Consent matters in nearly every industry, but it is especially critical when it involves an individual’s health. The GDPR lays out the ground rules for what is and isn’t allowed, though these rules can be interpreted differently depending on your organisation. We’ll look at the differences between types of consent and how you can best show you met the requirements in the case of a dispute.
When it comes to direct care, industry standards rely on implied consent, that is, using patient data for treatment purposes without breaching confidentiality. However, implied consent for treatment is not the same as consent in the context of processing data under the GDPR.
Within a healthcare setting, consent can be given in a variety of ways beyond a formal consent form. A patient might give a verbal yes or a nonverbal nod to taking a certain test. They may hold out their leg for an examination rather than explicitly acknowledging that they approve.
A patient’s approval for a service should ideally be given directly to the healthcare practitioner, as opposed to an intermediary or administrative worker. Parents of children up to the age of 16 are generally allowed to stand in for consent if need be, though it’s considered better to have the child’s direct consent.
Within the context of the GDPR, though, consent generally needs to be more formal. It needs to be specific and unambiguous, and the patient must be able to easily withdraw their consent if they choose. Ideally, the party requesting consent should not be viewed as having any sort of power over the patient either, as it can be difficult to justify an affirmative act under these circumstances.
(The GDPR does allow data processing without consent if it meets the terms of another appropriate lawful basis, for instance where using the data is necessary in the public interest. Here, however, we’ll be focusing on consent in the absence of such a lawful basis.)
Patients are often given any number of forms before they receive treatment, and almost no one takes the time to understand every term and condition listed. If healthcare professionals are asking people to sign paperwork before a practitioner can begin work, consent can’t be buried in the middle of the fine print.
Instead, you should be actively drawing people’s attention to it, so they can see that it’s a separate matter and give it the attention it deserves. If you need to include detailed information in your forms, make sure it’s all prominent and easy to read. Headers, italics, and bolded words can really help draw the eye to important information and ensure that patients understand what they’re agreeing to.
Whether verbal or written, healthcare professionals should not be using technical jargon or confusing language to describe the nature and terms of the patient’s consent. Because conversations can be interpreted differently, healthcare facilities should ensure that their written consent wording is both simple and straightforward.
The GDPR treats health information as special category data, which means that this form of consent will generally be subject to additional scrutiny. You must identify who will be using the data, why you want it, and what you’ll do with it. It’s also considered good practice not only to tell the patient that they can withdraw consent but to include information on how they can do so.
Consent obtained under the Data Protection Act (DPA) may or may not meet all of the requirements of the GDPR, especially if it lacks a mechanism for patients to withdraw their consent. Where it falls short, you’ll need to obtain new consent or identify another lawful basis for using the data.
One of the key differences under the DPA is that it allows practitioners to profile patients based on information if there are legitimate grounds and there are barriers in place to protect them. However, the GDPR does not allow for this, which may mean that you’ll need to specify your intentions and obtain new consent before moving forward.
When it comes to recording and managing consent, you need to keep a record of who consented, when it occurred, and what information was conveyed to them at the time. Practitioners will also need to record how the person consented (e.g., online, on paper) and whether consent was ever withdrawn.
Patients shouldn’t have access to forms with pre-ticked boxes as a default or blanket acceptance terms designed to cover a myriad of situations. Providers and administrative workers should be recording opt-in and opt-out information meticulously and ensuring that data is easily retrievable if need be. If you’re asked to prove consent across patients, this is the best way to avoid an auditing nightmare.
After consent has been given, it’s considered good practice to provide management tools for patients to update consent, which may include online privacy tools or marketing campaigns to inform patients of their rights. For instance, children who pass the age of 16 may want to update their consent forms now that their parents no longer have the right to speak for them.
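One way to keep the records described above (who, when, how, what they were shown, and any later withdrawal) in a form that can be produced on request, as an added example in Python that is not the page’s own code nor any compliance product’s API: an append-only ledger where events are never edited, consent is tracked per specific purpose rather than as a blanket acceptance, and the default state in the absence of any record is “no consent” (no pre-ticked boxes). Patient IDs, purpose names, staff identifiers and notice versions in the sample history are constructed placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One opt-in or withdrawal. Frozen: a recorded event is never altered."""
    patient_id: str
    purpose: str            # one specific processing purpose, never "all uses"
    opted_in: bool          # True = consent given, False = consent withdrawn
    recorded_at: datetime   # when it occurred (UTC)
    channel: str            # how it was given: "paper", "online", "verbal"
    recorded_by: str        # staff member or system that captured it
    notice_version: str     # version of the wording the patient was shown
    given_by: str           # "patient", or "parent" for a child


class ConsentLedger:
    """Append-only ledger of consent events (hypothetical helper for this example)."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, event: ConsentEvent) -> ConsentEvent:
        # An opt-in without the wording shown cannot be evidenced as informed consent.
        if event.opted_in and not event.notice_version:
            raise ValueError("notice_version is required to evidence what the patient saw")
        self._events.append(event)
        return event

    def record_opt_in(self, patient_id: str, purpose: str, channel: str, recorded_by: str,
                      notice_version: str, given_by: str = "patient",
                      at: Optional[datetime] = None) -> ConsentEvent:
        return self._append(ConsentEvent(patient_id, purpose, True, at or datetime.now(timezone.utc),
                                         channel, recorded_by, notice_version, given_by))

    def record_withdrawal(self, patient_id: str, purpose: str, channel: str, recorded_by: str,
                          at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is the patient exercising a right; no notice wording is needed to prove it.
        return self._append(ConsentEvent(patient_id, purpose, False, at or datetime.now(timezone.utc),
                                         channel, recorded_by, "", "patient"))

    def _history(self, patient_id: str, purpose: str) -> list[ConsentEvent]:
        return sorted((e for e in self._events if e.patient_id == patient_id and e.purpose == purpose),
                      key=lambda e: e.recorded_at)

    def status_at(self, patient_id: str, purpose: str, at: datetime) -> bool:
        """Consent state for one purpose at a point in time. No event means no consent."""
        state = False
        for event in self._history(patient_id, purpose):
            if event.recorded_at <= at:
                state = event.opted_in
        return state

    def evidence(self, patient_id: str, purpose: str) -> list[dict]:
        """Chronological history for one patient and purpose, ready to hand to an auditor."""
        return [dict(asdict(e), recorded_at=e.recorded_at.isoformat())
                for e in self._history(patient_id, purpose)]


def _ts(text: str) -> datetime:
    """Constructed UTC timestamp for the sample history."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def demo() -> dict:
    """Constructed sample: a parent opts in for a child, who later withdraws via a portal."""
    ledger = ConsentLedger()
    purpose = "appointment-reminders-sms"   # constructed purpose name
    ledger.record_opt_in("P-0001", purpose, "paper", "reception-jdoe",
                         "reminders-notice-v2", given_by="parent", at=_ts("2023-03-01T09:00"))
    ledger.record_withdrawal("P-0001", purpose, "online", "patient-portal", at=_ts("2024-06-15T18:30"))
    return {
        "before_withdrawal": ledger.status_at("P-0001", purpose, _ts("2024-01-01T00:00")),
        "after_withdrawal": ledger.status_at("P-0001", purpose, _ts("2024-07-01T00:00")),
        "other_purpose": ledger.status_at("P-0001", "research-data-sharing", _ts("2024-01-01T00:00")),
        "event_count": len(ledger.evidence("P-0001", purpose)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the ledger only ever appends, the question “was this patient consented to this purpose on this date?” is answered by replaying the history rather than by inspecting a mutable flag, and the same history is the evidence you would produce in a dispute. In a real deployment the events would live in a database with write-once storage and access logging; the in-memory list here stands in for that.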
Often, a different treatment or change in procedure will require you to revisit your processing purposes and the associated lawful bases. It could also bring in different special categories of personal data, each carrying its own risks.
Your compliance management software should be comprehensive enough to alert you to such changes, to perform DPIAs and gap analyses where required, to seamlessly integrate your data mapping with your privacy notices, records of processing and processor contracts, and to maintain personnel awareness of their responsibilities.
Working with such software helps you get your data protection right by managing the risks.
We can show you how it works. Click below to claim your free trial.