Why we don’t think explicit consent is necessary.
There are some sources advising osteopaths that they must get patients to sign that they can give you their health data. At Mint we think that obtaining explicit consent for collecting health data is unnecessary (and so does the Incormation Commissioner’s Office) and here is why:
- Explicit consent is not appropriate for health data because it is not possible for patients to withdraw consent. If a patient does not consent to their data being processed in the clinic the osteopath is unable to fulfil their contract with the patient so the appointment will not be able to continue.
- Due to the legal obligations placed on the osteopath the patient would not be able to withdraw consent because once the osteopath holds health data on the patient they must retain that information for the time periods stipulated in the OPS. Consent is not valid unless there is the possibility to withdraw consent.
What should you do?
The alternative approach is much simpler and will save you a lot of work:
Health data is considered Special Category Data under the GDPR. In addition to identifying a lawful basis for processing data (see our last blog), which may include legal obligation or performance of contract or one of the other bases, osteopaths must identify a condition for processing Special Category Data from the 10 listed under section 9 of the GDPR.
One of those 10 conditions is a) explicit consent but the more appropriate condition is (h) and therefore explicit consent is not necessary.
Condition for processing special category data
Article 9 2(h)
- (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
- Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
You need to state in your policy your legitimate basis for processing your different data. Then, rather than gaining explicit consent you simply need to state in your data policy that your condition for processing special category data is Article 9 2(h) and that is it!