Safeguards And Risk Assessment

Legislative Safeguards

Data access is restricted to approved researchers who are appointed as Officers of Statistics under Section 20(c) of the Statistics Act, 1993. This appointment is granted for a specific period only, and researchers must request a renewal of their access if they require it beyond the initial period granted. Officers of Statistics are bound by Sections 33 and 7 of the Statistics Act, 1993:

• Section 33 prohibits the disclosure of information obtained under the Act which can be related to an identifiable person or undertaking.

• Section 7 provides that all information provided to the CSO before the commencement of the Statistics Act, 1993, either voluntarily or in compliance with orders made under the previous legislation, is subject to the same protection and provisions as if such information was collected under the Statistics Act, 1993.

Governance Safeguards

Governance safeguards apply to all CSO staff both permanent and temporary.

Specific safeguards re COVID-19 Health Data

  1. All COVID-19-related data containing personal identifiers or Special Category data must be received and registered via the CSO Administrative Data Centre (ADC)
  2. Identity variables are separated at the earliest possible stage in the data processing following receipt in the CSO
  3. If all steps in the relevant internal approvals processes are complied with, then access to the identified datasets only will be granted for a maximum of one year
  4. Every 6 months, registered users are required to certify that they still require access to the data and are compliant with CSO Data Management Policy
  5. ADC is informed by Human Resources of all staff changes, with access by staff who leave the CSO or whose roles have changed removed promptly
  6. All registered users of each ADC dataset are identified on the ADC Portal
  7. Access lists are regularly reviewed to ensure that access is restricted to the fewest possible number of staff
  8. As specified in the CSO Data Management Policy, A1 (personally identifiable) data must not be shared between any business areas of the CSO

RESEARCH DATA GOVERNANCE BOARD (RDGB)

The RDGB has been established as an additional safeguard in the process to act as a central point for application receipt, screening, review and prioritisation of all requests to access data in the COVID-19 Data Research Hub. It is an independent body established jointly by the Health Research Board (HRB) and the CSO in close collaboration with the Department of Health (DOH) in Ireland. Members of the RDGB are appointed jointly by the HRB and the CSO based on their complementary skills, expertise and experience deemed most relevant for making robust decisions, and considering gender balance as well as geographical spread.

The RDGB oversees a transparent process to facilitate secure and controlled access to the data for the purposes of conducting statistical analysis to facilitate research. Only applications that have been approved by the RDGB and where evidence of Research Ethics Committee (REC) approval and Health Research Consent Declaration Committee (HRCDC; www.hrcdc.ie) approval is received by the RDGB will be recommended to the CSO. The CSO will issue final approval for access to relevant COVID-19 health data. The data available to researchers will be limited to datasets provided to CSO in the context of the written approval by the Minister for Health.

HEALTH RESEARCH CONSENT DECLARATION COMMITTEE

Researchers are required to have a declaration from the HRCDC when personal data is processed but where obtaining the explicit consent of the data subject is neither possible nor practicable. The HRCDC was established as part of the Health Research Regulations made under the Data Protection Act, 2018 and allows for use of personal data for health research that is of high public importance, and where obtaining consent from the research participant is not possible. A consent declaration shall only be made by the HRCDC for a research study when it is satisfied that all the data protection safeguards and technical and organisational measures have been met, and the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the individual who owns the personal data. For more information, please visit www.hrcdc.ie.

RMF Researchers

Governance safeguards apply to all RMF researchers. Applications for RMF access are accepted only from eligible researchers from registered research organisations.

Access to RMFs will only be given when:

  1. The RMF Standard Agreement has been signed on behalf of the research organisation;
  2. Each researcher specified in the Agreement has signed their acceptance of the Terms and Conditions of this Agreement;
  3. Each researcher has signed the Declaration of Secrecy under Section 21 of the Statistics Act, 1993; and
  4. Each researcher has been appointed an Officer of Statistics by the Director General of the CSO under Section 20(c) of the Statistics Act, 1993.

All RMF researchers must complete an RMF training course provided by CSO, a reinforcement of the terms and conditions of the RMF Standard Agreement to which researchers agree to abide. Failure to comply with the protocols, terms and conditions specified in the standard agreement may have implications for the individual and the organisation/institute for whom they work. These sanctions may include but are not limited to:

  1. Termination of the individual’s appointment as an Officer of Statistics;
  2. Requirement to return and/or cease using all information provided by the CSO;
  3. Corresponding sanctions in relation to the organisation/institute and other RMF researchers in that organisation/institute; and
  4. Denial of future requests for RMF research access.

The CSO reserves the right to apply other sanctions, up to and including prosecution under the Statistics Act, 1993, where appropriate. All researcher outputs are checked by the data custodian in the CSO and must be compliant with CSO’s Statistical Disclosure Control policy.

Physical and IT Related Safeguards

IT Related

In 2019, the CSO was audited against and passed the European Statistical System IT Security Framework. CSO technology, in facilitating secure access to microdata, is in keeping with best practice internationally. CSO has a secure remote access system in place for access to RMFs as well as an application process which involves researcher and research organisation registration before an application for access to RMF data will be considered. The secure remote access Researcher Data Portal (RDP) is a locked-down Citrix system from which no data can be extracted without the approval of CSO. The RDP was developed under the headings of the Five Safes:

  • Safe Projects (RMF approval process);
  • Safe People (Researcher and Research Organisation registration process);
  • Safe Settings (RDP security);
  • Safe Data (RMF construction in compliance with CSO Statistical Disclosure Control policy); and
  • Safe Outputs (Outputs checked in accordance with CSO Statistical Disclosure Control policy by Data Custodian).

The datasets remain on a CSO server at all times. Secure access to microdata is through the CSO RDP. The RDP is a locked-down Citrix environment from which it is not possible for the researcher to export or import data. There is no email facility or internet access from the RDP.

Risk Assessment

A detailed Risk Assessment was completed in the preparation of this DPIA. It is not being included as part of the summary as it contains detail on operational and security measures and controls.

Risk descriptions included:

  • illegitimate access;
  • undesired modification;
  • data breach;
  • disappearance or loss of data;
  • unintended consequences of access; and
  • public perception.

Specific use cases were considered, assigned risk owners and scored. Controls in place to mitigate the risk were outlined for each. The scores were re-assessed based on these mitigating controls and re-scored. In addition, each use case outlined action(s) to mitigate the risk if it occurred.