
Consent and health data

Watch Melania Tudorica explain more about consent under the GDPR.

Within a medical context, the legal basis for processing health data is usually the (implicit or explicit) contract between a patient and a medical professional (Article 6(1)(b) GDPR). Anna therefore never had to sign a document giving her consent for medical treatment. Health data can, however, also be processed outside the medical context, for example by Anna's running app.

Health data belongs to a special category of personal data (sensitive data). The GDPR prohibits processing of this type of data unless one of the conditions listed in Article 9 GDPR is met. Healthcare providers who are bound by professional secrecy are exempted from this prohibition (Article 9(2)(h) in combination with Article 9(3)). Another exemption is explicit consent given by the data subject (Article 9(2)(a)). This means that processing of health data outside the medical context needs to be based on Anna's explicit consent: she has to agree, for example, to the processing of her health data by the running app.

A privacy policy is in this case the most common way to inform people about how their data is going to be processed. Privacy policies have to be written in clear and plain language, and a controller has to be able to demonstrate that consent has been given (Article 7(1) GDPR). When presented with a privacy policy, users are sometimes asked to agree with its content. Informing users and obtaining their consent are two separate obligations, though, and in such cases the question arises whether people actually read the privacy policy before they agree to it.

This article is from the free online

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

Created by
FutureLearn - Learning For Life
