As data use and new practices like personalised medicine, machine learning and 3D printing promise game-changing improvements in the health sector, many organisations are tempted to streamline consent in an effort to clear the way for future (often secondary or ancillary) uses of personal information. 
However, attempts to bundle consent in relation to health information risk both breaching legal obligations and irreparably damaging the relationship of trust with customers. 
Healthcare professionals should view the process of obtaining an individual's consent not as a regulatory hurdle to be overcome, but instead as a critical opportunity to transparently demonstrate the value to that individual of each practice undertaken with it.
Bundled consent is the practice of combining requests for individual consent to a range of collections, uses or disclosures into a single consent without scope for the user to decide which to accept or reject. 
It is often presented as a way of ‘future-proofing’ – navigating privacy issues around new data uses and technologies that may be rolled out in future. 
However, sentiment toward the value and security of personal information has shifted recently, in part due to a spate of high-profile data breach/misuse events such as Cambridge Analytica, HealthEngine and the Medicare data breach
Legislators have sought to respond to this shift in sentiment, leading to the introduction of the notifiable data breach scheme and the proposed Consumer Data Right in Australia, as well as recent changes to the General Data Protection Regulation (GDPR) overseas.  
This shift is particularly relevant for health sector organisations which are placed in a position of trust by individuals (and generally, given a higher trust rating than financial institutions, government departments and charities). 
Over the next year, there is expected to be further tightening in regulatory frameworks and increased public scrutiny of how their data is handled. In light of these changes, it is critical that organisations go beyond mere legal compliance to build trust with individuals. The reality is that consent that is covertly obtained is not genuine consent. 
The closer that health sector organisations move to data use cases that are ancillary to, or even separate from, the primary purpose of collection (usually the delivery of healthcare to an individual), the less likely it becomes that bundled consent is an appropriate response. 
When bundled consent is used, organisations run the risk of confusing, and in some cases misleading customers. This leaves them disinterested or, worse, alienated. 
Adopting a bundled consent approach also signifies a general failure to communicate to the individual the full value proposition of the use of their personal information. 
This is not only a missed opportunity, but can undermine the voluntary, informed nature of the consent needed to demonstrate, if challenged.
Where to go from here? 
The emerging regulatory trend is that transparency is key. 
It's inevitable that some health sector organisations will need to rely on bundled consent in certain circumstances, such as where it is not practical to obtain consent for each separate use of personal information (eg. where a patient undergoes multiple linked procedures, under multiple different specialists or in multiple different locations). 
However, health sector organisations should not rely on bundled consent to enable the use of health information for secondary or ancillary purposes that would surprise individuals, such as direct marketing or other uses or disclosures which are intrusive or implemented primarily for the organisation's own commercial gain.   
In the health sector, bundling consent to facilitate future data use presents more risks than opportunities. Explicit, specific and informed consent can enable sophisticated uses of health data, and should be favoured over bundled consent methods in most circumstances. 
Here are some steps to take: 
  • Clearly and simply explain the scope and nature of the relevant data use cases/practices.
  • Provide individuals with opportunities to opt in to, or at a minimum opt out of (with sufficient granularity of options) new or unexpected data use cases, and still allow access to the primary service or product being provided.
  • Avoid involuntary opt in processes.
  • Don't rely on generalised statements like 'all legitimate uses or disclosures' or generalised references to 'implementing data analytics' or 'using future technologies'. Removing the knowledge gap between perceived and actual uses helps protect customer loyalty and safeguard against critical reputation damage.
  • Build and protect trust by considering reputation risk in all data use cases/practices – consumers are more wary than ever.
  • Consider what else you can do, from a communications perspective, to demonstrate the particular value to individuals in your data use proposition. This will cultivate a social licence (in addition to a strict legal right) for the relevant practice to occur. 
Phil O'Sullivan is a Managing Associate and Claudia Hall is an Associate at Allens. 



White papers