list those as well.

Type of data | Source of data | Existing | Newly collected

Will the data collected from other sources include one or more of the categories below?

o Personal data revealing racial or ethnic origin

o Political opinions

o Religious or philosophical beliefs

o Trade union membership

o Genetic data and biometric data

o Data concerning health

o Data concerning sex life or sexual orientation

Type of special category personal data | Source of special category personal data

What type of processing will you undertake?

Electronic Paper-based


Please list / detail as appropriate.

7) Data Formats

What formats will the data in your project have over the course of the project?

E.g. paper format, audio recordings, videos, medical data, text in digital format, samples, other.

Please list all formats.

Overview of formats of the data

At point of collection | When shared with others | When used by the project | After the project ended

At what stage in the project will the data be -

Anonymised? Pseudonymised? Fully identifiable?

Who is responsible for anonymizing personal data?

Name | Time point in project

Affiliation | Method used

Who is responsible for pseudonymizing personal data?

Name Project stage

Affiliation Method used

If your project has a data master list linking fully identifiable personal data to their de-identified equivalent, who has access to this list?

Name | Affiliation | List kept in

Name | Affiliation | List kept in

Please copy and paste boxes above as required.

8) Lawfulness of processing To legally process personal data, a legal basis upon which to do so must be established. This section deals with establishing the relevant legal basis to be invoked and, as such, it is a separate and distinct section from Section # 5 above which dealt with establishing the purpose of processing the data.

There must be at least one legal basis established for processing personal data. However, when processing ‘Special’ or ‘Sensitive’ personal data an additional legitimizing condition, from a prescribed list, is required. Without one of those conditions being met then the processing of special or sensitive data is expressly prohibited under law. The available legitimizing conditions for the processing of special or sensitive data are addressed in Section # 9. This section (i.e. # 8) deals exclusively with establishing a legal basis for processing personal data and its completion is mandatory.

From the panel options listed below at (A) to (G) select the applicable legal bases you believe are appropriate for the personal data to be processed or used in the project by selecting ‘Yes’ or ‘No’. Where you have selected ‘Yes’, indicate in the ‘Additional Comments’ panel why you have done so.

Note: Under Regulation 3 (1) (e) of the 2018 Health Research Regulations obtaining ‘Explicit Informed Consent’ <i.e. option (A) below> for health research purposes is mandatory. Guidance on ‘Explicit Informed Consent’ can be obtained at this link. In panel (A) you should indicate how the explicit and informed consent from the research participants for this project will be obtained. Where it cannot be obtained for whatever reason you have the option of applying to an external body known as the Health Research Consent Declaration Committee for what is known as ‘Consent Declaration’.

Applicable Legal Basis Yes No Additional Comments

A) Explicit & Informed Consent < GDPR Art. 6 (1) (a) & GDPR Art. 9 (2) (a) >

The project is based on the informed, explicit, unambiguous, freely given and documented consent of the individual(s) concerned to have their personal data used for a defined and specified purpose only.

Note: This is the most likely basis to be used for DCU Health Research and is mandatory under the 2018 Health Regulations.

Explicit consent should be the default position for all health research. However in some instances consent may not be possible. If it cannot be obtained you need to explain why.

The purpose of the project is usually stated by means of a ‘Data Privacy Notice’ or ‘Plain Language Statement’ and consent is documented via a ‘Consent Form’. Please note that where consent is used it also means that consent can be withdrawn at any time. If so, all processing of personal data obtained under consent must cease.

B) Performance of a task in the Public Interest, Health Related < GDPR Art. 6 (1) (e) >

It is our view that the public’s interest in carrying out the Health Research significantly outweighs the public interest in seeking explicit consent.

Note: This basis will be rarely, if ever, used in DCU for Health Research as processing based on explicit consent, as per (A) above is the default basis.

If it is not possible to obtain explicit informed consent then the basis of ‘Public Interest’ may be used provided you have obtained a Public Interest Waiver from the Health Research Consent Declaration Committee (HRCDC).

Have you done so?

C) Contractual necessity < GDPR Art. 6 (1) (b) >

The project is being undertaken based upon a contract with the individual(s) and the processing is necessary to fulfil the terms of that contract e.g. Employment Contract.

Note: This basis will be rarely, if ever, used in DCU for Health Research.

D) Legal obligation < GDPR Art. 6 (1) (c) >

The project is being undertaken because of a legal obligation on the University.


Note: This basis will be rarely, if ever, used in DCU for Health Research.

An example would be to comply with legislation such as payroll taxes or health and safety law.

E) Performance of a task in the Public Interest Non-Health Related < GDPR Art. 6 (1) (e) >

The project is being undertaken so that the University can perform a task in the public interest or because of an official function bestowed on the University by the State.

Note: This basis will be rarely, if ever, used in DCU for Health Research.

An example would be non-health related research, as provided for under the Universities Act 1997.

F) Legitimate Interest < GDPR Art. 6 (1) (f) >

The project is being undertaken based upon a legitimate interest of the University and is necessary to perform that interest.

Note: This basis will be rarely, if ever, used in DCU for Health Research.

This is because a public body such as DCU cannot use ‘legitimate interest’ to process personal data if the data is being processed in regard to one of its ‘Official Tasks’. There are however exceptions - see further guidance at this link.

G) Vital Interests < GDPR Art. 6 (1) (d) >

The project is being undertaken to protect the ‘Vital Interests’ of an individual or group of individuals i.e. to protect their lives and / or to prevent harm to their wellbeing.

Note: This basis will be rarely, if ever, used in DCU for Health Research.

This basis should not be used if another more applicable basis may do so. The processing must be necessary as opposed to optional. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply. You cannot rely on the basis of ‘vital interest’ for health data, or any other special category data, if the individual is capable of giving consent, even if they refuse their consent. If you rely on this basis document the circumstances where it will be relevant and ensure you can justify your reasoning.

9) Special categories of personal data

Where ‘Special’ or ‘Sensitive’ personal data is to be processed, in addition to invoking at least one of the mandatory legal bases set out in the panels above in Section # 8, one of the legitimizing conditions set out below must also be invoked. The ones listed are the most likely to arise in a university context, but there are others (see Article # 9 of GDPR). Please select the legitimizing condition you believe is appropriate for the special personal data to be processed by the project by selecting ‘Yes’ or ‘No’ from the options listed below in sections (A) to (D). Where you have selected ‘Yes’, indicate in the ‘Additional Comments’ panel why you have done so.

‘Special’ or ‘Sensitive’ personal data is defined as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Applicable Legitimizing Condition Yes No Additional Comments

A) Public Interest in the Area of Public Health < GDPR Art. 9 (2) (i) >

If it is not possible to obtain explicit informed consent then the basis of ‘Public Interest’ may be used provided you have obtained a Public Interest Waiver from the Health Research Consent Declaration Committee (HRCDC).

Have you done so?

Examples are protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, which has a basis in law which provides for suitable and specific measures to safeguard the rights and freedoms of the Data Subject.

Recital 54 of GDPR states that “public health” is to be interpreted as per Regulation (EC) No 1338/2008, which defines “public health” as “all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality”.

An additional strong argument can be made based on Recital 53 of GDPR (i.e. “personal data …should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular … for scientific research purposes”), that processing of Special data in a clinical trial context generally serves the public interest in areas of public health by advancing medical research. While the definition of “public health” refers broadly to “all elements related to health”, it can be assumed that most health trials would specifically address “health status”, “the determinants having an effect on… health status”, “health care needs” and “the causes of mortality”.

B) Substantial Public Interest, based in law < GDPR Art. 9 (2) (g) >

The project is being undertaken for reasons of substantial public interest, which has a basis in law.

C) Manifestly Made Public < GDPR Art. 9 (2) (e) >

The processing relates to personal data which has been manifestly made public by the individual(s) to whom it belongs.

D) The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. < GDPR Art. 9 (2) (j) >

E) The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law. < GDPR Art. 9 (2) (h) >

F) Other

See the list of other available conditions under Section 9 of GDPR which may be used at this link. Select the one you believe is appropriate to this research project and explain why.

10) Transparency

How will the individuals, whose data is to be processed by project, be made aware of the intended processing?

Individuals must be informed as to how their data is to be processed. This may be achieved by setting out basic information such as the identity of the parties who carry out the processing (e.g. DCU, research partners, service providers etc.) and the purposes of the processing. In a health research project this can be achieved by use of a ‘Consent Form’ in combination with a ‘Plain Language Statement’ or a ‘Participant Information Statement’. In other cases a ‘Data Privacy Notice’ or ‘Data Protection Statement’ may be provided.

Please provide copies of the communication, in whatever format, which has or will be provided to the individuals whose data will be used in the project.

Will the data be shared with, or processed by, a third party? If yes please list all parties involved.

In this context a third party is any party other than DCU and the individual or organisation that will provide the data to be used in the project. Typical examples are other collaborators in a research context, or where any element of the data processing is to be outsourced (e.g. the storage of data in a cloud provider, using translation services, etc.).

Yes / No (Delete as appropriate)

The third parties involved in the project are:

Where the data is to be shared or processed by a third party have the individuals who own the data been informed of this intention?

If not, why were they not informed?

Please provide copies of the communication, in whatever format, which has or will be provided to the individuals.

Yes / No (Delete as appropriate)

Is it likely or possible that the individuals to whom the data belongs would be surprised to know that their data is to be processed by the project for the reasons, or in the manner, stated?

Yes / No (Delete as appropriate)

Have the DCU members of staff who will be involved in the project received or taken any recent training in data privacy or GDPR?

Training can be provided by DPU on request or alternatively the staff may access the online Data Protection Course for Staff available on Loop.

Yes / No (Delete as appropriate)

11) Re-use of existing data

Will the project reuse data already available, to hand or originally obtained for another purpose?

This question is relevant for all projects but especially so in the case of research proposals which intend to reuse data for new research.

Yes / No (Delete as appropriate)

The project will:


If the answer to the above is yes, for what purpose was the data originally obtained?

Will the project combine two or more anonymous (or pseudo-anonymous) datasets in such a way as to create a new dataset containing information about individuals that can no longer be considered anonymous?

In effect you will be creating, by ‘Reverse Engineering’, a new dataset of personal data as opposed to merely one with information that cannot be linked to a living individual i.e. it is no longer ‘fully anonymous’.

12) Accuracy

How will the project ensure that the personal data being used is reasonably accurate and up to date?

Relevant matters to consider are whether the data is being obtained from individuals directly or through an intermediate party, whether existing datasets are being reused, and/or the length of time between the original data collection and its processing within the intended project.

Briefly describe the consequences, for both the individuals who own the data and the University, if the data to be used in the project is found to be out of date or inaccurate.

Consider whether it will cause any financial, reputational or social harm to the individual or the University.

Potential consequences for an individual:

Potential consequences for the University:

13) Necessity

Is it essential to the project that it obtains and/or processes all of the categories of personal data as listed in your answers to the ‘Data Types’ section # 6 above?

It may be the case that some or all of the data can be fully anonymised before use by the project without substantially affecting the aim or purpose of the project.

Yes / No (Delete as appropriate)

Where any element of the processing of data is being outsourced to an external party have you considered whether this service can be provided by DCU instead?

Yes / No (Delete as appropriate)

Will information about individuals be disclosed to organisations or people who have not previously had routine access to that information?

This could be the case where the project requires the services of an external agent or organisation to assist in the processing of personal data in any way.

Yes / No (Delete as appropriate)

In preparing this DPIA did you consult with the relevant project stakeholders and who were they?

Internal examples in a DCU context might be a Unit/School GDPR Data Advocate, ISS or Finance Procurement, or Research Support.

External examples might be any 3rd party processors, research collaborators, the Irish Data Protection Commissioner or the Health Research Board.

Yes / No (Delete as appropriate)

The project’s stakeholders are:

Are the project’s stakeholders (e.g. the individuals who own the data, plus any other third parties) likely to have any privacy concerns about the project?

Please elaborate on why you believe ‘Yes’ or ‘No’ is the appropriate answer to the above question.

Yes / No (Delete as appropriate)

The reason being:

14) Data Security

What measures are in place to ensure the security of personal data, and specimen (if applicable), at the point of collection?


Please specify measures in place for paper based and electronic data.

What measures are in place to limit access to the personal data undergoing processing in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data?

Please specify measures in place for paper based and electronic data.

What measures are in place to log whether, and by whom, personal data has been consulted, altered, disclosed or erased?

Please specify measures in place for paper based and electronic data.

What protocols and measures are in place to ensure the security of personal data, and specimen (if applicable), while in transit?

Please specify individually.

What measures are in place to protect personal data when stored?

a) In electronic format
b) In paper format

Protection means safeguarding the data from accidental or malicious loss, destruction, alteration, damage or the publication/disclosure of the data without authorisation.

Typical measures include:

- Pseudonymisation of the data
- Encryption of devices used to store or transmit data
- Access controls to the data
- Hierarchy of access depending upon degree of sensitivity of data
- Data sharing restrictions
- Project team training in data protection
- Regular & tested backups of the data

Do you have a protocol and system for identifying and tracking where electronic personal data in your project are processed? Is the processing restricted to a small number of dedicated devices?

If yes, please describe.

How do you determine that the systems you use to process electronic data are secure to a degree appropriate to the risks associated with the data?

What is the affiliation and professional expertise of the person confirming the appropriateness of your electronic security measures?

Do you have a protocol and system for identifying and tracking where paper based personal data and biological samples in your project are processed?

If yes, please describe.

What protocols and requirements are in place for electronic data transfers?

- For IT Security of wireless transfers
- For authorising transfers by key people
- For assessing the security measures of recipients
- For having appropriate contracts in place

Please describe all that apply.

Do you have criteria in place that regulate who will be authorised to access the data?

Please briefly describe the rationale for these criteria and who approves the decision.

Do you have protocols in place for what happens to the data if a team member leaves the team?

Do you have a system in place that tracks the following?

- Data origin/source
- Data sharing
- Purpose of sharing
- Contractual arrangements
- Locations of data

If yes, please give details

Will the project expose the personal data to an unusual level of security risk?

Examples include:

- processing or transfer of data while using unencrypted devices
- data being shared with another unit of the University for any purpose.

Yes / No (Delete as appropriate)

If ‘Yes’ please elaborate on the nature of the risks:

If, as part of the project, the data is to be processed or shared outside of the University, has a ‘Data Processing (or Sharing) Agreement’ been put in place with that external party?

The DPU can be contacted to advise on the appropriate form of agreement to put in place, should one be necessary.

Yes / No / Not Applicable (Delete as appropriate)

If ‘Yes’ please elaborate on the nature of the relationship:

Will the project involve the sharing or processing of personal data outside the EU or the EEA?

Yes / No (Delete as appropriate)

If ‘Yes’ please list each country where the personal data will be shared/processed:


E.g. the data being transferred / shared with a party outside of the EU or the EEA (the European Economic Area, i.e. the EU plus Norway, Liechtenstein and Iceland).

Does your project include the use of an app or other new technology?

Please give details.

If your project uses an app or other new technology, has it been tested for potentially ‘leaking’ personal data without people realising it? If yes, state by whom.

Does your app or technology have an EU recognised certification or approved standard?

If yes, please give details.

15) Retention

What are the retention periods for the different types, formats of data or biological specimen and what is the rationale for the retention period?

In general, personal data may only be held by the University for so long as it has a use or purpose (which must be the same as the one for which the data was originally obtained). There are exceptions to this general principle which the DPU can advise on.

Data type | Retention period/criteria | Rationale for retention period

What plans do you have in place to delete or erase the personal data used by the project once its retention period has been exceeded?

The means of erasing or deleting the data will depend upon the medium in which it is held e.g. hard copy (paper) or electronic (e.g. on an IT system). It may also be possible to fully anonymise the data at the end of the retention period as an alternative to deleting it.

Data type per format | Intended process/method | Responsible function or person

Who is in charge of assuring that the data or samples are disposed of, or archived, as prescribed?

Data type per format | Intended process/method | Responsible function or person

16) Rights of the data subjects

Please describe the arrangements within the project to cater for the following legal rights of the individuals who own the data:

- Right to a copy of their data (aka. ‘Data Access Request’)
- Right to correct errors within the data
- Right to erase their data on request
- Right to object to processing of their data (where based on consent or legitimate or public interest)
- Right to have their data transferred to another organisation (aka. ‘Data Portability’)
- Right to object to profiling or automated decision-making

While the above are legal rights, they are not absolute. There are exceptions to some which the DPU can advise on.

Will the data processing in itself prevent individuals from exercising a right under GDPR, or from using a service, or exercising a contract?


a) An example could be a large-scale or extensive processing operation (e.g. CCTV) which aims to process a considerable amount of personal data at a regional, national or supranational level which could affect a large number of data subjects and which is likely to result in a high risk to their rights and freedoms.

or

b) It could also include data processed for taking decisions regarding individuals following a systematic and extensive evaluation of the personal aspects relating to them based on profiling - especially of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures.

17) Participant Information

Does your participant / patient information contain the following?

Please tick all that apply.

☐ Has the research participant given an unambiguous indication of her/his wishes?
☐ Has the consent been freely given?
☐ Have you ensured that there is no imbalance of power when seeking consent?
☐ Have you made the request for consent prominent and separate from your other documents?
☐ Have you included the purpose of each of the processing operations for which consent is sought?
☐ Where multiple purposes exist in the research project, have you given separate distinct (‘granular’) options to consent separately to different purposes and types of processing?
☐ Have you included what (type of) data will be collected and used?
☐ Have you informed participants of all organisations that have decision making influence over the use of the data they provide to the project?
☐ Have you provided a full list of the categories of recipients of their personal data, including service providers, to allow individuals to genuinely understand the processing operations at hand?
☐ If applicable: Have you included information about the use of the data for automated decision-making?
☐ If applicable: Have you included information on the possible risks of data transfers outside the EEA due to absence of an adequacy decision and of appropriate safeguards?
☐ Can individuals refuse to consent without detriment?
☐ Has the option to withdraw consent been communicated to the data subject?
☐ Have you used clear, plain language that is easy to understand?
☐ Can you demonstrate that consent has been actively given?

18) Locations

Is this a multi-site project? Yes ☐ How many sites are involved?

If it is a multi-site project, is there a main site or are all sites equally important?

Where is the personal data collected? Please list all collection points.

Where is the personal data analysed or assessed in the context of the project? Please list all locations.

Where is the personal data stored? Please list all device, processing and repository locations, including any server locations if cloud providers are used.

Are personal data shared with collaborators, processors or other stakeholders based outside the European Economic Area (EEA) or in a country without an adequacy decision?

If yes, please list all that apply.


If personal data is transferred or otherwise accessible to stakeholders outside the EEA, what data protection mechanisms for international data transfers are in place?

Please list all that apply.

If personal data is transferred or otherwise accessible to stakeholders outside the EEA, do your patients / participants know and do you have their explicit consent to do this?

19) Overview of the data flows during the lifetime of the project

Purpose | Organisation | Location | Shared? Yes ☐ | If shared, who with?

1 Data collection
2
3
4
5
6
7

Please expand the table above as required.


D) RISK ASSESSMENT & MITIGATION

This section is for completion by the DCU Data Protection Unit.

This section summarises the significant data protection risks of the project as identified by the DPU after its review of sections (A), (B) & (C) above. As already stated the primary purpose of the DPIA is to identify and mitigate the data protection risks related to a project. Such risks may relate to the rights of a Data Subject as well as non-compliance with data protection legislation in general. Where a risk is identified an assessment of its potential likelihood and impact is made to determine whether the risk is high, medium or low after consideration of any identified controls or solutions already implemented (i.e. a residual risk model) within the project.

Where, in the opinion of the DPU, additional controls or solutions are required for each risk these tailored recommendations are to be documented and communicated back to the Project Lead (i.e. the Principal Investigator) for incorporation into the project plan. Where the recommendations are not accepted by the Project Lead, the DPU must document this and have the Lead explain why.

Ref | Identified Risk | Potential Impact (Note 1) | Potential Likelihood (Note 1) | Risk Weighting H/M/L (Note 2) | DPU Recommendations

1
2
3
4
5
6
7
8
9
10

Note 1 – Key to Impact & Likelihood

Level | Impact | Likelihood
1 | Minor | Rare
2 | Limited | Unlikely
3 | Serious | Possible
4 | Very Serious | Likely
5 | Catastrophic | Occurring or almost certain to occur

Note 2 – Key to Risk Weighting

The risk weighting value is obtained by multiplying the value for ‘Impact’ by the value for ‘Likelihood’. This results in a range of 1 – 25 and the key below determines whether the risk is to be rated as High, Medium or Low.

Range | Priority
16 – 25 | High
8 – 15 | Medium
1 – 7 | Low

DPU Staff Member Sign Off

Reviewed By | Date of review | Did the DPO review and approve (Yes or No) | Did the Principal Investigator (PI) accept recommendations?


E) DISCLAIMER

The material contained in this DPIA is for general information purposes only and does not constitute legal advice. It is not intended to provide a comprehensive or detailed statement of the law pertaining to Data Privacy. No liability whatsoever is accepted by Dublin City University for any action taken or not taken in reliance on the information contained in this DPIA. You should not act, or refrain from acting, on the basis of information provided in this DPIA. You should always seek specific legal or professional advice. Any and all information in this DPIA is subject to change without notice.

F) VERSION CONTROL

Document Name | DPIA for Health Research
Version Reference | V1.0
Authors | Data Protection Co-ordinator & Risk & Compliance Officer
Approved by | Data Protection Officer
Date | 11th June 2020

End.
