Consenting and data protection

legal-mainConsenting and data protection

Keeping patient data safe and taking robust consent data is crucial to protect practice and patients, explain Dr Natalie Blakely and clinical negligence expert Mandy Luckman


Informed consent is a fundamental legal requirement and there are many legal disputes that centre around what was said or what wasn’t said before a procedure.
It’s vital to ensure that as well as being given information about the benefits of the procedure, patients also have the risks involved thoroughly explained. They need to know what the complications are and what downtime should be expected.

Not only are you then managing expectations from the start, you are also thoroughly consenting the patient at the same time. The patient should understand all the information that is given to them.

After a consent form has been discussed with a patient, you then need to ask the patient to review the consent form and ask them to sign it to confirm that they’ve understood it. Even if this is the second or third time that the patient has been seen, you should still consider re-consenting before every procedure.

You should certainly be checking whether anything has changed in the way of health or lifestyle. Taking the time to do this can save many hours of protracted argument in years to come.

Using consent forms provided by the manufacturer is a good start, but as the practitioner any potential claim would come to you. It’s a good idea to have a look through the form and check to see whether you’re happy with it or whether there’s anything that you feel needs to be mentioned from experience in your practice.

Recently there have been a number of cases of blindness caused after filler injections close to the eye. That’s not currently on any of the manufacturers consent forms for filler, but it is a known possible complication. Patients should be informed about this possibility and it should be included on the consent form or it could be a very significant problem if that unfortunate outcome did arise.

When performing a very minor procedure like removal of a skin tag, many practitioners assume implied consent because the patient is letting them undertake the procedure. It’s good practice to consent before any procedure, even if it’s straightforward, low risk, or perceived as non-invasive.


Although consent can be verbal, a lawyer would always recommend getting it in writing so it can be used as a form of documentary evidence if needed.

There are some fundamental principles about when a patient cannot give informed consent—for example, if they lack capacity. If a patient has a severe case of body dysmorphia, it raises questions as to whether they have got capacity to consent to a particular procedure.

Again, if a patient can evidence that they haven’t been properly informed about the treatment, then there isn’t a consent there necessarily. If the patient is under the influence of alcohol—even if they’ve had a little bit too much wine at lunchtime—then they would be lacking capacity.

You need to be wary about putting pressure on the patient to sign there and then. There are variable circumstances when it may be appropriate, but rushing a patient into signing a consent form is not a good idea.

Consent recommendations

It’s not a legal requirement to sign a consent form, but the General Medical Council (GMC) have produced guidelines that strongly recommend that any medical records are properly drafted, accurate, legible and contemporaneous.

The records need to detail the information that’s been shared, the decisions made and the actions agreed, together with who’s making those decisions. It’s worth both the practitioner and the patient signing the consent form.

The GMC does recommend that you also time and date the records, in case a claim is brought some years down the line, but it’s not a legal requirement. If you have recorded as much detail as possible about what was discussed and when it was discussed, then it makes it far easier to produce that documentary chain of evidence.

There’s currently very little regulation in place around this, but it is advisable that if you delegate the consent process to a junior, that the person getting consent is technically able to carry out that procedure. This means they’re fully aware of what’s involved, they can explain the risks and they can make sure that the patient understands what’s involved.

Take patients through the consent form and don’t just give them a piece of paper to sign. Then you can say with confidence that time has been taken to thoroughly discuss the risks, and that the patient fully understands the procedure.

If you give a detailed consultation and consent and then cause a necrosis when doing a filler, it doesn’t mean you definitely wouldn’t end up in court, but if you’re able to evidence that good, informed consent has taken place, then it is less likely.

Using and storing data

With all the tablet systems around for keeping medical records, there’s a lot of concern about whether or not a digital signature is valid, especially when it comes to consent.

In the medical sphere, there’s very little case law around this particular issue, which is perhaps not that surprising. The Electronic Communications Act is the best piece of legislation to refer to, and that does recognise the legal validity of an e-signature in the UK.

It also confirms the requirements of the Data Protection Act, which is that confidential information needs to be stored in a safe and secure environment. For example, if it’s going to be stored electronically, it has to be done with password protection or encryption.

There is a question of who ‘owns’ patient data, particularly for people who have mobile businesses and perform treatments in other people’s premises. Somebody recently said they’d had a dispute with the clinic owner, who then decided to go with a different provider for their toxins and fillers.  They kept all of the consent forms and all of the medical records. That practitioner wanted to know who actually owned the medical records.

It’s a complicated situation, but the patient actually owns the information. The clinic and the practitioner have a responsibility to make sure that that information is stored and it’s stored confidentially, so that if a patient ever requests a copy of those records pursuant to the Data Protection Act, they can be provided within the 40 day period that’s stipulated.

It’s important that we have access to those medical records to provide the best possible care.
The piece of legislation that we need to be familiar with is the Data Protection Act 1998, which controls how the information is used and how it’s stored.

The information must be kept safe and secure, and clearly medical records, particularly photographs, are extremely sensitive. Storing data like that on phones which can be easily lost or stolen isn’t advisable at all. There are other methods of storage which are far more secure.

Another thing that can happen is accidentally syncing private information from an iPad to a personal Cloud. Somebody was telling me they came in to find their young son looking at medical photographs from their clinic.

Sometimes technology doesn’t work in our favour so we need to be more careful.  As we get busier, our clinics are getting busier, we end up being overrun by paperwork and it’s not always possible to store everything on site. It’s our responsibility to make sure that there are no breaches of data protection. If outsourcing archiving you need to use an appropriate storage facility.

A practitioner recently told me she was driving and had medical records in the boot of her car. The boot flew open and the records flew out. Fortunately they were handed back to her without any problem, but that lady would have been in breach of data protection.

The Department of Health stipulates a maximum period of NHS record retention of 30 years. The NHS Code of Practice is eight years for adults, 25 years forchildren.
Practitioners need to remember it can be quite difficult to defend any potential litigation if the contemporaneous medical records can’t be produced. If a grumble or complaint is received, or if there was an adverse outcome, then those records in particular should be retained.

Claimants have a period of time in which to bring a claim, which is three years from the date of the negligent treatment. If there’s a later date of knowledge it will start to run from that period of time, assuming they’ve got capacity. That should give a general feel for how long the documents should be kept.

Dr Natalie Blakely is Medical Director of The Light Touch Clinic in Weybridge and Founder of Consentz, Electronic Health record app. Mandy Luckman is a Partner specialising in Medical Law at Irwin Mitchell.

Author: bodylanguage

Share This Article On