Choosing a course is one of the most important decisions you'll ever make! View our courses and see what our students and lecturers have to say about the courses you are interested in at the links below.
Each year more than 4,000 choose NUI Galway as their University of choice. Find out what life at NUI Galway is all about here.
About NUI Galway
About NUI Galway
Since 1845, NUI Galway has been sharing the highest quality teaching and research with Ireland and the world. Find out what makes our University so special – from our distinguished history to the latest news and campus developments.
Colleges & Schools
Colleges & Schools
NUI Galway has earned international recognition as a research-led university with a commitment to top quality teaching across a range of key areas of expertise.
- Research & Innovation
- Business & Industry
- Alumni, Friends & Supporters
At NUI Galway, we believe that the best learning takes place when you apply what you learn in a real world context. That's why many of our courses include work placements or community projects.
The Health Research Regulations 2018 - The Health Research Regulations 2018 are formally called the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018. The Health Research Regulations 2018 govern the use of personal data for health research purposes. These important new regulations outline mandatory suitable and specific measures that ensure that health research in Ireland is conducted using best practice principles of information governance in line with GDPR requirements. The regulations also introduce for the first time a lawful mechanism that allows the processing of personal data for health research purposes in exceptional circumstances without the explicit consent of the individual concerned. Please note that as part of your Ethic Committee application you will be likely required to complate a Data Protection Impact Assessment.
The following resources will be of use to NUI Galway Health Researchers.
This checklist can be used to ensure your patient consent form is GDPR compliant:Consent Checklist for Health Research
GDPR Information to be included in a Patient Information Leaflet This checklist can be used to ensure your Patient Information leaflet has all the necessary detail to be GDPR compliant. It also contains the principles(with some modifications) of the Department of Health Information Principles.
You must carry out in writing an assessment of the data protection implications of the health research. Where the assessment carried out indicates a high risk to the rights and freedoms of individuals you must complete a data protection impact assessment using this template: NUI Galway Data Protection Impact Assessment Template
Health Research falls under scientific research in the GDPR where it is not defined. Health Research is defined for the purposes of the Health Research Regulations 2018 in Regulation 3(2): http://www.irishstatutebook.ie/eli/2018/si/314/made/en/pdf “health research” means any of the following scientific research for the purpose of human health:
(i) research with the goal of understanding normal and abnormal functioning, at molecular, cellular, organ system and whole body levels;
(ii) research that is specifically concerned with innovative strategies, devices, products or services for the diagnosis, treatment or prevention of human disease or injury;
(iii) research with the goal of improving the diagnosis and treatment (including the rehabilitation and palliation) of human disease and injury and of improving the health and quality of life of individuals;
(iv) research with the goal of improving the efficiency and effectiveness of health professionals and the health care system;
(v) research with the goal of improving the health of the population as a whole or any part of the population through a better understanding of the ways in which social, cultural, environmental, occupational and economic factors determine health status;
Health research referred to in clause (i) to (v) of subparagraph (a) above may include action taken to establish whether an individual may be suitable for inclusion in the research.
Consent - A project proposing to process personal data for health research purposes requires the explicit consent of any individual (data subject) whose data he or she is proposing to process and in order that such consent should be valid and lawful it must be (a) informed and (b) appropriately recorded (thereby making it explicit).
Consent is defined in Article 4 of the General Data Protection Regulation (GDPR)- ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Informed consent means just that: namely that the individual concerned has enough information provided to him to her to allow them to make an informed decision. It is also important that they are allowed sufficient time to digest and assess that information before being expected to make a decision. Most importantly, they must be assured: (a) that consent is freely given and voluntary (and even if initially given can be subsequently withdrawn), (b) that only the minimum amount of personal data necessary for the study is being sought, and (c) that a decision not to consent will not impact on any care or treatment they receive.
Please carefully review the following HRB Guidance Note regarding consent for Health Research Projects: https://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research/consent/ . Please in particular if you have an existing research project satisfy yourself that your "consent" obtained meets the required standard(see further details below).
What are “Suitable and Specific Measures”? Regulation 3(1)(a)-(e) of the Health Research Regulations 2018 specifies the mandatory "suitable and specific measures" that must be taken when the processing of personal data (including health data) is undertaken for the purposes of health research specifically.
3. (1) A controller who is processing or further processing personal data for the purposes of health research shall ensure that the following suitable and specific measures are taken to safeguard the fundamental rights and freedoms of the data subject:
(a) arrangements are in place so that personal data shall be processed as is necessary to achieve the objective of the health research and shall not be processed in such a way that damage or distress is, or is likely to be, caused to the data subject;
(b) appropriate governance structures for the carrying out of the health research are in place, including— (i) ethical approval of the health research by a research ethics committee, (ii) specification of the controller involved, (iii) in the case of joint controllers within the meaning of Article 26, compliance with Article 26, (iv) specification of any data processors involved, (v) specification of any person who provides funding for, or otherwise supports, the project, (vi) specification of any person (other than a person in clause (iii) or (iv)) with whom it is intended to share any of the personal data collected (including where it has been pseudonymised or anonymised) and the purpose of such sharing, (vii) provision of training in data protection law and practice to those individuals involved in carrying out the health research;
(c) the following processes and procedures relating to the management and conduct of the health research are in place: (i) the carrying out of an assessment of the data protection implications of the health research; (ii) where the assessment carried out under clause (i) indicates a high risk to the rights and freedoms of individuals, the carrying out of a data protection impact assessment; (iii) measures that demonstrate compliance with the data minimisation principle; (iv) controls to limit access to the personal data undergoing processing in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data; (v) controls to log whether and by whom personal data have been consulted, altered, disclosed or erased; (vi) measures to protect the security of the personal data concerned; (vii) arrangements to anonymise, archive or destroy personal data once the health research has been completed; (viii) other technical and organisational measures designed to ensure that processing is carried out in accordance with the Data Protection Regulation, together with processes for testing and evaluating the effectiveness of such measures;
(d) arrangements to ensure that personal data are processed in a transparent manner are identified and in place; (e) explicit consent has been obtained from the data subject, prior to the commencement of the health research, for the processing of his or her personal data for the purpose of specified health research, either in relation to a particular area or more generally in that area or a related area of health research, or part thereof.
Please for further guidance see the Health Research Board GDPR Guide for Researchers which provides an invaluable video briefing, further explanation of terms and a Frequently Asked Questions Section: https://www.hrb.ie/funding/gdpr-guidance-for-researchers/gdpr-and-health-research
Health Research Regulations 2018, Regulations 5(2) and 6(5)
When might a consent declaration apply?
A researcher may apply for a declaration that explicit consent is not required if:
- the public interest of the research significantly outweighs the public interest in requiring the explicit consent of the individual whose data is being processed (Regulation 5(1))
Please see the Health Research Consent Declaration Committee website for details of how to make an application: HRCDC | Transparency – Confidence – Trust
Please note the following amendendments have been made and must also be considered:HRCDC | NEW: Amendments made to the Health Research Regulations - HRCDC