What does consent mean under the GDPR?
Processing personal data is commonly prohibited, unless it is expressly allowed by law or the person whose data it is has consented to it. Since 25 May 2018, a dentist obtaining consent has to record when and how the patient consented to having their personal data used and stored. Remember you do not need consent for treating patients, but you would for certain types of marketing, such as using a patient’s image.
The key point is that consent has to be explicit and cannot be inferred from silence or inactivity. For the dentist, this means keeping consent as separate from the conditions of service as possible, in order to foster transparency and avoid confusion. Furthermore, if consent is sought online, pre-ticked boxes are no longer permitted, as consent could otherwise be obtained illegitimately simply because the patient overlooked unticking the box.
Naturally, consent means the patient was given a genuine choice and had control over how this data would be used or else it was not “freely given” and thus invalid. The patient must therefore be able to refuse and withdraw consent without suffering detriment. This means that a refusal to consent cannot cause a patient to be treated unfairly. It is not uncommon for consent to convey a benefit – agreeing to have their data used might mean a patient has access to loyalty schemes, vouchers or special information. This is perfectly legitimate, as long as the practice or associate can assure that those who have not consented do not suffer any direct detriment as a result.
How can consent be obtained?
- Patient signs a consent statement on paper
- Patient answers yes to a clear oral consent request
- Patient selects from clear yes or no options on paper or online
- Patient ticks an opt-in box on paper or electronically
- Patient positively responds to an email requesting consent
- Patient volunteers information for a specific purpose – for example through optional fields on an official form or personally giving the dentist their business card
What needs to be in a consent request?
The data controller’s identity – This means the practice needs to identify themselves as well as any third parties who will have access to the consent and data, such as associates.
The purpose of obtaining the data – This means offering an option to consent to each separate purpose, and the request has to list all of the purposes for which the data will be used.
The types of data that will be collected – This covers all types of data collected, together with what they will be used for and how. It needs to be clear, for example, that an email address will be used for marketing purposes whereas a picture might appear on Instagram.
The right to withdraw at any time – This must be clearly stated along with advice on how to do so. Any potential withdrawal must be followed up on immediately.
Who can give consent?
Under the GDPR, a third party can give consent on behalf of someone else, as long as they can demonstrate the authority to do so. This covers cases where an individual lacks the legal capacity to consent due to age or mental incapacity. The authority here must be of a legal nature, meaning the third party has to show they are a parent or guardian, or any other person entitled to make decisions on behalf of the individual, for example under a Power of Attorney.
How should consent be recorded?
A record of data obtained and consented to being used should be kept for as long as the data is used by the dentist. This is to show compliance and accountability at any given point. It also serves for the purposes of monitoring and refreshing consent and should consequently include:
Who consented – This means the name of the individual and of any third party who consented on their behalf, along with other identifiers such as an online user name or session ID.
When they consented – This includes a copy of a dated document, or online records that include a timestamp. For oral consent, the dentist should make a note of the time and date of the conversation.
How the patient consented – For written consent, this means a copy of the relevant document. For online consent, the associate’s records should include the data submitted as well as a timestamp to connect it to the relevant version of the data capture form. For oral consent, the dentist should keep a note of this made at the time of the conversation as mentioned. However, this does not have to be a full record of the conversation.
Withdrawal – This means whether and when consent has been withdrawn.
How long does the consent last?
There is no specified time limit within the GDPR, but the dentist is advised that the validity of consent can erode over time, depending on context. The relationship with the patient or the purpose of the data usage might change, so it is important the associate considers the original consent and what the patient expected it would entail. An example might be someone who was a patient, then becomes a patient of someone else, but then becomes the associate’s patient again. Their expectation will be that their original consent expired when they left, and the associate will have to obtain fresh consent.
Consent checklist
- Make the request for consent noticeable and separate from your terms and conditions
- Use clear, plain language that is easy to understand by everybody
- Give separate options to consent to different purposes of data use and processing
- Specifically name your practice and any third parties who will use the patient’s consent
- Inform the patient they can withdraw their consent at any time, advertise how to do so and make the process of withdrawal clear and easy
- Make sure withdrawal of consent is realised as soon as possible
- Ask patients to positively opt in to giving their consent
- Inform the patient why you need the data and what is going to happen with it
- Make sure you have processes in place to regularly review and refresh consent with regard to patient-relationship, processing and purposes of data use
- Do not make consent a precondition to service
- Do not use pre-ticked boxes that a patient would have to actively untick as this could be construed as illegitimate default consent
As long as they stick to the checklist, the dentist should be protected under the GDPR. Instagram away!
Henriette Kaerger, Paralegal