Information for the public
Data
For this research we will be using data relating to medications dispensed to people eligible for the General Medical Services (GMS) or “medical card” scheme in Ireland. This data is held by the Health Service Executive (HSE) Primary Care Reimbursement Service (PCRS). The GMS scheme covers approximately 1.58 million people in Ireland. The research focuses on people eligible for the GMS scheme who were dispensed analgesic or sedative medications on prescription between 2014 and 2021.
Before sharing this data, the HSE PCRS remove directly identifiable information, including the GMS or medical card number, and instead assign a new number per individual specifically for the purposes of this research. Similarly they remove the number assigned to GPs who prescribe and pharmacists that dispense, and assign a new number. The data contains information on what medications were dispensed, when they were dispensed, and the age group and sex of the patient they were dispensed to. The geographic area of the dispensing pharmacy (based on HSE local health offices – similar to the county) is also included. No individual can be identified directly from this data, and it is highly unlikely that anyone could be identified even by indirect means.
This data will be analysed to produce summary information about the use of analgesic and sedative medications across Ireland, and this will be compared to summary information that is publicly available on prescribing in GP practices in England, as an international benchmark.
Legal basis and approvals
In order for our research team to process this data from the HSE PCRS, specific legal bases under GDPR Article 6 and Article 9 must be met. For this project the legal bases are:
Under Article 6
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
and
Under Article 9
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
Although the data has been de-identified, we are treating this data as pseudonymised (i.e. personal data where identifies are hidden by assigning a new code or number to individuals) and providing all relevant safeguards in terms of data protection. When using personal data for health research without explicit consent, a consent declaration must be obtained, on the basis that “the public interest of the research significantly outweighs the public interest in requiring the explicit consent of the individual whose data is being processed”. A consent declaration was granted for this project by the Health Research Consent Declaration Committee.
Once data is received by our team from the HSE PCRS, it should not be possible for us to identify people whose data is included by any direct or indirect means. As we are processing the data for scientific research purposes, based on Section 61, subsection 2 of the Data Protection Act 2018, rights of data subject (i.e. people whose data is included) set out in Articles 15, 16, 18 and 21 of GDPR (which includes the rights to object and restrict processing) are restricted, as exercise of these rights would seriously impair the achievement of the scientific purposes of the research (generating national and regional trends for benchmarking locally and internationally). Therefore it is not possible to withdraw data from this study in light of these issues.
Data processing
In carrying out this research, we will process data from the HSE PCRS in a number of ways. We will analyse the data to summarise things like the number of times a medication is dispensed and how much, and how many people receive a medication. This will be summarised by local health office area (similar to county), by age group, and by sex, over time. Graphs will be generated based on this data. We will store the data in a restricted, encrypted area using RCSI’s online storage with Microsoft OneDrive. Only core members of the research team will have access to the data, all of whom have competed data protection training. All access to the data will be logged, and the data will be protected by a number of security measures, including two-factor authentication to access it. Once the project is completed in 2024, we will retain the data for five years, to ensure we can answer any questions about the results of the project. At this point, we will destroy the data or fully anonymise it, so there will be no personal data retained.