Your feedback can help us improve and enhance our services to the public. Tell us what matters to you in our online Customer Satisfaction Survey.
Data protection transparency notice for the Health Research Data Centre.
Under Data Protection legislation, individuals have a number of rights in relation to the personal data an organisation holds about them. The purpose of this notice is to inform you about the data held in the CSO Health Research Data Centre, how these data are handled and what your rights are.
The work of the CSO is carried out under the Statistics Act, 1993 which provides for the collection, compilation and dissemination for statistical purposes of information relating to economic, social and general activities and conditions in the State.
The CSO Data Protection Officer (DPO) is responsible for overseeing questions in relation to this Privacy Statement (contact details below). If you have any questions about this statement, including any request to exercise your legal rights, contact the CSO DPO on
Data Protection Officer,
Central Statistics Office,
Skehard Road,
T12 X00E
Tel: 021-4535000
Email: dpo@cso.ie
In order to support the work of the health research community and thereby to inform evidence-based decision making and service planning, a mechanism is required to facilitate access to the data relevant for health research in a format that is controlled, accessible and usable for approved researchers. This mechanism is provided by the Health Research Data Centre.
The purpose of the Health Research Data Centre is to make individual level administrative and survey datasets available to researchers via the CSO Researcher Microdata Files (RMF) process under Section 20(c) of The Statistics Act, 1993. The provision for researcher access to the Health Research Data Centre follows extensive consultation between CSO, the Health Research Board (HRB), Department of Health (DoH) and the Heath Service Executive (HSE). This consultation led to the establishment of the Research Data Governance Board. No directly identifiable data relating to individuals will be made available to researchers, and no identifiable data will be made available to any stakeholders or other persons by the project team under conditions of Section 34 of the Statistics Act.
The RDGB has been set up as an additional safeguard in the application process to act as a central point for application receipt, screening, review and prioritisation of data requests prior to applications being assessed by the CSO. The RDGB will oversee a transparent process to facilitate secure and controlled access to the data for the purposes of conducting statistical analysis to facilitate research.
Only applications that have been approved by the RDGB and where
is received by the RDGB will be recommended to be reviewed by the CSO.
The CSO will issue final approval for access to relevant data. The data available to researchers will be limited to datasets collected by the CSO only and no external data will be permitted.
All the available data is collected under the Statistics Act, 1993.
The CSO surveys individuals, households, and enterprises throughout the year on topics such as health, employment, well-being, and household finances, so we can all live in an informed society.
The CSO also uses data collected by other Government departments, agencies, and public bodies, known as administrative data.
Access to the Health RDC is restricted to registered researchers from registered research institutions in Ireland.
Information on the registration process is available in Data for Researchers section.
Researchers will also require separate approvals from a Research Ethics Committee, the Research Data Governance Board and the Health Research Consent Declaration Committee before the CSO will consider the application.
In the Health RDC, nearly all variables can be considered to be personal data as they are attributes of individuals or attached to individuals.
The pseudonymisation process applied to the data involves removing personal data such as patient's name, address, date of birth and contact details. All direct identifiers are removed from variables and are replaced with a Protected Identifier Key (PIK) to allow safe linkage across data sources and over time. PIKs use either a randomised lookup table or a salt and hash technique where access to key parts of the pseudonymisation process is closely guarded.
A full list of datasets and associated variable lists available through the Health RDC can be found in the Research Microdata Files (RMFs) register.
All direct identifiers such as names and addresses are removed by CSO. Additionally, once in receipt of HSE data, the CSO converts the identifier numbers in each dataset that remain to a Protected Identifier Key (PIK). The PIK is a unique and non-identifiable number which is internal to the CSO. Using the PIK enables the CSO and approved researchers to link and analyse data for statistical purposes, while protecting the security and confidentiality of the individual data.
Researchers applying to access the Health RDC will go through a robust application process. Separate approvals from a Research Ethics Committee, the Research Data Governance Board and the Health Regulations Consent Declaration Committee will be needed before the CSO will consider the application. The Director General of the CSO will only then make a determination on each application.
The contract that governs the processing of the data by researchers is the RMF Agreement. Researchers agree to abide by the terms and conditions of this agreement. Failure to do so may result in sanctions being applied by CSO.
Approved researchers will access the CSO Researcher Data Portal via a Citrix (secure remote access) connection using a unique username, PIN and password.
The microdata, at all times, remains on a CSO server. When a researcher has completed analysis on data they wish to have exported as an output, they contact the data custodian in CSO. The data custodian then checks that the file contains only non-confidential data before emailing the approved output to the researcher.
The RDP was developed under the headings of the Five Safes:
Personal data means any information relating to a living individual who can be identified, directly or indirectly. It can include a name, an identification number, location data, an online identifier or one or more factors specific to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
Special categories of personal data mean data revealing racial or ethnic origin; political opinions or religious or philosophical beliefs; trade union membership; genetic data; biometric data; data concerning health; individual’s sex life or sexual orientation.
Processing means doing anything with the data, such as storing, accessing, disclosing, destroying or using the data in any way.
Processing of personal health data as contained in the Health RDC is permitted under Article 6.1.e, Article 9.2.i and j of the General Data Protection Regulation (GDPR):
Article 6.1.e
“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
Article 9.2.i
“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal
products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”
Article 9.2.j
“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”
38 (1) a
"The processing of personal data shall be lawful to the extent that such processing is necessary and proportionate for the performance of a function of a controller conferred by or under an enactment or by the Constitution”
41 (1) c
“Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, personal data may be processed, in accordance with Article 89, for statistical purposes”
53
“Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where it is necessary for public interest reasons in the area of public health including—
54. c
“Subject to compliance with section 42, the processing of special categories of personal data is lawful where such processing is necessary and proportionate for statistical purposes.”
CSO is bound by the terms of the Statistics Act, 1993. All researchers approved for access to the Health RDC will be Officers of Statistics under Section 20(c) of the Statistics Act, 1993. Each approved researcher will have signed the Declaration of Secrecy under Section 21 of the Statistics Act, 1993.
The processing of all personal data contained within the Health RDC RMF datasets for health research by RMF researchers must be compliant with the Health Research Regulations, 2018.
As explicit consent from a data subject is a mandatory safeguard under the Health Research Regulations, all RMF researchers must apply to the Health Research Consent Declaration Committee (HRCDC) for a consent declaration where explicit consent of the data subjects is not possible or practicable. A consent declaration shall only be made by the HRCDC for a research study, when it is satisfied that all the data protection safeguards and technical and organisational measures have been met, and the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the individual who owns the personal data.
Access to personal data held in the Health RDC is restricted to nominated CSO staff and to approved researchers.
The General Data Protection Regulation (GDPR) confers the following rights on individuals:
Article 89(2) of the General Data Protection Regulation (GDPR) allows derogations from data subject rights where personal data are processed for scientific/historical research or statistical purposes. These apply in respect of your right of access, right to rectification, right to restriction of processing and right to object, but only where the exercise of these rights is likely to render impossible or seriously impair the achievement of the specific statistical purposes.
Under data protection legislation you have a right to lodge a complaint with the Data Protection Commission if you consider that processing of your personal data is contrary to data protection law. The contact details of the Commission are
By post: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.
By e-mail: info@dataprotection.ie
By phone: 01 7650100 / 1800 437 737
Online: https://www.dataprotection.ie/