Gaining Consent in the Age of GDPR

Healthcare organisations should already be doing 70-75% of the points outlined in the GDPR according to Dawn Monaghan, head of data sharing and privacy (NHS England), head of Strategic IG (NHS Digital) and director Information Governance Alliance. Speaking at UKA Live: Identity, Consent & GDPR, she mentioned that there are 3 sections, the area that organisations should already be doing as part of the Data Protection Act 1998, the bits that are part of good practice codes that will become mandatory in May (this is around 30%), and then the brand new aspects.

Gaining Consent within Healthcare

One of the biggest changes brought in by the regulation is gaining consent to use the visitor’s data. Within Healthcare there is implied consent for direct care and that patient data can be shared among medical professionals. The example Monaghan used within the webinar was that “If I go to the doctor with a bad knee, he takes all my data and says I’m going to share that with the hospital as a consultant needs to see it, it is my reasonable expectation that that GP will share it with the hospital and consultant.”

There is also section 251 of the National Health Service Act 2006 that enables “the common law of confidentiality to be temporarily lifted so that confidential patient information can be transferred to an applicant without the discloser being in breach of the common law duty of confidentiality”. This is to be used in cases such as a patient attending Accident and Emergency (A&E), they can skip gaining consent to have access to the patient’s data but they do need to inform them how they are using it.

The application of gaining consent is to be used for purposes other than direct medical care. It is easy to record consent given in writing or over the phone when providing a service; however most organisations will receive personal data when an individual enquires through the website, so how can they gather the visitor’s agreement before they submit their identifiable details?

Organisations will need to inform visitor’s how they intend to use their personal data; this should be accessible and can easily be done within the website’s privacy policy. A link to this should be provided on any area that gathers visitors’ details (pre-chat form, contact form etc.), alongside a mandatory box that they will need to tick before the enquiry is submitted. The tick box cannot be pre-filled, and indicates that the visitor has read and understood how the organisation will use their data, recording their consent to this use.

Visitors are also able to withdraw their consent after the data has been processed under their right to be forgotten. Organisations will need to ensure they remove any records that contain traces of identifiable personal data which now includes IP addresses.

Providing Secure Software to Healthcare Organisations

Click4Assistance have recently released ‘Experiences’ the new enhanced solution, which has been developed around advanced security and GDPR.

All forms are fully customisable within the system, allowing links to privacy policies and mandatory tick boxes to be added to pre-chat, pre-call and smartContact forms etc. Data is encrypted whilst in transit using secure connections such as HTTPS / SSL, it is then stored within a fully reliable and robust back-end, where it is encrypted at rest on servers that are located in Equinix, London. 

Click4Assistance is an UK company and has been providing chat on your website software for over 10 years; our customers include CWP NHS, BMI Healthcare and NHS Scotland. For more information about complying with GDPR and the new enhanced solution contact out team on 01268 524628 or email theteam@click4assistance.co.uk. 

Author: Gemma Baker

Gemma is the Marketing Executive for UK live chat software provider, Click4Assistance, with a range of digital knowledge within PPC advertising, SEO practices, email campaigns and social media.