Do we need to get explicit consent from data subjects for research under GDPR?

Informed, voluntary and fair consent is the cornerstone of ethical research involving people. It is a mechanism, to ensure the rights of individual participants can be respected. It is through the consent process that research participants can understand what taking part in a specific study will mean for them, so they can make an informed choice and feel able to express their wishes. 

Yet consent is not likely to be your lawful basis to hold and use personal data, or the condition to process special categories of personal data, for research. 

Because you will not be using consent as your legal basis for processing data under GDPR, in most cases you will NOT need to re-consent existing participants (or parents/ representatives for paediatric studies) in order to comply with GDPR. Unless you are making changes to your study processes or arrangements (eg changing what data you collect or how you will hold it), you will not need to re-consent existing participants for common law or other ethical reasons.

It is important that you are clear that this does not affect the ethical importance of consent. You will also still need to obtain consent for access to or use of confidential patient information to meet the common law duty of confidentiality. There are, of course, also other requirements in law for obtaining consent for research, eg clinical trials legislation, as well as ethical reasons.

The Confidentiality Advisory Group (CAG) advises the HRA whether there is sufficient justification to process confidential patient information without consent in England and Wales. Support under the relevant regulations (Health Service (Control of Patient Information) Regulations 2002) sets aside the common law duty of confidentiality. It does not set aside the need to comply with other legislation or the principles of data protection.

This means that there also still needs to be a legal basis under the GDPR, as set out in previous sections above, and that appropriate transparency information should be provided and safeguards implemented. CAG sets certain additional expectations in relation to safeguards (eg the opportunity for patients to opt out) and transparency (eg patient notification arrangements), which are a condition of the approval for research. You need to ensure that any additional safeguards or transparency requirements to meet GDPR are also implemented.

N.B Other parts of the law do demand that consent is in place before research can happen (e.g. Human Tissue Act, Medicines for Human Use (Clinical Trials) Regulations, etc.).  Given the additional ethical imperative to obtain consent whenever possible, researchers should review and improve their consent procedures in line with good research practice.