GDPR places an emphasis on the important aspect of consent in relation to data protection

The General Data Protection Regulation (GDPR) comes into force throughout the European Union (EU) on 25th May 2018. On that date the UK will still be a member of the EU, so the Regulation will automatically become part of UK law. This means that the Data Protection Act 1998 (DPA 1998) will cease to be law.

Consent

Consent is one of the most important parts of ensuring compliance with the GDPR. Gaining consent is a simple way of ensuring that your processing is lawful (in accordance with the first privacy principle), so the Regulation sets strict conditions to make sure that consent is fairly obtained and not abused.

Article 4, Clause 11 of the GDPR stipulates that ‘consent’ of the data subject means any:

  • freely given,
  • specific,
  • informed and
  • unambiguous

indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Article 29 Data Protection Working Party Guidelines on Consent under Regulation 2016/679

Essentially, consent can only be lawful if the data subject is offered control and a genuine choice to accept or decline the terms offered, without detriment. The employment relationship is considered an unequal relationship and therefore consent will be considered unlawful. Is the Occupational Health data subject relationship an equal relationship? Diana Kloss MBE has advised Cohort Software to check the Information Commissioner’s response to the adoption of the EU Article 29 Data Protection Working Party guidelines on consent.

However, as Occupational Health professionals our duty of confidentiality still applies, so we need to continue our current processes in relation to consent. The GMC is revising its ethical guidance on consent, and draft guidance will be released for comment in early 2018.

GDPR, Article 9, Clause 2

Article 9 states that, as a rule, you are not allowed to process sensitive data at all. Sensitive data relates to data about race, political opinions, religion or philosophical belief, genetic data, biometric data, health, sex life or sexual orientation. Processing is prohibited unless one of the conditions in GDPR, Article 9 (2) applies. Diana has advised that this is the first time the term ‘occupational medicine’ has been mentioned in statute. To process sensitive health data, Occupational Health practitioners are going to have to show either that we have explicit consent or that our:

“(h) processing is necessary for the purpose of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems or pursuant to contract with a health professional and subject to the conditions and safeguards in paragraph 3;”

Or,

“(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”

Here at Cohort Software we are working with Diana Kloss and industry experts to understand what changes to our policies, procedures and products may be required before May 2018.