GDPR Policy
GDPR10 - Consent Authorisation Policy and Procedure
1. Purpose
- To ensure that Choice Healthcare 24 seeks consent from the Data Subject in a way that is GDPR compliant.
- To ensure that when Choice Healthcare 24 seeks to obtain consent, Choice Healthcare 24 follows the Mental Capacity Act 2005 and Code of Practice where Service Users lack capacity.
- To support Choice Healthcare 24 in meeting the following Key Lines of Enquiry:
- To meet the legal requirements of the regulated activities that Choice Healthcare 24 is registered to provide:
  - Mental Capacity Act 2005
  - Mental Capacity Act Code of Practice
  - General Data Protection Regulation 2016
  - Data Protection Act 2018
2. Scope
- The following roles may be affected by this policy:
  - All staff
- The following people may be affected by this policy:
  - Service Users
- The following stakeholders may be affected by this policy:
  - Family
  - Advocates
  - Representatives
  - Commissioners
  - External health professionals
  - Local Authority
  - NHS
3. Objectives
- To ensure that Choice Healthcare 24 obtains appropriate and General Data Protection Regulation (GDPR) compliant consent from Data Subjects, including Service Users, where consent is necessary.
4. Policy
- Choice Healthcare 24 understands that it may be able to rely on a ground other than consent under GDPR, such as legitimate interest, fulfilment of a contract, or the processing of special categories of data for the provision of health or social care or treatment or the management of health or social care systems and services. Choice Healthcare 24 will review the guidance note entitled "GDPRG04 - Processing Personal Data" for more information about the grounds for processing under GDPR.
- Choice Healthcare 24 understands that if it is required to seek consent from Data Subjects, including Service Users, such consent should be freely given and Choice Healthcare 24 should clearly explain the processing that it intends to carry out in respect of the personal data.
- Choice Healthcare 24 understands that under GDPR consent has to be:
  - Explicit - consent requires a very clear and specific statement of consent
  - Separate from other terms and conditions
  - Specific and ‘granular’ so that Choice Healthcare 24 gets separate consent for separate things. Vague or blanket consent is not enough
- Choice Healthcare 24 understands that it should take extra care when processing personal data about children. Choice Healthcare 24 recognises that GDPR does not specify an age at which children are deemed to be able to consent to their personal data being processed under GDPR (except where online services are being provided to a child, in which case a child can provide their consent at the age of 13).
- Choice Healthcare 24 shall seek consent in line with any relevant provisions in the Data Protection legislation and shall ensure that the ways in which it obtains consent from a child are appropriate. For example, Choice Healthcare 24 will obtain consent using language that is appropriate and easily understood by the child, taking into account the child's age and ability and the type of personal data being processed.
5. Procedure
- Choice Healthcare 24 will use the template forms provided if Choice Healthcare 24 determines that it is required to seek consent from Data Subjects, including Service Users, to process their personal data under GDPR. If Choice Healthcare 24 is uncertain as to whether consent is necessary or it is able to rely on an alternative ground, it will seek further advice.
- Choice Healthcare 24 will ensure it uses the appropriate form, bearing in mind whether the Data Subject has capacity or lacks capacity.
- Choice Healthcare 24 will ensure that, where children's services are provided or activities are undertaken where children might be present or involved, parental/guardian consent is obtained in advance. This would include situations such as social events where photographs might be taken.
6. Definitions
- Data Subject: The individual about whom Choice Healthcare 24 has collected personal data
- Personal Data: Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, defined below
- Process or Processing: Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data – at the point you collect it, you are processing it
- Special Categories of Data: Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special categories of data include but are not limited to medical and health records (including information collected as a result of providing health care services) and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views
- Data Protection Act: The Data Protection Act 2018 implements GDPR in the UK
- GDPR: General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It became enforceable on 25 May 2018
Key Facts - Professionals
Professionals providing this service should be aware of the following:
- Should be used if consent needs to be obtained from a Data Subject, including Service Users
- Personal data is any information that identifies someone or, in some cases, information that is about a person, such as an opinion. It includes someone's name, email address, postal address, job role, photographs, CCTV and more. Sensitive personal data includes types of information such as medical and health records, Care Plans, information about religious beliefs, origin and race, someone's sexual orientation or political views
Key Facts - People Affected by The Service
People affected by this service should be aware of the following:
- The online form will be used by Choice Healthcare 24 to obtain your consent to Choice Healthcare 24 processing your personal data where consent is required under GDPR
Further Reading
As well as the information in the 'Underpinning Knowledge' section of the review sheet we recommend that you add to your understanding in this policy area by considering the following materials:
General Data Protection Regulation (GDPR) guidance: https://digital.nhs.uk/information-governance-alliance/General-Data-Protection-Regulation-guidance
Outstanding Practice
To be ‘Outstanding’ in this policy area you could provide evidence that:
- You carefully consider whether consent is the appropriate ground for processing personal data and you document your decision and the rationale behind it
- The wide understanding of the policy is enabled by proactive use of the QCS App
- You conduct data privacy impact assessments in respect of the ways consent is obtained, particularly if consent is being provided by a child