is the current buzzword in healthcare tech and especially in the context of the looming GDPR deadline or European regulation of data protection. Those in charge of controlling the data are getting nervous about what they do with the information they have and the rest of us are slowly realising how much we are giving over. Whichever side of the fence you are, the word consent seems to lead to a rise in heart beat and a wish that we could go back to the simple life before we were aware of how much Facebook was playing with our data.
For practising physicians, consent is the basis of all clinical interventions, drummed in to all levels and all types of interventions. From the implied consent to draw blood by putting your arm out to the needle to a 3 page pre-operation document, consent is part of our daily bread. Doubts come (usually retrospectively when faced with a complaint) as to whether written consent using up an extra desperately needed 5 minutes in the emergency room is enough, or whether we should wing it on oral consent which still has to be documented in the notes. Whichever it is, there is not doubt that it has to be part of the process. Revised guidance from the Royal College of Emergency Medicine details practically how to deal with consent issues in the Emergency Department in the UK in a short document.
The big question which is more complicated is does that person have capacity to take the decision to give consent. For physicians this question comes up obviously when faced with an intoxicated or unconscious person although the answer is not for that reason easy. Although some of the principles may seem to be more specific to a medical setting such as best interests and the least restrictive intervention, others lead to interesting questions for the tech industry when it comes to look at future legislation. The Mental Capacity Act 2005 in the UK gives the possibility of an individual to make what might be seen as unwise or eccentric decisions and that there is a presumption of capacity. How does this translate when the consent is being given online and where so the responsibilities of the data controllers lie when it comes to assessing the capacity to give that consent?
Age is another complicating factor. Although Article 8 of the GDPR states that consent can only be given by an individual over the age of 16, consent to medical treatment in England can be given without their guardian if the patient younger than 16 is determined to be Gillick competent. It is based on full comprehension of the medical treatment being proposed in order to be able to give that consent. Take that into the data protection arena, many over 16 may not be able to fully comprehend what will happen to their data. Should there be something similar for data protection? Or is a blanket ban on all minors (less than 16 in this case), a valid if easy way to think about it?