GDPR and the Processing of Sensitive Data by Health Professionals

Transcription of Video

Good afternoon, everybody. Suzanne Dibble here, Data Protection Law Expert, coming to you raw and uncut from the Island of Sentosa, just off the Singapore mainland, a little island, and little fun ... I'm not sure what the word is ... fun mecca. There are all kinds of bungee jumping and zip wiring and cable car and theme parks, and you name it, it's here on Sentosa.

But I just wanted to do this very quick video for healthcare professionals. I've had a number of questions from healthcare professionals who are concerned about the processing of sensitive data because they've seen my videos that say that to process sensitive data, the consent that you need for that is a higher standard than when you're not processing sensitive data, and you need explicit consent from individuals to doing that. And explicit consent means either ...

Look, a little peacock's come and joined me. Look at this, ladies and gentlemen. Can see that there? He wants to learn about GDPR, too. Or she. Not quite sure which way round the sexes are. But look, he's just literally flown down in front of me. Well, there you go. That's a first.

So processing sensitive data. So healthcare professionals are concerned that they have to go out and get the consent, the explicit consent, either signing a form or some kind of double opt-in process, to get the explicit consent of people, historically, who they've obtained sensitive data from and are still storing it or otherwise processing it. Obviously, that's a big concern because that's a big exercise isn't it, to be doing that?

But actually, what I didn't go on to say, because my previous videos were of more general application, is that there are other grounds for processing sensitive data if you are a healthcare professional. I'll post the specific ground in the comments to this video, but essentially, what it says is that if you are providing ... sorry, if you're processing sensitive data as part of providing healthcare services, and you are subject to a confidentiality requirement as part of your profession, so in the same way that as a lawyer, I'm subject to a duty of confidentiality to my clients, well, if you are too, then that is sufficient for the purposes of processing sensitive data. You would not need to go and get explicit consent from your data subjects.

As I say, I'll post the exact wording of the article of GDPR in the comments to this video, so you can have a read of it for yourself, but hopefully, that should set a lot of your minds at rest over that. You don't have to go back through the records of thousands of patients and go and request that explicit consent. Okay, so a short, snappy, specific video for you today, but I hope that helps those of you who are in the health service industry.