Ethics Guidance for Occupational Health Practice 9th Edition - Book - Page 47
3.50. If the provider is the same, the provider must ensure that occupational health
professionals do not cross reference records without consent, except where it
is in the public interest to do so, for example where a worker has a health
condition that may create a health and safety risk in the new employment. In
some circumstances (e.g. a move within the NHS), it may be in the best interests
of the worker and the employer to transfer records, but explicit consent should
be sought from the worker affected.
Consent and the UK GDPR
3.51. The UK GDPR provides several different lawful bases for the processing of
personal data, of which consent is only one. Although health professionals
should continue to seek consent to the disclosure of confidential information
to third parties in order to comply with the common law of confidentiality and
the ethical rules of their professions, it is usually advisable to rely on another
lawful basis for the purpose of complying with the UK GDPR.
Using consent as a lawful basis (which is not mandatory) is different from the
duty to act lawfully by complying with the common law and the Human Rights
Act obligations not to disclose confidential information without consent.
3.52. The UK GDPR defines consent as follows:
“Consent of the data subject means any freely given, specific, informed and
unambiguous indication of the data subject’s wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the processing
of personal data relating to him or her”.
Implied consent is therefore insufficient, and for that reason, health care
providers like NHS Trusts may have to justify their processing of data when they
share clinical information among a team of health professionals without explicit
consent by another lawful basis under the Regulation.
3.53. Recital 43 [26] (guidance on the meaning of the Regulation) states that consent
should not provide a valid legal ground for the processing of personal data in
a specific case where there is a clear imbalance of power between the data subject
and the controller, in particular where the controller is a public authority and it
is therefore unlikely that consent was freely given in all the circumstances of
that specific situation.