C THE SIGNS PATIENT CONSENT TO DATA UPLOAD
The LMC has heard concerns about patient consent to upload data to the C the Signs platform. CCG DPO Mr Kevin Caldwell has reassured us that a DPIA was completed, in which consent was not judged the appropriate legal basis for processing patient data for this direct care purpose. Under GDPR, Article 6(1)(e) (public task) and Article 9(2)(h) (management of health and social care) apply. Under Common Law, reasonable expectations/implied consent were considered appropriate. This was supported by the amended template privacy notice circulated to practices earlier this year, which includes reference to the use of third-party digital tools and software by practices to support specialist areas of care. Practices remain the data controllers, with C the Signs as data processor, in a similar way to how practices use EMIS (a third party) to create a record when a patient registers. You wouldn’t seek formal consent from a patient to create the record, as it would be within the reasonable expectations of a new patient and implied as part of the registration process.

“As long as practices are letting patients know via their privacy notice that they use digital tools to support direct care with assurance that appropriate due diligence has been completed and documented, then my view is it is legitimate to rely on reasonable expectations/implied consent as a basis to process.”