
Consent and health data

Watch Melania Tudorica explain more about consent under the GDPR.
3.1
MELANIA TUDORICA: In this activity, you’ll learn about consent and you discussed it with fellow learners. You may have come to the conclusion that Anna never signed a document giving her consent for medical treatment. In the Netherlands, the legal basis for medical treatment is a contract, which is most of the time entered upon implicitly. The very fact that you go to your doctor already implies consent to this contract. This means that consent as a basis for lawful processing, as determined by the GDPR, is only needed if the medical data is used for another purpose than the necessary treatment. An example of another purpose is using the data for medical research. We will explain more about this in Week 2.
43.2
However, health data is not only used within a medical context. We saw Anna use a running app. You may recollect that health data is part of a special category of personal data, which is also referred to as sensitive data. The GDPR prohibits processing of this type of data, unless one of the conditions mentioned in Article 9 is met. One of these exemptions is explicit consent given by the data subject. This means that Anna has to agree with the processing of her health data by any app. In this case, the running app. The GDPR provides for a number of conditions for consent. A controller, such as an app company, has to be able to demonstrate that consent has been given.
82.8
A privacy policy is the most common way to inform people on how their data is going to be processed. Privacy policies have to be written in clear and plain language. As you saw earlier, this is not always the case. When presented with a privacy policy, the user is sometimes asked to agree with its content. However, the question is if people actually read the privacy policy. Research has shown that a vast majority of people never do. Sometimes, when downloading an app, if you look closely, you see that you can click on the privacy policy in order to read it.
116.5
You don’t always have to actually agree with the whole policy, but you may be asked to give the app access to, for example, your GPS as location. This practice does not seem to be in line with the provisions of the GDPR. Consent is one of the principles to protect data subjects like Anna. The GDPR provides for more rights for data subjects. You will learn more about this in the next activity.
Within a medical context, the legal basis for processing health data is often the (implicit or explicit) contract between a patient and a medical professional (Article 6 (1, b) GDPR). Anna never had to sign a document giving her consent for medical treatment. Health data can, however, also be processed outside the medical context, for example by Anna’s running app.
Health data is part of a special category of personal data (sensitive data). The GDPR prohibits processing of this type of data unless one of the conditions mentioned in Article 9 GDPR is met. Healthcare providers who are bound by professional secrecy are exempted from this prohibition (Article 9 (2, h and 3)). One other exemption is explicit consent given by the data subject. This means that processing of health data outside the medical context needs to be based on Anna’s explicit consent. She has to agree, for example, with the processing of her health data by the running app.
In this case, a privacy policy is the most common way to inform people about how their data is going to be processed. Privacy policies have to be written in clear and plain language, and a controller has to be able to demonstrate that consent has been given. When presented with a privacy policy, users are sometimes asked to agree with its content. However, in such cases, the question arises whether people actually read the privacy policy.
This article is from the free online

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

Created by
FutureLearn - Learning For Life
