ISO/TS 17975:2022

TECHNICAL ISO/TS
SPECIFICATION 17975
Second edition
2022-11
Health informatics — Principles and
data requirements for consent in
the collection, use or disclosure of
personal health information
Informatique de santé — Principes et exigences des données pour
le consentement dans la collecte, l'utilisation ou la divulgation
d'informations de santé personnelles
Reference number
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 2
3 Terms and definitions . 2
4 Abbreviated terms . 6
5 Consent requirements.6
5.1 General . 6
5.2 Informational consent . . 7
5.3 Consent to treatment versus informational consent . 7
5.4 How consent relates to privacy, duty of confidence and to authorization . 7
5.5 Relationship of consent to OECD guidelines . 8
5.6 Relationship of consent to legislation . 8
5.7 Expectations and rights of the individual . 9
5.8 Consent directives . 9
5.9 Consent is related strongly to purpose of use . 9
5.10 Consent to collect and use versus consent to disclose . 10
5.11 Consent is applicable to specified data . 11
5.12 Consent related to disclosure . 11
5.13 Exceptional access . 11
5.14 Challenges associated with obtaining consent .12
6 Consent frameworks .12
6.1 Giving consent . .12
6.2 Types of consent sta . 14
6.3 Detailed requirements .15
6.3.1 Express or expressed (informed) consent . 15
6.3.2 Implied (informed) consent . . 17
6.3.3 No consent sought . 18
6.3.4 Assumed consent (deemed consent) . 19
7 Mechanisms and process: denial, opt-in and opt-out, and override .20
7.1 Express or expressed (and informed) denial . 20
7.2 Opt-in and opt-out . 21
7.2.1 General . 21
7.2.2 Opt-in . 21
7.2.3 Opt-out . 21
7.3 Override . 21
8 Minimum data requirements .21
Annex A (informative) Consent framework diagrams .23
Annex B (informative) Jurisdictional implementation examples .29
Bibliography .33
iii
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics.
This second edition cancels and replaces the first edition (ISO/TS 17975:2015), which has been
technically revised.
The main changes are as follows:
— editorial revision;
— Clause 2 and the bibliography have been updated.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
iv
Introduction
This document defines several frameworks for informational consent in healthcare. These are
frequently used by organizations who wish to obtain agreement from individuals in order to process
their personal health information.
NOTE Various terms are used to refer to the recipients of healthcare services. The terms patients, subjects
of care, data subjects, persons or clients are all used, depending upon the relationship of the individual with the
data collector and the circumstances or setting of the transaction.
Requirements arising from good practices are specified for each framework. Adherence to these
requirements will ensure the individual, as well as the parties who process personal health
information, that consent to do so has been properly obtained and correctly specified. This document
covers situations involving informational consent in routine healthcare service delivery. There can be
situations involving new and possibly difficult circumstances which are not covered in detail, but even
in these situations the principles herein can still form the basis for potential resolution.
In order to align with internationally accepted privacy principles, this document is based on two
international agreements. The first is the set of privacy principles specified by the Organization for
Economic Co-operation and Development and known as the OECD Guidelines on the Protection of
Privacy and Transborder Flows of Personal Data. These principles form the basis for legislation in many
jurisdictions, and for policies addressing privacy and data protection. International policy convergence
around these privacy principles has continued since they were first devised. The principles require the
consent of the individual for data processing activities.
The second international agreement used is the Declaration of Helsinki, which is used to define essential
characteristics of best practices in informational consent management. The Declaration of Helsinki is a
set of ethical principles regarding human experimentation. It was developed for the medical community
by the World Medical Association (WMA) and is widely regarded as a cornerstone document of human
research ethics. While this agreement applies directly to research on human subjects, it is intimately
related to data processing, and can therefore be readily applied to the detailed requirements for
informational consent management. In the context of the Declaration of Helsinki, the characteristics
of informational consent were defined and developed over a number of revisions in order to remain
relevant to contemporary society.
This document specifies that a record be retained of the set of agreements and constraints granted
via an informational consent process, and that the results of that process be made available to other
parties to whom the corresponding personal health information is subsequently disclosed (see 5.10).
It also defines a list of essential characteristics that the informational consent record should possess.
These characteristics can be represented within information handling policies and used as part of an
automated negotiation between healthcare information systems to regulate processing and exchange
of personal health information.
Interoperability standards and their progressive adoption by e-health programmes expand the
capacity for information systems to capture, use and exchange clinical data. For this to occur on a wide
scale, the majority of decisions regarding the processing of data will need to take place computationally
and automatically. This will in turn require privacy policies to be defined in ways that are themselves
interoperable, so that interactions between heterogeneous systems and services are consistent from a
security perspective and supportive of policy (bridging) decisions regarding the processing of personal
health information.
A list of defined essential characteristics makes up the record of the agreements granted via an
informational consent process so as to be made available to those who wish to use the data, as well
as to other parties to whom the corresponding personal health information is subsequently disclosed.
These characteristics might therefore be represented within policies used as part of an automated
negotiation between healthcare information systems to regulate processing and exchange of personal
health information.
v
Once consent agreement has been reached, allowable constraints defined, and the authority for the
organization to collect, use or to disclose data has been established, security processes are needed
to support maintenance of the consent documentation itself. Security protects the data that the
organization has the authority to collect and to hold.
Why standardization of consent terminology and frameworks is desirable
The specific practices applied in obtaining and using informational consent vary among jurisdictions
and among healthcare service settings because of variations in legislation, subject of care types and
intended purposes of use. However, there is an increasing alignment globally on basic privacy principles
and on a common understanding of the expectations of individuals in how their personal health data
will be accessed, used and shared. International alignment of informational consent practices is of
growing importance as personal health data are increasingly communicated across organizational and
jurisdictional boundaries for clinical care, research and public health surveillance purposes. Agreed
representations of informational consent frameworks help to clarify requirements for this international
alignment. This document describes the various informational consent frameworks and identifies the
core principles that are common to all frameworks.
Even if two or more parties share a common policy model, this is not sufficient to support policy bridging
(automated inter-policy negotiation), as the terms used for each characteristic within the shared policy
model also need to be mutually understood between collectors and disclosers of health information.
In other words, the characteristics of, and terms used in, the request-for-data policy need to have a
computable correspondence with the terms and policies of the disclosing party’s policy in order for an
automated decision to be made regarding the sharing of data. Clear and consistent use of informational
consent frameworks are an important component of that interoperability.
This document is applicable regardless of frequency or scale of use and disclosure. However, it does
assert that every use and disclosure be made in accordance with stated policies. It is possible that this
might be affected on a per-data-request basis between discrete computational services, or on a per-
user-session based on role, or on the basis of batch transfer of data pushed to a business area or activity.
For example, claims processing might be permitted without requiring explicit consent because it is a
direct and necessary purpose associated with healthcare service delivery. In this case, the business
activity for which the data is used has a direct relationship to the original purpose of use, and purpose
matching could be done for each batch transfer rather than for each individual record. The issue of
how frequently the policy services are interrogated would be addressed in accordance with suitable
policies applying to transactions or batches. In this way, a policy enforcement point need not consult a
policy decision point nor determine consent for each record. The policy is, above all, an administrative
decision that is part of the information governance activity: the policy engine automates the decision
within a business activity or business area wherein the data’s purpose of use and informational consent
framework will have been predefined. Such pre-specified or predefined uses cannot take place in
a rigorously enforced, policy-compliant manner without interoperable policy specifications, which
includes the use of consistent informational consent frameworks.
No particular technical approach for implementing policy services or policy checking is required in this
document and implementers are therefore free to apply this to a wide range of technical approaches.
Need for formalized representation of informational consent decisions
Without a focused set of informational consent requirements which automatically apply to every data
collection, the healthcare organization cannot assume that subjects of care agree that data collected for
care can be used for other purposes (e.g. research).
This classification of informational consent frameworks can be used in conjunction with functional
roles and data sensitivity classification to support interoperability, automated decision-making related
to privilege management and cross-border data flows. For example, an organization might apply a
framework which combines implied informed consent for routine healthcare service delivery and
support purposes with one which requires more explicit (but also informed) consent for follow on
purposes of use. By undertaking this alignment, the organization ensures that purposes to which data
are put, and for which data are disclosed, are done in a way with which the subject of care agrees, and
which meets applicable requirements.
vi
Inter-relationship with other standards
This document can be used as a semantic complement to the ISO 22600 series and ISO 13606-4, both
of which provide formal architectural and modelled representations of policies but do not themselves
include requirements for consent.
ISO 22600-2 defines a generic architectural approach for policy services and a generic framework for
defining policies in a formal way. However, like any generic architecture, a structural framework to
support policy interoperability must be instantiated for use. A policy domain also needs to specify which
informational consent characteristics must be taken into account when making processing decisions.
The policy domain needs to specify a high-level-policy model containing those characteristics to which
all instances of that kind of policy conform.
There are other standards that define interoperability vocabularies which might also be used to
instantiate parts of a policy. Based on ISO 23903, the ISO 22600 series defines the necessary policy
ontology, and ISO 21298 is a vocabulary for functional and structural roles.
ISO/TS 14441 defines privacy requirements for EHR systems. It includes several requirements for
recording informational consent, as well as minimum data to be recorded, and provisions for emergency
access.
ISO/TS 14265 defines the range of purposes for which personal health data might be used in healthcare
service delivery, and describes the purposes of use for which informational consent might be required.
ISO 13606-4 defines a policy model for requesting and providing EHR extracts (i.e. for one particular
case to which this document might be applied). ISO 13606-4 also defines a concepts related to the
sensitivity of EHR data.
ISO 22857 describes the transmission of data across national/jurisdictional borders or the situations
where data are deliberately made accessible to countries/jurisdictions other than where they
are collected or stored. One key requirement of ISO 22857 is that this processing is carried out in a
fashion that is consistent with the purposes and consent obtained during the original data Collection
and, in particular, all disclosures of personal health data be made only to appropriate individuals or
organizations within the boundaries of these purposes and informational consents.
ISO 27799:2016 describes information security best practices for healthcare. It includes informational
consent requirements for policy implementation, electronic messaging, access privilege assignment,
and data protection and privacy.
ISO 21298 defines functional and structural roles. These will support the instantiation of informational
consent policies.
vii
TECHNICAL SPECIFICATION ISO/TS 17975:2022(E)
Health informatics — Principles and data requirements
for consent in the collection, use or disclosure of personal
health information
1 Scope
This document defines the set of frameworks of consent for the collection, use and/or disclosure of
personal information by healthcare practitioners or organizations that are frequently used to obtain
agreement to process the personal health information of subjects of care. This is in order to provide
an informational consent framework which can be specified and used by individual policy domains
(e.g. healthcare organizations, regional health authorities, jurisdictions, countries) as an aid to the
consistent management of information in the delivery of healthcare services and the communication of
electronic health records across organizational and jurisdictional boundaries.
This document is applicable to Personal Health Information (PHI).
Good practice requirements are specified for each framework of informational consent. Adherence to
these requirements is intended to ensure any subject of care and any parties that process personal
health information that their agreement to do so has been properly obtained and correctly specified.
The document is intended to be used to inform:
— discussion of national or jurisdictional informational consent policies;
— ways in which individuals and the public are informed about how personal health information is
processed within organizations providing health services and health systems;
— how to judge the adequacy of the information provided when seeking informational consent;
— design of both paper and electronic informational consent declaration forms;
— design of those portions of electronic privacy policy services and security services that regulate
access to personal health data;
— working practices of organizations and personnel who obtain or comply with consent for processing
personal health information.
The document does not:
— address the granting of consent to the delivery of healthcare-related treatment and care. Consent to
the delivery of care or treatment has its own specific requirements, and is distinct from informational
consent.
— specify what consent framework is applicable to a data classification or data purpose as this can
vary according to law or policy, although an examples of implementation profile is provided in
Annex B;
— specify the data format used when consent status is communicated. The focus is on the information
characteristics of consent, and not the technology or medium in which the characteristics are
instantiated;
— specify how individuals giving Informed Consent come to be informed of the responsibilities,
obligations and consequences related to granting consent;
— specify requirements on how individuals are informed of the specifics of the data, data sharing or
data processing concerned;
— specify requirements on how consent itself or the specific activities of the consent process are
recorded. Specific requirements on recording consent in EHR systems are given in ISO/TS 14441:2013,
5.3.2;
— specify any information security requirements, e.g. the use of encryption or specific forms of user
authentication (see e.g. ISO 27799).
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22600-3, Health informatics — Privilege management and access control — Part 3: Implementations
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22600-3 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
anonymization
process by which personal data is irreversibly altered in such a way that a data subject (3.6) can no
longer be identified directly or indirectly, either by the data controller alone or in collaboration with
any other party
Note 1 to entry: The concept is absolute, and in practice, it can be difficult to obtain.
[SOURCE: ISO 25237:2017, 3.2]
3.2
assumed consent
informational consent (3.17) done in the absence of any formal, recorded or verbal indication of
agreement or any overt action (or inaction) on the part of the data subject (3.6)
Note 1 to entry: Assumed Consent is most often done by care providers and information collectors.
3.3
authorization
granting of privileges which includes the granting of privileges to access data and functions
3.4
collection
obtention of data by any means including that of viewing them
3.5
consent
form of authorization, provided by the individual (3.16) to whom the data refers, that some information
processing activity is or is not permitted
3.6
data subject
identified or identifiable natural person that is the subject of personal data
Note 1 to entry: With the collection (3.4), a subject of care (3.27) automatically becomes a data subject.
[SOURCE: ISO/TS 14265:2011, 2.10, modified — Note to entry added.]
3.7
denial
refusal of informational consent (3.17)
Note 1 to entry: Denial can apply to the collection (3.4), use (3.28) and/or disclosure (3.8) of data for all or some
specific data and/or Purpose(s) of Use as specified by the subject of care (3.27).
3.8
disclosure
divulging of or provision of access to data
Note 1 to entry: Whether the recipient actually looks at the data, takes them into knowledge or retains them
is irrelevant to whether Disclosure has occurred. Disclosure occurs inside the organization if the data are
made available to someone who is not authorized to have them, or they are used for a purpose not authorized.
Disclosure is justified if authorized. Disclosure is not justified if not authorized.
[SOURCE: ISO 25237:2017, 3.22; modified — Sentences 2 and 3 were added to Note to entry.]
3.9
expressed consent
informational consent (3.17) that is freely and directly given, expressed either viva voce or in writing
Note 1 to entry: It can also refer to the details of the process of obtaining informational consent.
Note 2 to entry: It can also refer to the details of the process of denial (3.7).
3.10
healthcare organization
organization involved in the direct or indirect provision of healthcare services (3.11)
Note 1 to entry: Service could be to an individual (3.16), group or population.
3.11
healthcare service
service that is the results of a healthcare process
[SOURCE: ISO 13940:2015, 8.2.6]
3.12
identifiable person
one who can be identified, directly or indirectly, in particular by reference to an identification number
or one or more factors specific to one’s physical, physiological, mental, economic, cultural or social
identity
[SOURCE: ISO 22857:2013, 3.7]
3.13
identification
process of using claimed or observed attributes of an entity to single out the entity among other entities
in a set of identities
[SOURCE: ISO 25237:2017, 3.26, modified — Note to entry deleted.]
3.14
identity
collection (3.4) of data items, such as official name, postal address, etc. that are required for naming
non-ambiguously a given person
3.15
implied consent
informational consent (3.17) that is freely and directly given, indicated by an action or an inaction rather
than a formal verbal or written indication of agreement on the part of the data subject (3.6)
Note 1 to entry: This is derived from Expressed consent (3.9).
3.16
individual
single discrete entity
Note 1 to entry: This includes a distinct person or organization.
Note 2 to entry: The term may refer to a person who is a subject of care (3.27), a patient, a data subject (3.6), a
client, a consumer or any other person.
3.17
informational consent
consent provided for the collection (3.4), use (3.28), disclosure (3.8), or any data processing activities of
personal information (3.22)
Note 1 to entry: As opposed to consent (3.5) for treatment or care, this includes denial (3.7) by the data subject
(3.6) of certain data processing activities, or constraints and conditions that the data subject might place on
those activities.
3.18
informed consent
permission to perform healthcare activities, voluntarily given by a subject of care having consent
competence, or by a subject of care proxy, after having been informed about the purpose and the
possible results of the healthcare activities
Note 1 to entry: A healthcare mandate requires either informed consent or authorization by law.
[SOURCE: ISO 13940:2015, 11.2.6]
3.19
opt-in
process or type of policy whereby the data subject (3.6) is required to take a separate action to express
specific, explicit or prior consent (3.5) for a specific type of processing
3.20
opt-out
process or type of policy whereby the data subject (3.6) is required to take a separate action in order to
withhold or withdraw consent (3.5) from a specific type of processing
Note 1 to entry: In the case of Opt-out, implied consent (3.15) exists for the collecting organization to process the
personal information (3.22) unless the individual (3.16) explicitly denies or withdraws permission. Opt-out is also
a process provided by a data collecting organization in order for a data subject to deny or withdraw permission
to perform a specific type of processing.
3.21
personal health information
PHI
information about an identifiable person (3.12) that relates to the physical or mental health of the
individual (3.16) or to provision of health services to the individual
Note 1 to entry: Such information can include the following:
a) information about the registration of the individual for the provision of health services;
b) information about payments or eligibility for healthcare in respect to the individual;
c) a number, symbol or particular assigned to an individual to uniquely identify the individual for health
purposes;
d) any information about the individual that is collected in the course of the provision of health services to the
individual;
e) information derived from the testing or examination of a body part or bodily substance;
f) identification of a person (e.g. a health professional) as provider of healthcare to the individual.
Note 2 to entry: Personal health information does not include information that, either by itself or when combined
with other information available to the holder, is anonymised (see 3.1).
[SOURCE: ISO 27799:2016 3.8, modified — Part of note to entry merged with definition, note 2 to entry
shortened.]
3.22
personal information
information relating to an identified or identifiable natural person
Note 1 to entry: To determine whether a data subject (3.6) is identifiable, take account of all the means which can
reasonably be used by the entity holding the data, or by any other party, to identify that individual.
[SOURCE: EU Directive 95/46/EC, MEDSEC, modified — Note to entry added.]
3.23
privacy control
measures that treat privacy risks by reducing their likelihood or their consequences
Note 1 to entry: Privacy controls include policies, procedures, guidelines, practices or organizational structures,
which can be administrative, technical, management or legal in nature.
Note 2 to entry: Control is also used as a synonym for safeguard or countermeasure.
[SOURCE: ISO/IEC 29100:2011, 2.14, modified — Note 1 to entry rephrased.]
3.24
privacy policy
specification of objectives, rules, obligations and privacy controls (3.23) with regard to the processing
of personal information (3.22) in a particular setting
[SOURCE: ISO/TS 14441:2013, 3.34]
3.25
privacy principles
set of shared values governing the privacy protection of the personal information (3.22) over its
information management lifetime
3.26
processing
operation or set of operations performed upon personal data, whether or not by automatic means
Note 1 to entry: Operations can include collection (3.4), recording, organization, storage, adaptation or alteration,
retrieval, consultation, use (3.28), disclosure (3.8) by transmission, dissemination or otherwise making available,
alignment or combination, blocking, erasure or destruction.
3.27
subject of care
healthcare actor with a person role, who seeks to receive, is receiving, or has received healthcare
Note 1 to entry: A fœtus can be considered as a subject of care when receiving or when having received healthcare.
EXAMPLE A treated patient, a client of a physiotherapist, each particular member of a target population
for screening, each particular member of a group of diabetic people attending a session of medical education, a
person seeking health advice.
[SOURCE: ISO 13940:2015,5.2.1]
3.28
use
act of employing data or information for a specific purpose, for which access to the data is required
Note 1 to entry: Use of data implies that the data have been collected, even if simply by viewing them.
4 Abbreviated terms
EHR Electronic Health Record
OECD Organization for Economic Co-operation and Development
5 Consent requirements
5.1 General
This clause specifies a set of good practice activities and concepts related to the concept of consent.
Figure 1 provides an overview of the concepts and influences in the selection of a consent model, and
indicates the consent assurance process that follows. These aspects are discussed further in this clause.
Figure 1 — Consent concepts
Except where inappropriate, the subject of care has a ‘right to know’ and should be informed about the
set of conditions associated with the granting of consent. The subject of care has a right to know what
data are involved, what processes are proposed (collection and use and/or disclosure), the purposes
to which the data might be put, the length of time for which the data might remain active, and other
specifics. Broad general descriptions of the activities intended do not adequately inform the individual.
5.2 Informational consent
Consent in the healthcare environment is widely understood as an informed and knowledgeable
agreement between the data collector and the subject of care concerning certain data processing
activities including its use for various purposes including delivery of care, and includes denial by the
subject of care of certain data processing activities, or constraints and conditions that the subject of
care might place on specific data or activities. It is, in effect, a contract. Informational consent is thus a
component of the privacy, security and information management policies required for the effective Use,
and communication and management of information about an individual.
For ethical, and sometimes legal, reasons, information collection, use and/or disclosure need to be
appropriately authorized by the subject of care. The agreement of the subject of care to the collection,
use or disclosure of their personal health information of the subject of care for specified purposes is an
important step in the healthcare process.
5.3 Consent to treatment versus informational consent
Consent for information collection, use and disclosure is separate from consent to treatment. Consent
to treatment can itself be implied by attendance by the subject of care at a healthcare facility; however,
since nearly all healthcare interventions lead to information being collected, it is the use and potential
onward disclosure of this information with which this document is primarily concerned. While
subjects of care are normally content for information to be collected and used in order to provide their
healthcare, it is still important that reasonable efforts be made to ensure that they understand how
their information is to be used to support these activities and how it can be used in the future.
Informational consent and treatment consent remain distinct from one another, even when both are
obtained as part of a single procedure.
5.4 How consent relates to privacy, duty of confidence and to authorization
The establishment of mutual trust between a subject of care who, with the collection of their data,
becomes a data subject, and their healthcare providers is both a goal and a prerequisite of effective
healthcare delivery. Individuals who are not informed make no meaningful decisions about how their
information will be used, and thus lose an opportunity to develop appropriately trusting relationships
with those to whom they give personal data.
While privacy is not an absolute right in most jurisdictions and is subject to exceptions defined by
custom and legislation, a fundamental principle underlying the use of personal health data is that they
are originally collected and used for the benefit of the subject of care, and that further uses are made
with the subject of care’s knowledge and agreement. As part of a healthcare provider’s duty of care
and duty of confidence, consent forms the foundation for the collection, use and/or disclosure of health
information for permitted purposes by and between users, systems, organizations or policy domains
which might need it. The concept of consent includes both agreement and denial.
The act of obtaining consent from individuals reduces the risk of arbitrary collection, use or disclosure
of information from individuals. Loss of privacy is cumulative; with each subsequent collection, use
or disclosure, more of the individual’s privacy is put at risk. Consent processes can inform the public
of the extent of that loss. However, consent processes can also create operational inefficiency; if not
well implemented, these processes will not achieve subject of care’s intended objective. A consent
framework which is inconsistent in design or inconsistently applied might have the effect of creating
the perception of protection without actually providing it, and while increasing process and cost. Legal
authority to collect and use data or to disclose it protects those collecting, using or disclosing the data
against legal risk but once legal authority is established and the data are collected, the data processing
activities likewise need to be documented, and both process and data made secure. Where consent is
required for collection, use and/or disclosure, the process of obtaining consent provides a subject of
care with general information regarding the data’s protections and subject of care’s rights to question,
view and correct subject of care’s own data and to question the organization’s compliance with its
information management policies.
5.5 Relationship of consent to OECD guidelines
While consent is one of the OECD principles, those principles also state that it is only permitted to
collect the information that is needed in order to deliver a defined set of services. In other words, the
need to collect is predicated on the need to know. Justification of the need to know, and thus to collect,
forms part of the governance and high-level policy setting of an organization or jurisdiction.
Consent is an aspect of accountability within a society, a jurisdiction and an organization or department;
the consent process itself defines the organization’s authority to collect data and usually describes the
organization’s responsibilities with respect to individuals' rights of control of their own information
whatever those might be.
5.6 Relationship of consent to legislation
Privacy legislation is often based on or aligned with the OECD principles although the degree of
agreement varies. As well, specific legal exceptions usually define when consent is not required. These
exceptions are usually based on both ethical and practical considerations in an attempt to create
balance. While this document defines consent frameworks, it does not provide a comprehensive listing
of legal circumstances under which consent is or is not required.
Legal obligations to disclose, report or communicate data can override requirements for consent, as
well as requirements to match the purpose for which data were originally collected with the purposes
for which the data are disclosed. In that case, the data recipient might legally be permitted to demand
and to receive information without consents. Some examples of variations include t
...