One of the most important things Jane users in the EU need to do to comply with GDPR is to Determine and DECLARE the legal basis on which they will process personal data.
Many of Jane’s users will be able to prove that they are processing a special category of sensitive personal health data if the processing is necessary to provide health care or make a medical diagnosis. When processing such health data, clinics do not need to rely on consent for the legal basis for processing (and you’d want to head over to a different Guide Document: GDPR and Jane in the EU and scroll down to #2 Identifying the Lawful Basis on Which You Process Health Data).
But what about businesses in the EU that want to use Jane for serving clients outside of typical health-related services? In that case, you’ll need to choose another lawful basis for processing personal data, document that basis, and communicate it to your clients.
The information in this article summarizes consent for GDPR, and is not meant as legal advice.
Options for choosing a lawful basis for processing
Relying on the consent of your clients is just one of several lawful bases to justify processing personal data. Before we get into the details of consent, we’d like to mention that the Information Commissioner is clear that no one option (for a lawful basis for processing personal data) is better than the others in all situations. It really depends on the specifics of your business and the nature of the information that you will be processing.
The ICO advises that consent is appropriate as a lawful basis for processing personal data when your business is structured so that you can truly offer people real choice and control over how you use their data. For many allied health clinics that are required to comply with laws and bylaws about the creation, storage, protection and ultimate destruction of health and medical records, relying on consent won’t be appropriate because it would be misleading and unfair.
But if your business processes personal data that isn’t health or medical data, consent might be an appropriate basis.
What are the 6 lawful bases for data processing under GDPR?
1 - You have the consent of the person for whom you are processing data.
2 - Processing is necessary to uphold a contract.
3 - Processing is necessary for compliance with a legal obligation.
4 - Processing will protect the vital interests of another person, where it is literally a matter of life or death.
5 - Processing will have minimal impact on the individual, and it is necessary to uphold your own legitimate interests.
6 - Processing is necessary to provide health care or make a medical diagnosis.
It is likely that many non-healthcare and non-medical businesses will need to rely on #1 by obtaining the consent of the person whose data you are processing. Under GDPR, the concept of consent is very similar to previous laws across the EU, but the process for getting that consent, as well as an individual’s right to revoke that consent, has been strengthened.
You can read more about these options on the EU Information Commissioner’s website: Lawful Basis for Processing.
How is consent obtained under GDPR?
Here’s a summary of your options for obtaining consent and keeping it up-to-date.
Section 9(2)(a) of GDPR states that organizations can process personal data on the lawful basis of explicit consent obtained from the individual.
If you are using consent as your lawful basis for processing personal data, you now need to seek explicit consent to legitimize all data processing your business will be involved in, and this includes asking for consent to use a third-party clinic management solution such as Jane. Businesses can no longer assume consent, and clients must actively “opt in” to have their personal information collected, stored, and used. Pre-ticked check boxes are no longer an acceptable way for clinics to obtain consent.
Long or extensive Terms and Conditions that are illegible to most people are no longer acceptable.
Consent statements must be easy to read and understand, and they must be unambiguous.
It must be simple for your patients to provide consent.
It must be as easy for your patients to withdraw consent as it was to give.
Most marketing calls or messages, website cookies or other online tracking methods, and installing apps or other software on people’s devices will require explicit consent.
a) Separate consent requests from all other terms and conditions and clinic policies.
b) Also separate consent for each type of data processing you will be doing. GDPR requires that when the processing has multiple purposes, consent should be given for all of them.
c) Make sure the process for opting in is active. Use un-ticked opt-in boxes, a signature, or binary choice options (for example, Yes or No) that have equal prominence on your consent form.
d) On your consent request form, name your organization and any other third party organizations who will be relying on that consent.
There is significant debate across the EU on the requirement to name all third-party organizations your business uses to “process” personal data. On one side, GDPR states that third-party processors who will be relying on your data must be named in your consent requests. On the other side, in practice, naming every third party with which data may be shared may prove to be highly difficult and impractical, especially when lists of third-party vendors change and evolve. The argument is that any individual patient or client presented with a consent form that listed categories of third-party vendors would be able to make an informed decision about providing consent.
Since GDPR’s official Checklist for Consent includes the following check: “We name our organization and any third party controllers who will be relying on the consent,” it will likely be in the best interest of your business to name your own organization along with any third parties who will process that data, including Jane. If you have concerns specific to your clinic, you should seek legal counsel.
e) Document what each individual has consented to, including what they were told and when and how they consented.
f) On your consent request form, tell people that they have the right to withdraw their consent at any time, and state clearly how they can do this.
g) GDPR does not require that clinics ‘repaper’ or refresh existing consents. However, you need to audit your existing consent processes and records to make sure that they meet GDPR standards. If previous consents don’t meet GDPR standards, your clinic should re-do them.
Check to make sure your existing consents to process personal health information were active consents.
Make sure you have informed your clients of an easy process for withdrawing their consent.
If your existing consents do not meet GDPR’s high standards, you will need to refresh your processes and consents or stop processing that personal health information.
Moving into the future, it’s important to note that GDPR does not set a specific time limit for consent. Still, consent is likely to degrade over time. How long it lasts will depend on the context. You will need to consider the scope of the original consent and the individual’s expectations.
And if you haven’t already, we recommend consulting the European Union Information Commissioner’s Office resources on Consent.
And finally, many of the links in this article send you to specific sections of EU ICO’s data protection guide. If you’d like to scroll through all the topics yourself: Guide to Data Protection. And as always, Jane is here to help. Let us know if you need a hand.