GDPR Myths and Questions #3 – Consent and Lawful basis

You need to identify the lawful basis you are using for processing someone’s personal data – i.e. your justification for processing that data. There are 6 different lawful bases that you may use, for any given set of data. One of these is consent, but there are others too – e.g. ‘contract’ (valid if someone’s personal data needs to be processed to fulfil your contractual obligations, or because they’ve asked you to do something before entering into a contract, such as provide information). This is completely separate from your consent to treatment process so don’t get them muddled. You may identify more than one lawful basis for different elements of the data you collect e.g. health data and marketing data.

If you do use ‘consent’, it should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.

Consent is normally needed for marketing contact with patients but most of the other information collected by osteopaths will fall under one of the other lawful grounds for processing data. A simple table of the 6 lawful bases is below.

As well as identifying the lawful basis (or bases) for the general processing of data within your practice there is another requirement. Osteopaths also process what is referred to as ‘Special category data’ because we collect health information.  The condition for processing Special category data also needs to be identified – I have identified the condition from the 10 possible conditions as falling under condition 2(h) from article 9 for medical diagnosis and provision of health services –

Article 9

  1. (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
  2. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

In summary you should clearly identify in your privacy notice the lawful basis (or bases) for processing data and the condition for processing special category data.

 

Lawful Grounds for Processing Data under GDPR
# Summary Lawful Ground
1 Consent given The data subject has given consent
2 For performance of contract It’s necessary for the performance of a contract
3 To comply with legal obligation It’s necessary for the controller to comply with a legal obligation
4 To protect vital interest of data subject or other It’s necessary to protect the vital interest of the data subject or other natural person
5 Perform task in public interest It’s necessary to perform a task in the public interest
6 Legitimate interest persued by controller It’s necessary for the purposes of the legitimate interest pursued by the controller or third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Leave a Reply

Your email address will not be published. Required fields are marked *