One of the most important things Jane users in the EU need to do to comply with GDPR is to determine and declare the legal basis on which they will process personal data.
Here are the exact words from the EU Information Commissioner:
Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.
Most clinics using Jane can’t offer people real choice when it comes to collecting and processing health data, because that data is deemed necessary for upholding standards of care and generating medical diagnoses. Most importantly, the collection, storage, and protection of that data are regulated by local laws and by regulating body by-laws and requirements. GDPR respects those laws, by-laws, and requirements and expects health care professionals to follow them.
Instead of asking for consent to collect and process data, EU clinics using Jane will document a legal basis for collecting and processing data, and then separately ask for the other consents they need (consent to treat, etc.).
Looking for the right words to document a Legal Basis for collecting and processing data? We’ve come up with a paragraph to get you started. Have a look at: GDPR Consent Language.
If you haven’t already, we recommend consulting the European Union Information Commissioner’s Office resources on Consent.
And finally, many of the links in this article send you to specific sections of EU ICO’s data protection guide. If you’d like to scroll through all the topics yourself: Guide to Data Protection. And as always, Jane is here to help. Let us know if you need a hand.
The information in this article summarizes consent for GDPR, and is not meant as legal advice.