Cookies on this website

We use cookies to ensure that we give you the best experience on our website. If you click 'Accept all cookies' we'll assume that you are happy to receive all cookies and you won't see this message again. If you click 'Reject all non-essential cookies' only necessary cookies providing core functionality such as security, network management, and accessibility will be enabled. Click 'Find out more' for information on how to change your cookie settings.

abstract

Several recently enacted data protection laws appear to afford a privileged position to scientific research, including health research. Rules that might otherwise apply to data subjects and data controllers, including rights exercisable by data subjects against controllers, are lifted or lessened. However, when it comes to considering whether consent should serve as the lawful basis for processing data in the health research context, a fair degree of policy and regulatory divergence emerges. This divergence seems to stem from a normative link that some draw between consent as a research ethics principle and consent as a lawful basis in data protection law. This seminar considers the EU General Data Protection Regulation (GDPR) and three national laws, either implementing the GDPR or inspired by it, to provide points of comparison: South Africa’s Protection of Personal Information Act, 2013, the UK’s Data Protection Act 2018, and Ireland’s Health Research Regulations 2018. I argue that there is merit in distinguishing research ethics consent from data processing consent, to avoid what I term ‘consent misconception’, and come to advocate a middle-ground approach in data protection law, i.e. one that does not mandate consent as the lawful basis for processing personal data in health research projects—but does encourage it. This approach achieves the best balance for protecting data subject/research participant rights and interests and promoting socially valuable health research.