GDPR - GPC - Blog 17
Blog Seventeen, Consent
Reference to all these Articles is a bit legalistic and confusing, why not just use consent?
Prior to the end of the last century everything was done under the principles established by many hundreds of years of accumulated case law, more commonly known as the Common Law Duty of Confidentiality (CLDoC). On the patient records and data side it all boiled down to a default assumption that doctors protect their patients’ data. It’s easy to confuse consent for an action, having a needle stuck in you, with consent to process your data. One is usually more apparent than the other: if you roll up your sleeve it’s reasonable to assume “implied consent” to the needle. Unfortunately, your data could be being processed whether your sleeve was rolled up or not, or indeed whether you were in the room or not.
For this blog we are only dealing with consent and data, not actions.
Huzzah, the Data Protection Act
The DPA was introduced to deal specifically with the protection of patient data. It has a concept of consent in its schedules, but there was no precise definition of what DPA consent meant, required or represented. There was no description of what conditions had to exist to make consent for processing comply with the DPA. As a result, under the DPA consent could mean anything from “implied consent” (when a patient agrees to a referral it is implicit that they are consenting to the referral letter being sent) to explicit, written and formally documented detailed consent such as signing an Advance Directive. Whilst implied consent and explicit consent are terms often referred to, neither is defined under the old DPA. So-called “implied consent” was being flogged like the proverbial dead horse as a justification for just about any use of patients’ data, as I once witnessed an eminent researcher explain, “we’re often too busy to consent, we have to make assumptions”.
So, we had implied consent, consent and explicit consent under DPA?
No, you had consent and CLDoC. Everything else was a concoction.
GDPR understands the ambiguity between CLDoC, consent, implied consent and the undefined legal consent of the old DPA and has provided a clearer set of rules.
The rise and fall
GDPR was drafted in the aftermath of the digital data revolution. The honeymoon with social media and the like is over, and data is now instantly transferable to the other side of the globe at the blink of an AI-observed eye. More control is needed.
GDPR has been drafted with a far tighter definition of consent. Consent under GDPR must have a list of conditions satisfied for it to be legally relied upon. The tighter definition of consent under GDPR is there to provide greater and more explicit control for DSs, and that is to be welcomed. However, in delivering that enhanced control certain unintended consequences arose, one of which was in healthcare. We’ll go into those in a moment, but take it from me, seeking legally valid GDPR qualifying consent in day to day general practice would be incompatible with sanity.
So did we ditch implied consent?
Not exactly; it was more moved aside, and something else let through in its place. GDPR recognises that GPs process data on their patients because that’s what they do, partly because they always have but also because they are legally required to do so. The Medical Act, the NHS Act and your contracts with the NHS all require GPs to keep and maintain records of their patients. Understanding that in practical terms GDPR consent would be impossible in health care, GDPR focuses on other legal requirements for our processing of data. Article 6(1)(e) of GDPR creates a legal justification for processing patient data because the GP DC is simply doing what the laws require him to do; GDPR describes this as exercising “official authority vested in the controller”. So, Article 6(1)(e) allows GPs to process their patients’ data because that is what GPs do: if you register with a GP for NHS services he is going to process the data he holds on you. If you need to see a specialist, your GP will share necessary and appropriate data with that specialist. Because Article 6(1)(e) exists as a standalone justification under GDPR, consent is therefore not required. In effect you might consider that Article 6(1)(e) is creating a legal basis for “implied consent”. Essentially GPs acting as GPs can do stuff with patient data during their normal activities, because that is what GPs are expected, i.e. it’s implied, to do.
So what has happened to consent?
GDPR tightens up on what is meant by consent and provides a set of specific characteristics that must be met for it to be legal. The nebulous, ill-defined consent of the DPA is now replaced by Articles 4, 6, 7 and 9 (I’m omitting children, Article 8, for the moment). GDPR consent is a whole different ballgame: it requires a set of specific goals to be achieved and requires recorded proof that it was given. In addition, consent given under GDPR conditions can be unconditionally withdrawn at any time, and with a burden no greater than the giving (i.e. if consent is one tick box then withdrawal can’t need two to achieve). Obviously, this particular aspect would be problematic for GPs and healthcare in general.
GDPR consent is defined in Article 4(11) as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
OK understood, day to day agreeing care plans and treatments with patients will be unchanged, am I going to have to make any other changes to my clinical practice?
No. Day to day, treating patients who seek care believing themselves to be ill, or not, will not change under GDPR. They’ll need to know that data is shared or processed, but a detailed explanation won’t be necessary at the time. If you rely upon GDPR consent for any other activities, then you will need to make sure your consenting process, and your records for those processes, are watertight, and by May 25th.
I’m sorry did you say we’ve got to revise all our consents by May 25th?
Yes. If you are going to rely on GDPR consent, either 6(1)(a) or 9(2)(a), you must make sure it is compatible with GDPR consent by 25th May. The exception is where communications are covered by PECR, where the “soft opt in” exists; see blog 5.
But, and it’s a big but, don’t panic
Remember, as the numerous previous blogs have described, GPs are very, very, very rarely ever going to be relying on GDPR consent for anything, not even as employers. Specific research and marketing to new patients are the only likely ones I can think of.
GDPR consent in detail
The ICO has a very good page on consent under GDPR on her web site. There’s no point in my rekeying it all. It’s a neat checklist:
☐ We have made the request for consent prominent and separate from our terms and conditions.
☐ We ask people to positively opt in.
☐ We don’t use pre-ticked boxes or any other type of default consent.
☐ We use clear, plain language that is easy to understand.
☐ We specify why we want the data and what we’re going to do with it.
☐ We give individual (‘granular’) options to consent separately to different purposes and types of processing.
☐ We name our organisation and any third party controllers who will be relying on the consent.
☐ We tell individuals they can withdraw their consent.
☐ We ensure that individuals can refuse to consent without detriment.
☐ We avoid making consent a precondition of a service.
☐ If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
☐ We keep a record of when and how we got consent from the individual.
☐ We keep a record of exactly what they were told at the time.
☐ We regularly review consents to check that the relationship, the processing and the purposes have not changed.
☐ We have processes in place to refresh consent at appropriate intervals, including any parental consents.
☐ We consider using privacy dashboards or other preference-management tools as a matter of good practice.
☐ We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
☐ We act on withdrawals of consent as soon as we can.
☐ We don’t penalise individuals who wish to withdraw consent.
Some quick points to emphasise
Consent must never be “bundled”; it must be a standalone process (Article 7(4)). In particular, consent and contracts cannot be merged or blurred.
If a DC wants to process personal data in respect of a contract, Article 6(1)(b) would be a better place to start.
Consent must be specific for a purpose described in detail. It cannot be vague. As a minimum you explain (1) the DC’s identity, (2) the purpose of the processing, (3) what data will be collected and used, (4) how to withdraw consent, (5) information about any automated processing and (6) any transfers of data abroad, which GPs are unlikely to need.
Clear and plain language means easily understandable for the average person and not only for lawyers. DCs must not use long dense small print legalistic statements.
And for Article 9 data it gets even tougher. The DS must give an express statement of consent which must be captured as proof, such as a written statement signed by the DS. More high-tech than paper, a DS could alternatively fill in an electronic form, as some “GP in yer ‘ocket” services do, send an email, upload a scanned signed document or use an electronic signature. A verbal recording would do, but you’d have to have the visuals recorded as well to prove no sword of Damocles was nearby.
The DC will be expected to be able to prove beyond doubt that consent was legally (GDPR) valid. That’s quite a high standard. See Article 7(1).
How long consent lasts will depend on the context, the scope of the original consent and the expectations of the data subject.
If the processing operations change or evolve considerably then the original consent is no longer valid. If this is the case, then new consent needs to be obtained. Consent must be regularly reviewed, revised and re-visited.
Article 7(3) of the GDPR says that consent can be withdrawn by the data subject as easily as giving it, and at any time. Giving and withdrawing don’t have to use the same mechanism, mouse click vs finger swipe, but they must be equally easy.
After withdrawal of consent all processing should ordinarily stop and, unless otherwise specified by the DS, their data be deleted!
Now I mentioned research.
Clearly there are circumstances when research throws the odd googly:
“It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.” So, researchers are cut a little slack which is why the template Privacy Notice for Research has Article 6 & 9 consent as options.
So, I hope this little late night lecturette on consent has been informative and placed it in context. I think all GPs can be pleased that GDPR tightens up on protecting our patients’ data without strangling what GPs do.
And there’s more for those interested.
See the Official GDPR Guidance on Consent.
Dr Paul Cundy
GPC IT Policy Lead
16th April 2018