Consent Preferences

Recording Medical Information

In this module, we are covering the recording of medical information. As mentioned in previous modules underneath GDPR there are different categories of data.

Medical information will always be categorized as sensitive data.

This means that it has had a higher level of protection and you should only be gathering this information if it is relevant to the organization and the activities that are being carried out within that group.

Within your organization if you are collecting medical information in any form you have to be transparent and very clearly define the reason why you are collecting this information.

If you are working with children, it is imperative that parents fill out any intake form and disclose any medical condition and or allergies that are relevant to the activities that are being carried out within that group.

Biometric Data

Underneath sensitive data, biometric data as well can be captured. This could involve a thumbprint or an eye scan or a face ID that may be used in some platforms as part of the organization’s way of signing into their facilities. If this is a common practice, then this has to be disclosed in any membership intake forms that all being completed.

If you are capturing sensitive data of either a medical or a biometric form you must clearly state in the forms that are being completed the following: why it is required, how long it will be stored for, who has access to it, where it will be stored, and who it will be shared with?

Data Storage

Whilst storing information in paper form it’s not the most preferred method for personal or sensitive data we have to be realistic with the resources that a lot of organizations have. As long as the information is only shared on a need- to-know basis and it is kept locked securely away and it’s only taken out and shared when it is necessary, and maintained accurately and adequately for the role that it has been collected for then it is being properly monitored.

All organizations must review the information that they are storing in their records on a regular basis. Depending on how often your organization changes from year to year or if they change from group to group if they are based within the school system is it relevant to keep all of the information that you require if a person is no longer within that group?


Rights to Access

members have the right to access what information you are storing on them. If they are under the age of 18 than their parents can act on their behalf, and they can lodge a Subject Access Request with yourself to find out what information you are storing on their child. They have the right to have access to all information that is being stored regarding their child and it does not just have to be any information that they have completed themselves. They have the right to access any information where their child’s name is mentioned.

You must always be aware of the information you are storing and that is being communicated amongst yourselves. You must never share information in relation to another person that you would not be happy saying to that person’s face. We all have the right to have access to the data that is being stored about us and that includes any information that mentions us whilst we may not be party to that conversation.


Consent can be withdrawn at any time. If a person no longer wants to be a member of a group or an organization they have the right to withdraw their consent and you must stop processing their data. This means that they should be taken off any e-mail list that they are on, and they should also be removed from any groups or communication platforms that they have been added to. They should be taken out of any WhatsApp groups that they are included in if they haven’t done so already and the only information that should be kept in relation to them should be any financial transactions that have taken place as they are part of your accounting responsibilities within an organization.

Consent & Data Storage

As they rule of thumb under GDPR I would recommend only storing the minimum amount of information that you are required to store in order to perform the agreement that the person has committed to join that organization. Once that person has left that organization then you should delete all information that is related to them unless there are grounds for any legal issues or if there are any accounting reasons for you to keep their information.

If in doubt about any information you are storing in relation to any of the members always raise this as an issue with the chairperson or the person in charge of that organization. I would suggest put it in writing via e-mail to make sure that you are covering yourself in case there are any issues that may come in in relation to data being shared stored or retained unlawfully.

Consent is always King and Queen in relation to storing of data- always remember if it was your data and you have decided to leave an organization would you want them still to be processing and storing and commenting about your information when you are no longer part of an organization?