Under Data Protection legislation, individuals have a number of rights in relation to the personal data an organisation holds about them. The purpose of this notice is to inform you about the data held in the CSO COVID-19 data research hub, how these data are handled and what your rights are.
The work of the CSO is carried out under the Statistics Act, 1993 which provides for the collection, compilation and dissemination for statistical purposes of information relating to economic, social and general activities and conditions in the State.
The CSO Data Protection Officer (DPO) is responsible for overseeing questions in relation to this Privacy Statement (contact details below). If you have any questions about this statement, including any request to exercise your legal rights, please contact or send them to the CSO DPO:
The contact details for the CSO DPO are:
Data Protection Officer,
Central Statistics Office,
Skehard Road,
T12 X00E
Tel: 021-4535000
Email: dpo@cso.ie
In order to support the work of the research community in the area of COVID-19 related research and thereby to inform evidence-based decision making during this period of national emergency, a mechanism is required to facilitate the compilation of relevant COVID-19 health data in a format that is controlled, accessible and usable for approved researchers. This mechanism is the CSO COVID-19 data research hub.
The purpose of the CSO COVID-19 data research hub is to make individual level administrative COVID-19 datasets available to researchers via the CSO Researcher Microdata Files (RMF) process under Section 20(c) of The Statistics Act, 1993. The datasets within the hub contain individual level data on those who have been diagnosed with Covid-19, been referred for testing, been treated in hospital for Covid-19 or have been identified as being a close contact of a confirmed case. The provision for researcher access to the CSO COVID-19 data research hub follows extensive consultation between CSO, the Health Research Board (HRB), Department of Health (DoH) and the Heath Service Executive (HSE). This consultation led to the establishment of the Research Data Governance Board. No directly identifiable data relating to individuals will be made available to researchers, and no identifiable data will be made available to any stakeholders or other persons by the project team under conditions of Section 34 of the Statistics Act.
The RDGB has been set up as an additional safeguard in the application process to act as a central point for application receipt, screening, review and prioritisation of data requests prior to applications being assessed by the CSO. The RDGB will oversee a transparent process to facilitate secure and controlled access to the data for the purposes of conducting statistical analysis to facilitate research.
Only applications that have been approved by the RDGB and where
is received by the RDGB will be recommended to be reviewed by the CSO.
The CSO will issue final approval for access to relevant COVID-19 health data. The data available to researchers will be limited to datasets provided to CSO in the context of the Ministerial release letter for COVID-19 analysis.
Please also see: https://www.hrb.ie/
Under Section 31 of the Statistics Act 1993 (http://www.irishstatutebook.ie/eli/1993/act/21/enacted/en/html ), the CSO first consulted with the HSE in March 2020 for the purpose of assessing the potential of the records of the HSE as a source of statistical information. The CSO examined the information provided by the HSE and identified the initial subsets of HSE data.
The Director General of the CSO then formally requested the HSE, in accordance with Section 30 of the Statistics Act, 1993, to provide the datasets it sought. The Director General also sought the agreement of the Minister for Health that his request, and any subsequent requests, could apply to medical records which are not publicly available. This was a requirement of Section 30.2(b) of the Statistics Act, 1993. The Minister gave his agreement for granting access to the Central Statistics Office to data sources that will support the analysis of Covid-19 related issues in writing to the DG on 31st March, 2020.
The CSO is the Data Controller for the HSE data that is transferred to the CSO.
Access to the CSO COVID-19 data research hub is restricted to registered researchers from registered research institutions in Ireland, are permitted to apply for access to these data.
Information on the registration process is available on the following page:
https://www.cso.ie/en/aboutus/lgdp/csodatapolicies/dataforresearchers/
Researchers will also require separate approvals from a Research Ethics Committee, the Research Data Governance Board and the Health Regulations Consent Declaration Committee before the CSO will consider the application.
The following datasets are available for research purposes:
A21 – Swiftqueue |
HSE Coronavirus Assessments, Test Referrals and Facilities data |
Hospital Cases |
Recorded Hospital Cases as a result of Covid-19 |
CIDR - HSE Computerised Infectious Disease Reporting System |
Register of confirmed positive cases notified to Health Protection Surveillance Centre (HPSC) |
HIPE - Hospital Inpatient Discharge Data |
Detailed information with respect to admissions and discharges from the HIPE system |
NOCA - National Office of Clinical Audit Intensive Care Unit Data |
|
CCT - Covid Care Tracker data |
The underlying C19 patient management system developed by the HSE system to manage the pandemic emergency |
COVID-19 Vaccine data |
|
A21 – SwiftQueue
This is the HSE system for managing referrals for tests or assessments. The cohort relates to persons that have been referred by a GP or public health clinician or occupational health clinician for testing or assessment based on criteria which may change from time to time. Relates to people who:
There are four primary SwiftQueue data extracts.
Hospital Cases - Recorded Hospital Cases as a result of COVID-19.
This dataset is hospital management level data and contains no individual level patient data.
Computerised Infectious Disease Record (CIDR)
CIDR contains the register of confirmed positive cases notified to Health Protection Surveillance Centre (HPSC).
Currently there are 5 data extracts.
Hospital InPatient Enquiry (HIPE)
Contains detailed information with respect to admissions and discharges from the HIPE system.
NOCA - National Office of Clinical Audit Intensive Care Unit Data
This dataset does not contain personal data.
Covid Care Tracker (CCT)
This is effectively the underlying C19 patient management system developed by the HSE system to manage the pandemic emergency.
The cohort relates to persons who:
The entry route of a person onto the CCT system is as follows:
The nine data extracts are as follows
COVID-19 vaccine data
With regard to the prospective data flow 'Vaccination Information Data - Record of vaccinations administered for COVID-19', the CSO are currently developing the data transfer timeline with the HSE.
For completeness and transparency, the CSO are including this prospective data flow in both the DPIA and transparency notice.
In the CSO COVID-19 data research hub, all variables can be considered to be personal data as they are attributes of individuals or attached to individuals.
The pseudonymisation process involves removing personal data such as patient's name, address, date of birth and contact details. All direct identifiers are removed from variables and are replaced with a Protected Identifier Key (PIK) to allow safe linkage across data sources and over time. To compensate for the lack of a standard common identifier on all health records and all data sources, a new PIK variable has been created combining the patient's date of birth and surname to enhance data linkage using PIKs. PIKs use either a randomised lookup table or a salt and hash technique where access to key parts of the pseudonymisation process is closely guarded.
A full variable list of each dataset in the CSO COVID-19 data research hub can be found in the COVID-19 data register:
https://www.cso.ie/en/aboutus/lgdp/csodatapolicies/dataforresearchers/rmfregister/
Pseudonymisation of personal identifiers
All direct identifiers such as names and addresses are removed by CSO. Additionally, once in receipt of HSE data, the CSO converts the identifier numbers in each dataset that remain to a Protected Identifier Key (PIK). The PIK is a unique and non-identifiable number which is internal to the CSO. Using the PIK enables the CSO and approved researchers to link and analyse data for statistical purposes, while protecting the security and confidentiality of the individual data.
Approval Process
Researchers applying to access the CSO COVID-19 data research hub will go through a robust application process. Separate approvals from a Research Ethics Committee, the Research Data Governance Board and the Health Regulations Consent Declaration Committee will be needed before the CSO will consider the application. The Director General of the CSO will only then make a determination on each application.
Access Security
The contract that governs the processing of the data by researchers is the RMF Agreement. Researchers agree to abide by the terms and conditions of this agreement. Failure to do so may result in sanctions being applied by CSO. Approved researchers will access the CSO Researcher Data Portal via a Citrix (secure remote access) connection using a unique username, PIN and password.
The microdata, at all times, remains on a CSO server. When a researcher has completed analysis on data they wish to have exported as an output, they contact the data custodian in CSO. The data custodian then checks that the file contains only non-confidential data before emailing the approved output to the researcher.
The RDP was developed under the headings of the Five Safes:
Personal data means any information relating to a living individual who can be identified, directly or indirectly. It can include a name, an identification number, location data, an online identifier or one or more factors specific to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
Special categories of personal data mean data revealing racial or ethnic origin; political opinions or religious or philosophical beliefs; trade union membership; genetic data; biometric data; data concerning health; individual’s sex life or sexual orientation.
Processing means doing anything with the data, such as storing, accessing, disclosing, destroying or using the data in any way.
Processing of personal health data as contained in the CSO COVID-19 data research hub is permitted under Article 6.1.e, Article 9.2.i and j of the General Data Protection Regulation (GDPR):
Article 6.1.e:
“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
Article 9.2.i:
“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”
Article 9.2.j
“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”
Processing of personal health data as contained in the COVID-19 Data Flows is also permitted under Sections 38.1.a, 42.1.c, 53 and 54.c of the Data Protection Act 2018 i.e.
38. (1) a
“The processing of personal data shall be lawful to the extent that such processing is necessary and proportionate for the performance of a function of a controller conferred by or under an enactment or by the Constitution”
41. (1) c
“Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, personal data may be processed, in accordance with Article 89, for statistical purposes”
53.
“Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where it is necessary for public interest reasons in the area of public health including—
(a) protecting against serious cross-border threats to health, and
(b) ensuring high standards of quality and safety of health care and of medicinal products and medical devices.”
54. c
“Subject to compliance with section 42, the processing of special categories of personal data is lawful where such processing is necessary and proportionate for statistical purposes.”
CSO is bound by the terms of the Statistics Act, 1993. All researchers approved for access to the CSO COVID-19 data research hub will be Officers of Statistics under Section 20(c) of the Statistics Act, 1993. Each approved researcher will have signed the Declaration of Secrecy under Section 21 of the Statistics Act, 1993.
The processing of all personal data contained within the COVID-19 RMF datasets for health research by RMF researchers must be compliant with the Health Research Regulations (DATA PROTECTION ACT 2018 (SECTION 36(2) HEALTH RESEARCH) REGULATIONS 2018).
As explicit consent from a data subject is a mandatory safeguard under the Health Research Regulations, all RMF researchers must apply to the Health Research Consent Declaration Committee (HRCDC) for a consent declaration where explicit consent of the data subjects is not possible or practicable. A consent declaration shall only be made by the HRCDC for a research study, when it is satisfied that all the data protection safeguards and technical and organisational measures have been met, and the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the individual who owns the personal data.
Access to personal data held in the CSO COVID-19 data research hub is restricted to nominated CSO staff and to approved researchers.
There will be a post pandemic review which may make certain recommendations regarding the duration of the data storage element regarding COVID-19 related data sources.
The General Data Protection Regulation (GDPR) confers the following rights on individuals:
Article 89(2) of the General Data Protection Regulation (GDPR) allows derogations from data subject rights where personal data are processed for scientific/historical research or statistical purposes. These apply in respect of your right of access, right to rectification, right to restriction of processing and right to object, but only where the exercise of these rights is likely to render impossible or seriously impair the achievement of the specific statistical purposes.
Under data protection legislation you have a right to lodge a complaint with the Data Protection Commission if you consider that processing of your personal data is contrary to data protection law. The contact details of the Commission are
By post: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.
By e-mail: info@dataprotection.ie
By phone: 01 7650100 / 1800 437 737
Online: https://www.dataprotection.ie/