GDPR and Processing Sensitive Data

Transcript of the Video

Good evening, ladies and gentlemen, Suzanne Dibble here, data protection law expert coming to you raw and uncut at 1:07 AM on a Sunday night/Monday morning. I have been struggling this evening for the past couple of hours really, thinking, "What can I do a video on that is going to add value?" And we've covered so much ground now that I'm really struggling to do topics that are going to add value but don't require extensive research by me. So I went through the list of videos that people had requested, and some of them are very specific and I don't feel will have general application for others, and I have replied individually to those where I can.

But I did think that this, although it won't be applicable to many people in the group, I know is a question that was raised by a number of therapists, and that is about the conditions for processing sensitive data. Now, we had a bit of a discussion in the group around whether explicit consent is needed, and let me just find the relevant bit. Oh, I've moved off the post. Let me find it, because it was an interesting post, because I'd always say that you need explicit consent for processing sensitive data, and the chap, whose name is I can't quite remember now, made some very sensible comments about the problems with consent, and I know that I think there was another post where somebody had actually heard, well, had conflicting advice from the ICO about whether to rely on consent for therapists or not, for coaches and therapists.

I'm just trying to scroll down to find this comment. Yes, so it was Joshua Carrick Baker, who said, "Why would therapists not be using legitimate interest and/or contract," as the initial ground of processing? And then 9.2h in relation to the special consent for processing sensitive data, which is all about health data. And he said, "Data subjects aren't just your clients. It's anyone who's identifiable from the data that you're processing, so, in effect, anyone the client refers to where they can be identified." And, i.e. it would be very difficult, if not impossible, to get consent for processing that personal data from that other person.

So I've looked into it a bit further, and I've actually looked at the Data Protection Bill, which is the bill that will become an act, the new Data Protection Act in the UK. And, sorry, this is specific to the UK only, so sorry to those of you that aren't in the UK. But this is what we'll be implementing, GDPR in the UK, and I'll tell you what it says, which kind of answers this question. So there are 10 conditions for processing sensitive data, and the health-related one says, "The processing is necessary for medical purposes, and is undertaken by a health professional, or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person was a health professional."

Okay, so there's a few things there. The first is, it's necessary for medical purposes. Further down, it says, "In this paragraph medical purposes includes," so that's not ideal, because that's telling me that it only includes it, and arguably there are more things that it could be. But, "Includes the purposes of preventative medicine, medical diagnosis, medical research, and the provision of care and treatment and the management of healthcare services." Okay, so, for me, and bear in mind I'm not in that industry, but, for me, being a coach or a complementary therapist would not bring you inside that definition. Happy to debate it if you have other views, but, for me, from, as I say, not being in the profession, I would say that does not include complementary therapists or coaches.

Now, the first bit, sorry, well the bit after that, "Is undertaken by either a health professional." Now, health professionals are a big long list of them. So health professional means any of the following. A registered medical practitioner, a registered nurse or midwife, a registered dentist, a registered optician, a registered osteopath, a registered chiropractor, a person registered as a member of a profession to which the Health and Social Work Professions Order for the time being extends. And I have to admit, I don't know what is covered in that. A registered pharmacist, a child psychotherapist, and a scientist employed by a health service body as a head of the department. And that's the definition of a health professional.

So it's processing necessary for medical purposes and it's undertaken by a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person was a health professional. So if you have a governing body, and you are under a duty of confidentiality, so in the same way that I, as a lawyer, and I have professional duty of confidentiality, if there is a similar level of confidentiality for you, then you would be able to process as long as it's necessary for medical purposes.

Okay, so the first test is, is it for medical purposes? If it's not, then that's it. But if it is for medical purposes, then it has to be undertaken by either a health professional or a person who has these confidentiality obligations on him or her. So that is what the Data Protection Bill says about that. If you can't fit within that particular extra condition for processing sensitive data, then you need to look at the others, and one thing that I did notice actually was that the bill doesn't talk about explicit consent, it talks about consent. It says, "The data subject has given consent to the processing." Whereas, the relevant bit of GDPR said, "The data subject has given explicit consent to the processing for one or more specified purposes."

But in our bill, it just says, "The data subject has given consent to the processing." There's a condition relating to employment, which won't be relevant to the coaches and therapists. There's a condition for the vital interests of a person, and that's where consent can't be given by the data subject. You can't reasonably be expected to obtain the consent of the data subject. And it's in order to protect the vital interests of another person in a case where consent by or on behalf of the data subject has been unreasonably withheld. So, again, that's, I think, very limited circumstances. There's safeguarding of children and of individuals at risk. There's a data already published by a data subject, so where data's already been made public. There's a ground for legal proceedings. There's ground for the administration of justice.

Then there's this medical purposes ground that we've just talked about. And then there is an equality ground, which is where the processing of sensitive data containing information as to racial or ethnic origin and it's necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins with a view to enabling such equality to be promoted or maintained and is carried out with the appropriate safeguards for the rights and freedoms of data subjects.

So if you are a coach or a therapist, I think the only two grounds that will apply are the consent of the data subject and this health-related ground, if you can get it within that. So, love to know your thoughts on that. As I say, I'm not in the industry, but let me know if you think that you would fit into the medical purposes ground, or whether you would have to get consent. I'm going to leave that there. I'm sure more discussion will come out of this video. I'm very interested in it, so please do post, and I'll also post a link to the Data Protection Bill. It is huge, so if anyone wants to plow through that, do feel free. Okay, I will leave it there. I'm going to go and get some shut-eye, and I'll see you tomorrow.