Can I collect health information via Sprintlaw Signatures?
Yes. Health information (a special category of personal data under the GDPR and UK GDPR, and sensitive information under the Australian Privacy Act) can be collected via Sprintlaw Signatures. However, there are specific requirements you must follow to remain compliant with both the GDPR/UK GDPR and the Australian Privacy Act.
To ensure compliance, please adhere to the following:
Explicit Consent:
Under GDPR and UK GDPR:
Collecting health information requires explicit consent from the data subject (your client or patient), unless another condition under Article 9 of the GDPR applies. Before collecting health information via Sprintlaw Signatures, ensure that the data subject has been informed and that their explicit consent has been obtained. This consent can be incorporated into the first e-signature document you send them, provided the request is clearly stated, agreed to, and presented in a way that is clearly distinguishable from the other matters in that document (as Article 7(2) requires). Keep a record of when and how each consent was given.
Under the Australian Privacy Act:
Collecting sensitive information, including health information, requires the individual's consent unless an exception under the Australian Privacy Principles (APPs) applies, and that consent should be express rather than implied. Ensure that your privacy notices are clear about the collection and use of health information and that this consent is obtained before collection.
Security Provided by Annature:
Annature, which hosts and secures the Sprintlaw Signatures service, is responsible for implementing security measures to protect the processing of health information, including encryption, pseudonymisation, and access controls. Annature hosts the data on AWS servers located primarily in Australia, in line with the security requirements of both the GDPR/UK GDPR and the Australian Privacy Act. Note that as the controller you remain responsible for satisfying yourself that these measures are appropriate for the data you collect, and, because the data is hosted in Australia, for confirming that the transfer of EU/UK personal data is covered by the Data Processing Addendum.
Data Minimisation:
Under GDPR and UK GDPR:
Ensure that you collect only the health information that is strictly necessary for the purpose you are processing it for. The GDPR's data minimisation principle (Article 5(1)(c)) means you should avoid collecting more health data than required; for example, do not ask for a full medical history when only a single declaration is needed for the document being signed.
Under the Australian Privacy Act:
Collect only the personal information that is reasonably necessary for your functions or activities, in line with APP 3.
Retention and Deletion:
Under GDPR and UK GDPR:
Retain health information in Sprintlaw Signatures only for as long as necessary to fulfil your business needs or legal obligations. Afterwards, the health information can be deleted in accordance with your documented instructions, consistent with the GDPR's storage limitation principle (Article 5(1)(e)). Define your retention period before you start collecting, and make sure it is reflected in your privacy notice.
Under the Australian Privacy Act:
Personal information must not be kept longer than necessary for the purpose for which it was collected. Under APP 11.2, ensure that you have processes in place to securely destroy or de-identify health information when it is no longer needed.
Additional Resources:
For detailed information on our data protection practices, please review our Data Processing Addendum.
To understand more about handling special categories of data, refer to our Australian Privacy Policy and our UK Privacy Policy.
If you are planning to collect health information, ensure that your privacy policies and consent forms are up to date and include the necessary disclosures to meet GDPR, UK GDPR, and Australian Privacy Act requirements.
Feel free to reach out to our team if you require further advice on this topic.