Confidentiality Notice

This document contains information that is privileged, confidential or otherwise protected from disclosure. It must not be used, and its contents must not be reproduced, copied or otherwise disclosed, without the prior written consent of Claremont Medical Centre.

 

Document Details

  • Classification: Internal
  • Author and Role: Dr Mohammed Zafar Munshi (GP Partner), Dr Abir Shaikh (GP Partner), Dr Uzma Mahmood (Locum GP), Dr Sujeen Chandramoorthy (Locum GP), Ms Marie-May Adrienne (Practice Nurse), Mr Tuhinur Raza (Practice Manager)
  • Organisation: Claremont Medical Centre
  • Document Reference: Operational
  • Current Version Number: 2
  • Current Document Approved By: Dr M.Z.M / Dr A.S / Dr U.M / Dr S.C / MM (PN) / TR (PM)
  • Date Approved: May 2022
  • Review Date: August 2023 (reviewed); Next review: August 2024
 

Introduction

In the UK, the Data Protection Act 1998 (DPA) was replaced by the General Data Protection Regulation (GDPR) in May 2018. The GDPR sets a high standard for consent. It builds on the DPA standard of consent in a number of ways and codifies existing European guidance and best practice in considerably more detail. This policy explains our approach to compliance and sets out the criteria for valid consent. It also offers practical help in deciding whether to rely on consent and when to consider alternatives. This policy deals exclusively with consent for data processing.

Please refer to our Consent Policy for information regarding consent for medical treatment.

 

About this policy

To give more thorough, practical guidance on consent under the GDPR, this policy should be read together with our other GDPR-related policies on data processing. The GDPR sets a high standard for consent. Consent means giving patients genuine choice and control over how we use their data. Used properly, consent helps us build trust and protect our reputation. This policy sets out when to rely on consent for processing and when to look for an alternative lawful basis. It explains what counts as valid consent and how to obtain and manage it in a GDPR-compliant way, following the Information Commissioner's Office (ICO) interpretation of the GDPR, and describes our recommended approach to compliance and best practice.

 

Summary

To be valid, consent must be unambiguous and involve a clear affirmative action. Consent must not be bundled with terms and conditions. In general, it should not be a precondition of signing up for a service. The practice will not use pre-ticked opt-in boxes. Separate processing activities require separate, granular consent. We must keep accurate records so that we can demonstrate consent.

Patients have the right to withdraw their consent at any time, and we must provide simple ways for them to do so. Where we relied on consent for processing, patients have the right to have their data erased. Consent should be used as the legal basis for processing only where no other lawful basis applies.

 

How is consent incorporated into the GDPR?

The GDPR requires that we identify and document our lawful basis before processing takes place. Article 6(1) lists six lawful bases:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task (in the public interest or in the exercise of official authority)
  • Legitimate interests. (This basis is not available to public authorities, so the practice should not rely on it for processing personal data.)

Since the practice is part of the NHS, most of the data it processes is likely to be medical in nature. This is regarded as special category (sensitive) data. If you are processing patient information for another NHS organisation, such as a hospital or diagnostic centre, you do not need the patient's consent to do so.

When processing special category (sensitive) personal data, one of the conditions in Article 9(2) must also be met.

"Explicit consent" is one condition that permits the use of special category data. The others are:

  • Vital interests
  • Not-for-profit bodies
  • Data made public by the data subject
  • Legal claims
  • Substantial public interest
  • Health and social care
  • Public health
  • Archiving, scientific or historical research, or statistics

In the absence of other appropriate safeguards, explicit consent may also legitimise restricted processing, automated decision-making (including profiling), or international transfers by private-sector organisations. Relying on consent affects people's rights. Rights such as the right to erasure (sometimes known as "the right to be forgotten") and the right to data portability are generally stronger when processing is based on consent. It is therefore important that consent is used as the legal basis for processing only when no other viable basis exists. Consent is usually not the appropriate legal basis for processing data for healthcare purposes. Consent is suitable only when patients can genuinely choose and control how you use their data and you want to earn their trust and engagement. Consent is not appropriate if you cannot offer a real choice. Asking for consent is inherently unfair and misleading if you intend to continue processing the personal data regardless of the answer.

 

What are the consequences if you do it incorrectly?

Getting consent wrong could expose the practice to significant fines under the GDPR. Under Article 83(5)(a), infringements of the basic principles for processing personal data, including the conditions for consent, attract the highest tier of administrative fines: up to €20 million or 4% of total annual worldwide turnover, whichever is higher.

 

When will we need consent?

There will be situations where consent is the appropriate lawful basis. These include, but are not limited to:

  • Requests for Subject Access
  • Information exchange for research purposes
  • Sharing data with a third party
  • Sharing information in an unexpected or intrusive way
  • Information exchange for purposes other than healthcare
  • Disseminating data for commercial gain

In these situations consent should always be explicit. This means the patient (or, for a minor, the person with parental responsibility) has confirmed, by signing a document, that they understand what information will be shared. Further information on children's capacity and consent is given below.

 

Using data without permission

Consent cannot be the legal basis for processing if you would process the data regardless (for example, recording consultation details). In that case the patient cannot choose to have the information they gave the clinician withheld. It is also unlikely that the data will ever be deleted, so the patient has no real "option". Asking the patient for consent in this situation is inherently unfair and misleading. Instead, to ensure fairness and transparency, we should explain to the patient how we will handle their data.

 

Consent being the legal justification for data processing

The GDPR sets out the conditions for relying on consent as a lawful basis. For consent to be freely given, patients must have genuine, ongoing choice and control over how their data is used. The consent must expressly name the controller (the practice). Any third parties who will rely on the consent must also be named. The consent must cover the processing activities and their purposes. Granular options should be offered where appropriate; for instance, we should list each separate element and ask patients to confirm their consent for each one.

Consent requests must be prominent, separate from other terms and conditions, concise, easy to understand and easy to act on. Consent must be clearly indicated and require a positive action to opt in. We must tell the patient how to exercise their right to withdraw consent at any time. Explicit consent must be expressly confirmed in words (written or spoken) rather than inferred from some other affirmative action, and it must be obtained whenever sensitive healthcare data is processed on the basis of consent.

Information given to patients should be clear, concise and written in plain language. It should not be buried in the service's "terms and conditions". Consent has no predetermined duration; how long it lasts depends on the circumstances. Consent should be reviewed and refreshed as necessary.

 

Definite sign (by statement or clear affirmative action)

It must be clear both that the patient has consented and what they have consented to. This requires more than a statement that they have read the terms and conditions; there must be a definite indication that they accept them. If there is any room for doubt, the consent is not valid.

The practice should therefore provide check boxes for the patient to "opt in", or a clearly worded written statement for them to sign, on every consent document it creates. The practice will never use pre-ticked "opt in" or "opt out" boxes.

 

How long is consent effective?

There is no set duration for consent under the GDPR. Consent is likely to degrade over time, but how quickly depends on the circumstances. We must take into account both the scope of the original consent and the person's expectations. If in doubt, please contact the Caldicott Guardian or the practice's Data Protection Officer (DPO).

If the patient withdraws consent, we must stop processing as soon as possible unless we have another lawful basis. This does not affect the lawfulness of processing carried out before the withdrawal.

When a child reaches the age of majority, parental consent automatically lapses. We should therefore review and refresh children's consent at the relevant milestones. If in doubt, please contact the Caldicott Guardian or the practice's Data Protection Officer (DPO).

 

Capacity to give consent

Although the GDPR contains no specific rules on capacity to consent, the idea of "informed" consent raises questions about capacity.

Unless we have reason to believe otherwise (for example, a diagnosis of dementia), we can generally assume that adults have the capacity to consent. If unsure, consult the practice's Caldicott Guardian.

You may have good reason to believe that someone cannot give informed consent because they lack the mental capacity to understand the implications of doing so. In that case a third party who is legally authorised to act on their behalf (for example, under a Power of Attorney) may consent. A copy of the POA should be held in the medical record. We must make sure that the POA covers health and welfare, not only property and financial affairs.

 

Children’s consent

The GDPR sets no universal requirements for children's consent. However, if we are relying on consent rather than another lawful basis for the processing, we must obtain parental consent for any child under the age of 13. Parental responsibility may still apply for those aged 13 to 16. If you are unsure of a patient's competence to consent, consult the practice DPO or Caldicott Guardian. The "Gillick competence test" will be used to decide whether each child is competent to understand and consent on their own behalf. For example, if we are registering a child who has never been registered with the NHS, you should ask to see the birth certificate or passport to verify the patient's age. The practice must ensure that age-verification procedures are in place for children. We must also make "reasonable" efforts to verify parental responsibility for anyone under the relevant age.

 

Requesting consent in writing

Consent requests must be kept separate from other material such as general terms and conditions, and must be concise, clear and easy to read. All consent requests must be written in plain, straightforward language that patients can easily understand. This is especially important when asking children to consent; in that case we must seek the parent's view and take age-verification and parental-authorisation concerns into account.

 

What details ought to be provided?

Consent must be informed and specific. A consent request must, at a minimum, state:

  • The practice's name and the identity of any third parties who will rely on the consent (naming only categories of third-party organisation is not specific enough).
  • Why we are asking for the data (the purposes of the processing).
  • The processing activities we intend to carry out.
  • That the patient has the right to withdraw their consent at any time.

It is good practice to include instructions on how to withdraw consent.

 

Just-in-time notices

Another option is a "just-in-time" notice. This displays a brief on-screen message about how the data will be used at the moment the user enters the relevant data. It lets you present extra information in a prominent, clear and specific way so that consent is informed. Such notices must be combined with an active opt-in, while making sure the user is not unduly inconvenienced. This approach could be used when booking appointments at the neighbourhood hub. In some circumstances the patient may consent verbally, provided they are fully informed; the consent should then be recorded in the patient record.

 

What techniques can you employ to gain consent?

Whatever method you use must meet the requirement for an unambiguous indication by clear affirmative action. This means you must actively ask patients for their consent. Examples of active opt-in mechanisms include:

  • Ticking a box on a printed form that asks for consent.
  • Ticking an electronic or paper opt-in box.
  • Clicking an online opt-in button or link.
  • Replying to an email request for consent.
  • Saying "yes" to a clear oral request for consent.
  • Volunteering information for a specific purpose, such as completing optional fields on a form.

Silence, inactivity, pre-ticked or opt-out boxes, default settings, or a general acceptance of terms and conditions are not sufficient. The GDPR does not expressly forbid opt-out boxes, but they are usually equivalent to pre-ticked boxes, which are prohibited. Both approaches rely on inactivity and, by default, bundle consent with other matters. Opt-out boxes are typically used to inflate consent rates by exploiting people's inaction, which is a strong warning sign that the quality of the consent is poor. To obtain consent, we must use specific opt-in boxes (or a similar active opt-in method).

 

How should consent be documented?

Article 7(1) says:

"The controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data where the processing is based on consent."

We therefore need a thorough audit trail recording how and when consent was given, so that we can demonstrate it if challenged.

Our records must show:

  • Who consented: their name or another identifier (e.g. online username, session ID).
  • When they consented: a copy of a dated document, or online records with a timestamp or audit trail; for oral consent, a note of the date and time of the conversation.
  • What they were told at the time: ideally a scanned copy of the document, or a master copy of the data capture form containing the consent statement in force at the time, together with any separate privacy notice, with version numbers and dates matching the date consent was given. If consent was given verbally, the records should include a copy of the script that was used.
  • How they consented: for written consent, a copy of the relevant document or data capture form. For electronic consent, the records should show the data submitted and a timestamp linking it to the relevant version of the data capture form. For oral consent, a record of the conversation should be kept, though a full transcript is not required.
  • Whether, and when, they withdrew consent.
 

How should consent be handled?

If anything changes, for example the processing activities or the purposes for which the information is collected, we will need fresh consent, because the original consent may no longer be specific or informed enough. If we rely on parental consent, we will also need to refresh consent when the children grow older and are able to consent for themselves. Speak to the DPO or Caldicott Guardian if you have any doubts about whether a consent remains valid. We should consider refreshing consent automatically at appropriate intervals. How often this is appropriate depends on the circumstances, including the patient's expectations, whether they are in regular contact with us, and how disruptive repeated consent requests would be for them. In most cases we will refresh consent every two years.

 

How should the right to withdraw consent be handled?

Under the GDPR, people have a specific right to withdraw their consent, which they may do "at any time". We must not make this difficult for patients in any way. Consent may be withdrawn verbally or in writing. The record should note whose consent was withdrawn and the date and time of the withdrawal. Where possible, we should also record the reason for the withdrawal.

The GDPR does not prevent a third party from withdrawing consent on an individual's behalf, but we must be satisfied that the third party is authorised to do so. Withdrawal does not affect the lawfulness of processing carried out up to that point. It does, however, mean that we can no longer rely on consent as the lawful basis for processing. Either the processing must stop, or another lawful basis must be identified, together with a justification for why further processing is fair. We must state the right to withdraw consent in our privacy notices and on our consent request forms.
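The record-keeping requirements in "How should consent be documented?" and the withdrawal rules above amount to a small, append-only data model: who consented, when, how, which version of the consent statement they were shown, and when (and why) consent was withdrawn, with withdrawal affecting only later processing. The Python below is an added illustration of that model and is not the practice's own system or the GDPR's text; the patient identifiers, statement wordings, staff initials and the two-year review interval are constructed or taken from this policy for demonstration.

```python
"""Append-only consent ledger (added example, not the practice's own system)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import Optional

# Constructed sample consent statements, keyed by version. Each "given" event
# stores only the digest of the wording, so a record can later be tied to the
# exact statement (and version) that was in force when consent was obtained.
STATEMENTS = {
    "research-sharing-v1": "Sample v1 wording: we will share your records with "
                           "[named research partner] for [named study].",
    "research-sharing-v2": "Sample v2 wording: as v1, plus anonymised follow-up data.",
}


def ts(year: int, month: int, day: int) -> datetime:
    """Helper for building timezone-aware UTC timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def statement_digest(version: str) -> str:
    return sha256(STATEMENTS[version].encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str            # who: patient identifier (constructed ids below)
    purpose: str               # granular purpose; one consent per processing activity
    when: datetime             # when: date/time of the form, click or conversation
    action: str                # "given" or "withdrawn"
    method: str                # how: "form", "online", "oral" or "email"
    recorded_by: str           # staff member or system that entered the record
    statement_version: Optional[str] = None  # what they were shown (for "given")
    statement_digest: Optional[str] = None   # digest of that wording
    reason: Optional[str] = None             # why they withdrew, where known


class ConsentLedger:
    """Append-only log of consent events; entries are never edited or deleted."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_given(self, subject_id, purpose, when, method, recorded_by,
                     statement_version) -> ConsentEvent:
        if statement_version not in STATEMENTS:
            raise ValueError(f"unknown consent statement version {statement_version!r}")
        ev = ConsentEvent(subject_id, purpose, when, "given", method, recorded_by,
                          statement_version, statement_digest(statement_version))
        self._events.append(ev)
        return ev

    def record_withdrawn(self, subject_id, purpose, when, method, recorded_by,
                         reason=None) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, when, "withdrawn", method,
                          recorded_by, reason=reason)
        self._events.append(ev)
        return ev

    def events_for(self, subject_id, purpose) -> list[ConsentEvent]:
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.when)

    def consent_in_force(self, subject_id, purpose, at) -> Optional[ConsentEvent]:
        """The 'given' event that was in force at time `at`, or None."""
        current = None
        for e in self.events_for(subject_id, purpose):
            if e.when > at:
                break
            current = e if e.action == "given" else None
        return current

    def is_processing_lawful(self, subject_id, purpose, at) -> bool:
        """Withdrawal affects only processing after the withdrawal time."""
        return self.consent_in_force(subject_id, purpose, at) is not None

    def verify_evidence(self, ev: ConsentEvent) -> bool:
        """Check the stored digest still matches the master copy of that version."""
        return (ev.action == "given" and ev.statement_version in STATEMENTS
                and ev.statement_digest == statement_digest(ev.statement_version))

    def due_for_review(self, subject_id, purpose, at,
                       max_age=timedelta(days=730)) -> bool:
        """True when consent is in force but older than the review interval."""
        ev = self.consent_in_force(subject_id, purpose, at)
        return ev is not None and at - ev.when >= max_age


if __name__ == "__main__":
    ledger = ConsentLedger()  # constructed sample data
    ledger.record_given("P-0001", "research-sharing", ts(2022, 5, 1), "form", "TR",
                        "research-sharing-v1")
    ledger.record_withdrawn("P-0001", "research-sharing", ts(2023, 1, 10), "oral", "MM",
                            reason="no longer wishes to take part")
    print("lawful Sept 2022:", ledger.is_processing_lawful("P-0001", "research-sharing", ts(2022, 9, 1)))
    print("lawful Feb 2023:", ledger.is_processing_lawful("P-0001", "research-sharing", ts(2023, 2, 1)))
```

The ledger never rewrites an earlier entry: a withdrawal is a new event, so the audit trail for the period when consent was in force survives intact, which is exactly what lets the practice show that processing before the withdrawal was lawful.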

 

Checklist

Asking for consent

  • We have checked that consent is the most appropriate lawful basis for the processing.
  • The consent request is prominent and separate from our terms and conditions.
  • We ask people to positively opt in.
  • We do not use pre-ticked boxes or any other form of default consent.
  • We use clear, plain language that is easy to understand.
  • We explain why we want the data and what we will do with it.
  • We offer granular options to consent separately to different processing activities.
  • We name our practice and any third parties relying on the consent.
  • We tell people they can withdraw their consent.
  • We make sure people can refuse consent without detriment.
  • We do not make consent a precondition of a service.
  • If we offer online services directly to children, we do so only with parental consent and age-verification procedures in place.
 

Recording consent

  • We keep a record of when and how the person gave their consent.
  • We keep a record of exactly what they were told at the time.
 

Controlling consent

  • We regularly review consents to check that the relationship, the processing and the purposes have not changed.
  • We have processes in place to refresh consent, including any parental consent, at appropriate intervals.
  • We make it easy for patients to withdraw their consent at any time, and publicise how to do so.
  • We act on withdrawals of consent as soon as we can.
  • We do not penalise patients who choose to withdraw their consent.