Back to Top

 Skip navigation

Central Statistics Office (CSO)

Data protection transparency notice for

The CSO COVID-19 data research hub

Purpose

Under Data Protection legislation, individuals have a number of rights in relation to the personal data an organisation holds about them. The purpose of this notice is to inform you about the data held in the CSO COVID-19 data research hub, how these data are handled and what your rights are.

Who we are and how to contact us

The work of the CSO is carried out under the Statistics Act, 1993 which provides for the collection, compilation and dissemination for statistical purposes of information relating to economic, social and general activities and conditions in the State. 

The CSO Data Protection Officer (DPO) is responsible for overseeing questions in relation to this Privacy Statement (contact details below).  If you have any questions about this statement, including any request to exercise your legal rights, please contact or send them to the CSO DPO: 

The contact details for the CSO DPO are:

Data Protection Officer,

Central Statistics Office,

Skehard Road,

T12 X00E

Tel: 021-4535000

Email: dpo@cso.ie

What is the CSO COVID-19 data research hub?

In order to support the work of the research community in the area of COVID-19 related research and thereby to inform evidence-based decision making during this period of national emergency, a mechanism is required to facilitate the compilation of relevant COVID-19 health data in a format that is controlled, accessible and usable for approved researchers. This mechanism is the CSO COVID-19 data research hub.

The purpose of the CSO COVID-19 data research hub is to make individual level administrative COVID-19 datasets available to researchers via the CSO Researcher Microdata Files (RMF) process under Section 20(c) of The Statistics Act, 1993. The datasets within the hub contain individual level data on those who have been diagnosed with Covid-19, been referred for testing, been treated in hospital for Covid-19 or have been identified as being a close contact of a confirmed case. The provision for researcher access to the CSO COVID-19 data research hub follows extensive consultation between CSO, the Health Research Board (HRB), Department of Health (DoH) and the Heath Service Executive (HSE). This consultation led to the establishment of the Research Data Governance Board. No directly identifiable data relating to individuals will be made available to researchers, and no identifiable data will be made available to any stakeholders or other persons by the project team under conditions of Section 34 of the Statistics Act.

What is the Research Data Governance Board (RDGB)?

The RDGB has been set up as an additional safeguard in the application process to act as a central point for application receipt, screening, review and prioritisation of data requests prior to applications being assessed by the CSO. The RDGB will oversee a transparent process to facilitate secure and controlled access to the data for the purposes of conducting statistical analysis to facilitate research.

Only applications that have been approved by the RDGB and where

  1. Evidence of Research Ethics Committee (REC) approval and
  2. Health Research Consent Declaration Committee (HRCDC; www.hrcdc.ie) approval

is received by the RDGB will be recommended to be reviewed by the CSO.

The CSO will issue final approval for access to relevant COVID-19 health data. The data available to researchers will be limited to datasets provided to CSO in the context of the Ministerial release letter for COVID-19 analysis.

Please also see: https://www.hrb.ie/

How are these data collected?

Under Section 31 of the Statistics Act 1993 (http://www.irishstatutebook.ie/eli/1993/act/21/enacted/en/html ), the CSO first consulted with the HSE in March 2020 for the purpose of assessing the potential of the records of the HSE as a source of statistical information. The CSO examined the information provided by the HSE and identified the initial subsets of HSE data.

The Director General of the CSO then formally requested the HSE, in accordance with Section 30 of the Statistics Act, 1993, to provide the datasets it sought. The Director General also sought the agreement of the Minister for Health that his request, and any subsequent requests, could apply to medical records which are not publicly available. This was a requirement of Section 30.2(b) of the Statistics Act, 1993. The Minister gave his agreement for granting access to the Central Statistics Office to data sources that will support the analysis of Covid-19 related issues in writing to the DG on 31st March, 2020.

The CSO is the Data Controller for the HSE data that is transferred to the CSO.

Who can apply for access to the CSO COVID-19 data research hub?

Access to the CSO COVID-19 data research hub is restricted to registered researchers from registered research institutions in Ireland, are permitted to apply for access to these data.

Information on the registration process is available on the following page:

https://www.cso.ie/en/aboutus/lgdp/csodatapolicies/dataforresearchers/

Researchers will also require separate approvals from a Research Ethics Committee, the Research Data Governance Board and the Health Regulations Consent Declaration Committee before the CSO will consider the application.

What datasets are accessible to researchers in the CSO COVID-19 data research hub?

The following datasets are available for research purposes:

A21 – Swiftqueue

HSE Coronavirus Assessments, Test Referrals and Facilities data

Hospital Cases

Recorded Hospital Cases as a result of Covid-19

CIDR - HSE Computerised Infectious Disease Reporting System

Register of confirmed positive cases notified to Health Protection Surveillance Centre (HPSC)

HIPE - Hospital Inpatient Discharge Data

Detailed information with respect to admissions and discharges from the HIPE system

NOCA - National Office of Clinical Audit Intensive Care Unit Data

 

SBAR - Situation, Background, Assessment, Recommendation. Shift handover data

 

CCT - Covid Care Tracker data

The underlying C19 patient management system developed by the HSE system to manage the pandemic emergency

COVID-19 Vaccine data

 

A21 – SwiftQueue

This is the HSE system for managing referrals for tests or assessments. The cohort relates to persons that have been referred by a GP or public health clinician or occupational health clinician for testing or assessment based on criteria which may change from time to time. Relates to people who:

  • are referred by GP or GP out of hours or public health clinician for testing at a Test Centre or assessment at an Assessment Hub; or
  • are resident in a nursing home and referred by a public health clinician for testing in the nursing home; or
  • are referred by an occupational health service for testing at a Test Centre.

There are four primary SwiftQueue data extracts.

  • Assessment hub referrals and appointments
  • Test centre referrals and appointments
  • Assessment hub details
  • Test Centre details

Hospital Cases - Recorded Hospital Cases as a result of COVID-19.

This dataset is hospital management level data and contains no individual level patient data.

Computerised Infectious Disease Record (CIDR)

CIDR contains the register of confirmed positive cases notified to Health Protection Surveillance Centre (HPSC).

Currently there are 5 data extracts.

  • CORE
  • ENHANCED
  • ICU
  • HIU
  • OUTBREAKS

Hospital InPatient Enquiry (HIPE)

Contains detailed information with respect to admissions and discharges from the HIPE system.

NOCA - National Office of Clinical Audit Intensive Care Unit Data

This dataset does not contain personal data.

SBAR - Situation, Background, Assessment, Recommendation. Shift handover data

This dataset does not contain personal data.

Covid Care Tracker (CCT)

This is effectively the underlying C19 patient management system developed by the HSE system to manage the pandemic emergency.

The cohort relates to persons who:

  • are awaiting a C19 laboratory test SwiftQueue appointment following an eReferral, or
  • have a Laboratory test result uploaded to CCT without a SwiftQueue appointment
  • are symptomatic, or who feel they may have C19, and:
    • Have had an Assessment Hub appointment and Ambulatory Assessment following an eReferral, or
    • Have had an admission for C19 to an acute hospital or isolation facility [or in the future an intermediate care facility], or
    • Have had a congregated residential setting C19 episode

The entry route of a person onto the CCT system is as follows:

  • SwiftQueue Test Centre or nursing home testing appointment or Assessment Hub appointment, viaHealthlink eReferral
  • Automated registration on CCT from a bulk upload of laboratory results (patients who have not come via the SwiftQueue route – e.g. Acute Hospital inpatients)
  • Manual registration by user on CCT in these scenarios:
    • Registering contact as patient
    • Phone call to HSE live
    • Admission to Acute Hospital
    • Admission to Isolation Facility
    • Start of Congregated Residential Setting C19 episode

The nine data extracts are as follows

  • Patient
  • Case
  • Assessment
  • Contacts
  • Admission/Discharge (Hospital)
  • Ambulatory Assessment
  • Positive Patient Assessment
  • Negative Patient Tests

COVID-19 vaccine data

With regard to the prospective data flow 'Vaccination Information Data - Record of vaccinations administered for COVID-19', the CSO are currently developing the data transfer timeline with the HSE.

For completeness and transparency, the CSO are including this prospective data flow in both the DPIA and transparency notice.

What personal data is held in the CSO COVID-19 data research hub?

In the CSO COVID-19 data research hub, all variables can be considered to be personal data as they are attributes of individuals or attached to individuals.

The pseudonymisation process involves removing personal data such as patient's name, address, date of birth and contact details. All direct identifiers are removed from variables and are replaced with a Protected Identifier Key (PIK) to allow safe linkage across data sources and over time. To compensate for the lack of a standard common identifier on all health records and all data sources, a new PIK variable has been created combining the patient's date of birth and surname to enhance data linkage using PIKs.  PIKs use either a randomised lookup table or a salt and hash technique where access to key parts of the pseudonymisation process is closely guarded.

A full variable list of each dataset in the CSO COVID-19 data research hub can be found in the COVID-19 data register:

https://www.cso.ie/en/aboutus/lgdp/csodatapolicies/dataforresearchers/rmfregister/

What is being done to protect data subjects’ privacy and confidentiality?

Pseudonymisation of personal identifiers

All direct identifiers such as names and addresses are removed by CSO. Additionally, once in receipt of HSE data, the CSO converts the identifier numbers in each dataset that remain to a Protected Identifier Key (PIK). The PIK is a unique and non-identifiable number which is internal to the CSO. Using the PIK enables the CSO and approved researchers to link and analyse data for statistical purposes, while protecting the security and confidentiality of the individual data.

Approval Process

Researchers applying to access the CSO COVID-19 data research hub will go through a robust application process. Separate approvals from a Research Ethics Committee, the Research Data Governance Board and the Health Regulations Consent Declaration Committee will be needed before the CSO will consider the application. The Director General of the CSO will only then make a determination on each application.

Access Security

The contract that governs the processing of the data by researchers is the RMF Agreement. Researchers agree to abide by the terms and conditions of this agreement. Failure to do so may result in sanctions being applied by CSO. Approved researchers will access the CSO Researcher Data Portal via a Citrix (secure remote access) connection using a unique username, PIN and password.

The microdata, at all times, remains on a CSO server. When a researcher has completed analysis on data they wish to have exported as an output, they contact the data custodian in CSO. The data custodian then checks that the file contains only non-confidential data before emailing the approved output to the researcher.

The RDP was developed under the headings of the Five Safes:

  • Safe Projects (RMF approval process),
  • Safe People (Researcher and Research Organisation registration process),
  • Safe Settings (RDP security),
  • Safe Data (RMF construction in compliance with CSO Statistical Disclosure Control policy) and
  • Safe Outputs (Outputs checked in accordance with CSO Statistical Disclosure Control policy by Data Custodian)

Definitions 

  • Personal Data 

Personal data means any information relating to a living individual who can be identified, directly or indirectly. It can include a name, an identification number, location data, an online identifier or one or more factors specific to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

  • Special Categories of Personal Data

Special categories of personal data mean data revealing racial or ethnic origin; political opinions or religious or philosophical beliefs; trade union membership; genetic data; biometric data; data concerning health; individual’s sex life or sexual orientation. 

  • Data Processing 

Processing means doing anything with the data, such as storing, accessing, disclosing, destroying or using the data in any way.

What is the lawful basis for researcher access to the CSO COVID-19 data research hub?

Processing of personal health data as contained in the CSO COVID-19 data research hub is permitted under Article 6.1.e, Article 9.2.i and j of the General Data Protection Regulation (GDPR): 

Article 6.1.e:

“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

Article 9.2.i:

“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”

Article 9.2.j

“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”

Processing of personal health data as contained in the COVID-19 Data Flows is also permitted under Sections 38.1.a, 42.1.c, 53 and 54.c of the Data Protection Act 2018 i.e.

 38. (1) a

“The processing of personal data shall be lawful to the extent that such processing is necessary and proportionate for the performance of a function of a controller conferred by or under an enactment or by the Constitution”

 41. (1) c

“Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, personal data may be processed, in accordance with Article 89, for statistical purposes”

 53.

“Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where it is necessary for public interest reasons in the area of public health including—

(a) protecting against serious cross-border threats to health, and

(b) ensuring high standards of quality and safety of health care and of medicinal products and medical devices.”

54. c 

“Subject to compliance with section 42, the processing of special categories of personal data is lawful where such processing is necessary and proportionate for statistical purposes.”

CSO is bound by the terms of the Statistics Act, 1993. All researchers approved for access to the CSO COVID-19 data research hub will be Officers of Statistics under Section 20(c) of the Statistics Act, 1993. Each approved researcher will have signed the Declaration of Secrecy under Section 21 of the Statistics Act, 1993.

Compliance with Health Research Regulations

The processing of all personal data contained within the COVID-19 RMF datasets for health research by RMF researchers must be compliant with the Health Research Regulations (DATA PROTECTION ACT 2018 (SECTION 36(2) HEALTH RESEARCH) REGULATIONS 2018).

As explicit consent from a data subject is a mandatory safeguard under the Health Research Regulations, all RMF researchers must apply to the Health Research Consent Declaration Committee (HRCDC) for a consent declaration where explicit consent of the data subjects is not possible or practicable. A consent declaration shall only be made by the HRCDC for a research study, when it is satisfied that all the data protection safeguards and technical and organisational measures have been met, and the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the individual who owns the personal data.

Does CSO share personal data with any third parties?  

Access to personal data held in the CSO COVID-19 data research hub is restricted to nominated CSO staff and to approved researchers.

How long will COVID-19 data be stored for?

There will be a post pandemic review which may make certain recommendations regarding the duration of the data storage element regarding COVID-19 related data sources.

What rights do you as the data subject have?

The General Data Protection Regulation (GDPR) confers the following rights on individuals: 

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to object to processing of personal data

Article 89(2) of the General Data Protection Regulation (GDPR) allows derogations from data subject rights where personal data are processed for scientific/historical research or statistical purposes. These apply in respect of your right of access, right to rectification, right to restriction of processing and right to object, but only where the exercise of these rights is likely to render impossible or seriously impair the achievement of the specific statistical purposes.

Right to lodge a complaint to the Supervisory Authority

Under data protection legislation you have a right to lodge a complaint with the Data Protection Commission if you consider that processing of your personal data is contrary to data protection law.  The contact details of the Commission are

By post:                       21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.

By e-mail:                    info@dataprotection.ie

By phone:                    0761 104 800 or lo-call number 1890 252 231

Online:                        https://www.dataprotection.ie/