Consent and health data

Watch Melania Tudorica explain more about consent under the GDPR.
3.1
MELANIA TUDORICA: In this activity, you’ll learn about consent and you discussed it with fellow learners. You may have come to the conclusion that Anna never signed a document giving her consent for medical treatment. In the Netherlands, the legal basis for medical treatment is a contract, which is most of the time entered upon implicitly. The very fact that you go to your doctor already implies consent to this contract. This means that consent as a basis for lawful processing, as determined by the GDPR, is only needed if the medical data is used for another purpose than the necessary treatment. An example of another purpose is using the data for medical research. We will explain more about this in Week 2.
43.2
However, health data is not only used within a medical context. We saw Anna use a running app. You may recollect that health data is part of a special category of personal data, which is also referred to as sensitive data. The GDPR prohibits processing of this type of data, unless one of the conditions mentioned in Article 9 is met. One of these exemptions is explicit consent given by the data subject. This means that Anna has to agree with the processing of her health data by any app. In this case, the running app. The GDPR provides for a number of conditions for consent. A controller, such as an app company, has to be able to demonstrate that consent has been given.
82.8
A privacy policy is the most common way to inform people on how their data is going to be processed. Privacy policies have to be written in clear and plain language. As you saw earlier, this is not always the case. When presented with a privacy policy, the user is sometimes asked to agree with its content. However, the question is if people actually read the privacy policy. Research has shown that a vast majority of people never do. Sometimes, when downloading an app, if you look closely, you see that you can click on the privacy policy in order to read it.
116.5
You don’t always have to actually agree with the whole policy, but you may be asked to give the app access to, for example, your GPS as location. This practice does not seem to be in line with the provisions of the GDPR. Consent is one of the principles to protect data subjects like Anna. The GDPR provides for more rights for data subjects. You will learn more about this in the next activity.

Within a medical context, the legal basis for processing health data is often the (implicit or explicit) contract between a patient and a medical professional (Article 6 (1, b) GDPR). Anna never had to sign a document giving her consent for medical treatment. Health data can, however, also be processed outside the medical context, for example by Anna’s running app.

Health data is part of a special category of personal data (sensitive data). The GDPR prohibits processing of this type of data unless one of the conditions mentioned in Article 9 GDPR is met. Healthcare providers who are bound by professional secrecy are exempted from this prohibition (Article 9 (2, h and 3)). One other exemption is explicit consent given by the data subject. This means that processing of health data outside the medical context needs to be based on Anna’s explicit consent. She has to agree, for example, to the processing of her health data by the running app.

A privacy policy is in this case the most common way to inform people about how their data is going to be processed. Privacy policies have to be written in clear and plain language, and a controller has to be able to demonstrate that consent has been given. When presented with a privacy policy, users are sometimes asked to agree with its content. However, in such cases, the question arises whether people actually read the privacy policy.

This article is from the free online

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

Created by
FutureLearn - Learning For Life
