Challenges in identifying Data Controllers - dated 25.5.21

The piece is entitled 'Challenges in identifying Data Controllers and Legal Bases and the developing role of hospitals in relation to research and data governance' and is dated 25.5.21 (drafted BH Ethics).

It marks a point in time, three years post-GDPR, in the journey of understanding and implementing GDPR in the area of research.

Always Remember: if you do not understand GDPR, you are not alone!

Beaumont Hospital

This piece is entitled 'Research and Data Governance in Beaumont Hospital' and is dated 31.5.21 (drafted BH Ethics).

European Data Protection Board

The European Data Protection Board adopted Guidelines 07/2020 on the concepts of controller and processor in the GDPR (link to EDPB website) on the 7th July 2021.

The examples from pages 22 and 23 of the EDPB Guidelines are specific to scientific research.

Health Research Executive National Office for Research and Development

The HSE National Office for Research and Development launched the HSE National Framework for the Governance, Management and Support of Research (RGMS) on the 9th September 2021 - please contact the HSE for a copy of the framework.

These quotes taken from the framework focus on:

  • data controllers and processors as 'Organisations' as opposed to Individuals
  • data controllers and processors as 'Organisations' as opposed to Employees
  • data controllers and processors as 'Organisations' as opposed to Principal Investigators
  • the sponsor as being the data controller in respect of a clinical trial (NB)

The RGMS Framework builds on the work of the Irish Health Research Data Protection Network.

Beaumont Hospital - Step by Step Guides for Researchers

These Step by Step Guides (drafted BH Ethics, updated June 2024) cover the most common study types submitted to the Beaumont Ethics Committee. Step One in each of the guides is to identify the data controller. In line with the HSE RGMS Framework, the data controller should be an organisation as opposed to an individual.

Once you have identified your data controller, the next challenge is to identify the legal basis for processing.