Skip to main content

Warning notification:Warning

Unfortunately, you are using an outdated browser. Please, upgrade your browser to improve your experience with HSE. The list of supported browsers:

  1. Chrome
  2. Edge
  3. FireFox
  4. Opera
  5. Safari

Published: 21 September 2023

My data, my choice? The limits of consent in cancer screening programmes

By Dr Eimhin Walsh, Information Governance Manager, National Screening Service

Informed Consent

The concept of ‘informed consent’ is a key principle in the provision of healthcare. It serves as a tool for reminding healthcare providers that they must always respect the bodily autonomy of the patient, and that the patient has a right to understand the potential harms as well as benefits of any proposed healthcare intervention.

Far from a box ticking exercise, the principle of informed consent creates a responsibility on the healthcare provider to engage in a dialogue with a patient to help that patient decide whether a treatment option is right for them. It is the healthcare providers’ responsibility to intervene only when they have received informed consent following an explanation of the proposed care. There have been many cases that have reached the courts where a patient has experienced some harm as a result of a healthcare intervention and that, because they were not informed of the potential harm, the court agreed that they did not validly give their consent. As such, those interventions were deemed to have intruded upon the patient’s bodily autonomy. These cases have helped to clarify what is required for consent to be considered informed.

There are three main elements to informing consent. First are the resources such as the patient information leaflet that outlines what a typical patient can reasonably expect to know about the proposed intervention, including the known limitations and potential negative consequences. Second is an opportunity for the patient to engage with their healthcare provider to ask questions and understand further the likely impact of the intervention on their life. This is also an opportunity for the healthcare provider to confirm, from their perspective, that the patient understands what they are consenting to. The final step is to record the consent process through a consent form, which will typically outline what has been discussed and agreed to.

General Data Protection Regulation

After its introduction in 2018, the General Data Protection Regulation (GDPR) has established another framework that healthcare professionals need to consider. The GDPR is a principle-based law that asks us to apply those principles whenever personal data is processed. In a nutshell, the GDPR requires that personal data must be processed lawfully, fairly, and transparently.

While any healthcare intervention will require informed consent, it is a misconception that an organisation can only process personal data with the consent of the individual/patient. The GDPR recognises that there are five additional legal bases for processing personal data, other than consent, and indeed that there are certain situations where consent is not appropriate.

Legal basis for processing personal data

Take for instance, an emergency situation where an ambulance has arrived at a house and the patient is unable to communicate because they are unconscious. The treating paramedic would not need to seek the consent of the patient to provide their data to a hospital. Instead, such data processing is grounded in the ‘vital interests’ legal basis.

Under the GDPR, valid consent must be informed, freely given, specific and withdrawable. This latter criterion means that if someone withdraws their consent to the processing of their data, then it can no longer be used for that purpose: the processing must stop. Almost every interaction that a person has with a healthcare provider is likely to result in the generation of personal data. In the healthcare context, it is important to distinguish between consent to the healthcare intervention and the legal basis for the processing of personal data arising from that intervention. There may be cases where both rely on consent, but there are many instances where informed consent is the justification of the healthcare intervention but a different GDPR legal basis is the justification for the actual use (or processing) of that data.

Cancer Screening + data use

In cancer screening, a register of eligible screening populations is required in order to invite people to screening in the first instance. It is not feasible to ask for someone’s consent to be invited to attend screening. So instead, in Ireland we have a piece of legislation that allows the HSE to compile registers of people to invite to screening. Rather than consent, the lawful basis for this is that it is in the public interest for the HSE, as a public body, to reduce instances of cancer in the community. This is perfectly valid under the GDPR.

When a person attends their GP, their GP may decide to take a sample of blood as well as a clinical history to investigate the cause of their symptoms. This intervention absolutely requires the person’s informed consent because it is a healthcare intervention. That data and blood sample will be sent to a laboratory where it will be analysed and a result reported, generating further personal data. This will be shared with the person, their GP, and may be shared with other hospitals if treatment or further investigations are required. But there may be other secondary uses of that data which are not reliant on consent. For example, the GP will have a legal obligation to report certain diagnoses of infectious diseases to the Health Protection Surveillance Centre. They must do this regardless of whether the person consents or not, because the public interest in infection control outweighs the person’s preference. Again, this is valid under the GDPR.

Clinical audit + data use

Another important use of personal data is in clinical audit. As a party to the International Covenant on Economic, Social, and Cultural Rights, Ireland has recognised that the right to the highest attainable standard of health is a fundamental right of all human beings. This recognition creates on states including Ireland an obligation to ensure that the health services they provide are of the highest quality.

Clinical audit is a vital part of the quality assurance and quality improvement process, where the care provided to past patients is systematically reviewed against specified clinical standards and guidelines. In Ireland, clinical audit is regulated by the recently enacted Patient Safety Act. Clinical audit is aimed at improving the health service as a whole, identifying areas for improvement, as well as providing assurance that the care provided was appropriate. While it will process the individual’s data, their consent is not mandatory. This is because the public good and the HSE’s task of providing a high-quality health service outweighs the possible risks to an individual from their being part of the audit.

Fairness and transparency

So, there are many occasions when healthcare data can be processed without consent. While this is lawful, it is vital that the healthcare provider meets their fairness and transparency obligations. Fairness demands that the data will only be used to the extent that it is necessary and that it is aligned with the original purpose for which it was collected. Transparency means that the person should be informed of how their data may be used at the time that it is collected from them. For screening, this means we must tell participants that when they consent to be part of the programme, their personal data may be used for various purposes including quality improvement and it will not be possible to opt-out of that processing. Only when we communicate our intended uses of data, appropriately and transparently, will it be possible to have truly informed consent to the healthcare intervention.