Data Protection Policy

Data Protection, Security and General Data Protection Regulation.

INFANT fully respects the right to privacy. Any personal information which INFANT stores is treated with the highest standards of security and confidentiality, strictly in accordance with the Data Protection Acts 1988-2018. The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation on data protection and privacy for all individuals within the European Union. It came into force across the European Union on 25 May 2018 and forms the basis of our new Irish data protection laws (Data Protection Acts 1988-2018). In Ireland, we have introduced new legislation known as the Data Protection Act 2018, which was signed into law on 24 May 2018.

General Data Protection Regulation (GDPR) (EU) 2016/679

Data Protection Act 2018

When does data protection law apply and what does it cover?

The Data Protection Acts 1988-2018 are designed to protect people’s privacy. The legislation confers rights on individuals in relation to the privacy of their personal data as well as responsibilities on those persons holding and processing such data.

Data protection law covers most situations in which information about somebody (the ‘personal data’ of a ‘data subject’) is used in some way (‘processed’) by some other person or organisation (the ‘controller’), other than in a purely personal context.

Personal Data: Personal data means data relating to a person who is or can be identified either from the data itself or in conjunction with other information that is in, or is likely to come into, the possession of the Department. It covers any information that relates to an identified or identifiable living individual. These data can be held on computers or in manual files.

A ‘controller’ refers to a person, company, or other body that decides how and why a data subject’s personal data are processed. If two or more persons or entities decide how and why personal data are processed, they may be ‘joint controllers’, and they would both share responsibility for the data processing obligations.

A ‘processor’ refers to a person, company, or other body which processes personal data on behalf of a controller. They don’t decide how or why processing takes place, but instead carry out processing on the orders of a controller.

During various research studies and projects, INFANT collects Electroencephalography (EEGs), associated videos of patients, physiological monitoring data, biological samples, clinical and assessment data. This data is collected mainly within Cork University Maternity Hospital (CUMH), the INFANT Discovery Platform at Cork University Hospital Paediatric Academic Unit and the INFANT Space in the Brookfield Medical Sciences Complex. The data is analysed for the study it was collected for and is stored for future analysis in related projects/research questions as per the original consent obtained.

Following Good Clinical Practice (ICH-GCP E6 (R2)) guidelines and ISO 14155:2011, all research data collected, such as EEGs, videos and clinical data, is pseudo-anonymised by stripping any patient identifiers and assigning unique study numbers.

INFANT stores data from previously conducted studies in a state-of-the-art three-layer storage system that is monitored and secure.

Your Rights under the GDPR

Data protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights:

  1. Everyone has the right to the protection of personal data concerning him or her.
  2. Such data must be processed fairly for specified purposes based on the consent of the person concerned, or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  3. Compliance with these rules shall be subject to control by an independent authority.

This means that every individual is entitled to have their personal information protected, used in a fair and legal way, and made available to them when they ask for a copy. If an individual feels that their personal information is wrong, they are entitled to ask for that information to be corrected.

To process personal data, organisations must have a lawful reason. The lawful reasons for processing personal data are set out in Article 6 of the GDPR. The six lawful reasons for processing personal data are:

  1. Consent
  2. To carry out a contract.
  3. For an organisation to meet a legal obligation.
  4. Where processing the personal data is necessary to protect the vital interests of a person.
  5. Where processing the personal data is necessary for the performance of a task carried out in the public interest.
  6. In the legitimate interests of a company/organisation (except where those interests contradict or harm the interests or rights and freedoms of the individual).

Any one of the six reasons given above can provide a legal reason for processing personal data.

Data Subjects' Privacy Rights (https://gdpr.eu/what-is-gdpr/):

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.