The basic proposition is sound providing your privacy notice is up to scratch and deals with the lawful basis.
Medical photography is a good example and about as complex as it probably gets.
Normally* we need consent to take e.g. a photo of a wound BUT when getting that consent we make clear that once we have the photo the lawful basis for holding it is NOT consent (the consent is actually about ethics and confidentiality and not GDPR). It becomes part of the health record and the lawful basis is statutory duty and the right to erasure will not apply - this is made clear. This consent can still be withdrawn but will not result in erasure. The image will be removed from normal access but not deleted. It is still part of the record. Access will only be granted if consent is renewed or another condition arises sufficient to overcome confidentiality objections.
At the same time we may get a separate consent to use the image for research / teaching. This consent may be withdrawn at any time and this is made clear. If consent is withdrawn such usage stops.
At the same time we may get a third consent to use the image in medical publications. This consent may be withdrawn at any time and this is made clear. However it is also made clear that this is not retrospective and if the image has been published (usually as anonymous as possible but this may be impossible e.g. for a facial burn) the publishing will not normally be rescinded.
* Special rules where patient lacks legal capacity. Less restrictive rules for X-rays, MRI scans etc.
This makes the consent forms complicated! We also have a well-managed image database which controls the various usages & access, records consents, and retention periods etc.