RCA Data

RCA Data and Consent

Data and consent for the RCA

Example Consent Policy

Example / Template DPIA

Blank DPIA

Trainees, trainers and practices need to be fully aware of the legal issues relating to data and consent that surround recording consultations. This page doesn’t cover all that and it is still your responsibility in law to familiarise yourself and comply with the legal requirements.

The summary:

  • With regard to the recording of consultations, make sure you understand all the data issues and have complied with legal requirements and GMC guidance
  • Make sure your Data Protection Officer (DPO) knows your plans and consider a Data Protection Impact Assessment (DPIA)
  • For the consultations being done doing now, use your existing (if robust) consent procedures, or this policy
  • When the Fourteenfish platform is available, make sure that you familiarise yourself with the consent procedures and update your DPIA if required
  • Consider processes to reconfirm consent after the consultation and at the time of submission to the RCGP

Understanding the data issues

Recordings of patient consultations are amongst the most sacred data types we can imagine and this needs to be taken seriously. The Doctor and practice should, at all times, fully understand and comply with GDPR and GMC regulations. This includes the need to identify a DPO who should be consulted when necessary with regard to data protection matters.

To be clear trainees and trainers need to discuss, share and agree the process for the recording of consultations with their DPO. This discussion should include, but is not limited to, consent to capture, store and transfer data

The DPO will advise, but prior to submission of your assessment to the RCGP, the practice is very likely to be the Data Controller. Any IT platform that supports preparation or submission for assessment (e.g. iConnect; Fourteenfish) is likely to be a Data Processor. Depending on how the data is managed by FourteenFish and the RCGP (which will likely be a Data Controller once it receives the consultations), the practice may remain the Data Controller after submission.

In terms of practical steps following this stepwise advice is helpful:

  1. Think about how you are practically going to capture consultations (face to face, video, audio/telephone)
  2. Where will that data be stored and how will it be protected? How would you want your personal medical information to be protected?
  3. How are you going to obtain consent prior to and after the consultation? How will you reconfirm consent at the time of submission? How will patients be able to withdraw consent? Will you have a privacy policy on your website?
  4. Identify your Data Protection Officer and discuss your plans with them
  5. You DPO may request – and I would strongly recommend – that a Data Protection Impact Asssessment is completed. A blank template is available here. I have also part-completed one which I hope is helpful, but you MUST adapt this for your own situation.
  6. Remember the need to review the DPIA regularly and particularly if there is a change in circumstances, processes or guidance


Consent policy for audio/video consultations

When available, the Fourteenfish submission platform for the RCA has the ability to record audio and video consultations, with consent procedures built in. Until then (and possibly afterwards), you may be using other methods of recording e.g. your own equipment or iConnect.

Regardless of recording platform or nature of the consultation, practices must have processes for obtaining and recording consent from patients for the recording of consultations that meet GMC and GDPR guidance.

It needs to be clear that giving consent is not necessary to receive care and that it can be withdrawn at any time. Fourteenfish are building all of that into the recording platform and trainees will not know if a patient has consented or not.

You also need to think about how you will obtain consent from patients in all circumstances, e.g. audio, video, face-to-face as well as with different patient groups, for example children and young people, those who lack capacity, and people with communication difficulties.

We must also recognise that when trying to access their GP’s care, patients may just click ok to something without properly considering the implications.

Therefore, best practice (and a strong recommendation) would be to do TWO EXTRA THINGS:

  1. Send a follow up message to patients with a link to a copy of the consent statement that you have used and ideally your privacy policy, which should enable them to read about how you are going to use and store their data. This should include confirmation of the ability to withdraw their consent at any time and how to do so.
  2. Whilst any consent that you take at the time of the consultation might include the data being forwarded to other parties and used for assessment (e.g. the RCA), it would be good practice to reconfirm the patient’s consent for this after the consultation and before the transfer, particularly because we don’t know how the data is going to be processed for the RCA. In other words, when you decide which consultations you want to submit for assessment, reconfirm the patient’s consent for you to do so. In practical terms, this could be a phonecall or text to the patient that makes it clear to them that the consultation you recorded if now going to be accessible by other parties and the