Patient data is caught between the conflicting priorities of medical treatment and data protection law. Doctors, therapists and other healthcare professionals need to process sensitive health data in order to do their jobs, but at the same time they are obliged to protect their patients’ privacy and personal rights.
This tension is particularly evident in the collection, transfer and storage of data in everyday practice – for example, in patient forms for registration, consent or treatment documentation. The Federal Data Protection and Information Commissioner (FDPIC) has published a new factsheet on patient forms for medical and therapeutic consultations. It specifies how information obligations, consent and data security can be implemented in a legally compliant manner in the treatment environment.
With this publication, the EDÖB aims to raise awareness among service providers such as doctors, therapists, practices and health centres of the requirements of the revised FADP and to bring existing form templates into line with data protection regulations.
Duty to provide information and consent – two separate obligations
The factsheet makes it clear that anyone who processes health data has a comprehensive duty to provide information, regardless of whether consent has been obtained. Healthcare professionals must inform patients transparently about data processing: the purpose, legal basis, recipients and retention period must be disclosed in a comprehensible manner (Art. 19 FADP).
Consent comes into play as a supplementary measure if there is no other legal basis or if particularly sensitive processing is carried out, such as when data is transferred to third parties or for research purposes. The following applies: valid consent must be voluntary, informed, specific and revocable at any time. Blanket or pre-filled consent forms – such as prior disclosure of the patient file or certain elements thereof to third parties – are inadmissible.
The factsheet urges service providers to critically review their forms: information and consent sections must be clearly separated and formulated in an understandable manner. Those who comply with this reduce the risk of data protection violations and at the same time build trust in patient contact.
Digital exchange of data – safety over convenience
Another focus is on the secure handling of patient data in digital communication. The factsheet expressly warns against the unsecured transfer of sensitive data – especially by e-mail or online form without encryption.
Digital data transfer should only take place if it is adequately secured. Only in special cases – and after obtaining clear, informed consent from the person concerned – may a less secure transfer be permissible. In these cases, the patient must be made aware of the risks and have a genuine choice (for example, between a secure portal and ordinary e-mail).
The implementation of technical and organisational security measures is crucial, especially in increasingly digitised practices. Anyone who transfers patient data via unsecure channels risks not only data protection complaints, but also liability consequences.
Data minimisation and purpose limitation – less is more
The FDPIC points out that only data that is absolutely necessary for treatment or administration may be collected in the healthcare sector. The principle of proportionality requires that patient data be collected for a specific purpose, be accurate and be collected as sparingly as possible.
Forms that request excessive information – such as occupation, nationality or marital status without any medical relevance – are not permitted. All information collected must serve a clear purpose and be medically or administratively necessary.
Doctors and therapists may find this reference to the principle of proportionality somewhat objectionable. In practice, this is difficult to implement without enormous additional effort. However, these requirements are not aimed at bureaucracy, but at trust: lean, purposeful data collection protects both patients and practices from unnecessary data protection risks.
Significance & Practical Recommendations for Healthcare Providers
The new information sheet is a wake-up call for all healthcare providers – from individual practices to therapy centres. Anyone who processes patient data should now check:
- Are my patient forms understandable, up to date and compliant with data protection regulations?
- Are the duty to provide information and consent clearly separated and documented?
- Is digital communication sufficiently secure from a technical standpoint?
- Is only data that is actually necessary being collected?
A practice that complies with data protection regulations not only strengthens legal certainty, but also patient trust – the foundation of all medical activity.
Frequently asked questions on data protection and patient forms
No. There is a legal basis for most processing carried out as part of medical treatment (Art. 31 para. 1 FADP, cantonal health laws). Express consent is only required if data is processed outside the scope of the treatment order or passed on to third parties – for example, for research purposes, marketing or insurance assessments. It is crucial that every patient is informed about data processing, even if consent is not required.
Yes, but only with a clear separation of functions. The EDÖB emphasises that the duty to provide information and consent must be distinguishable in terms of content and visually. Patients must understand which processing operations are mandatory (by law) and what they are voluntarily consenting to. It is advisable to use separate sections or checkboxes to ensure that consent is voluntary.
Health data is classified as particularly sensitive personal data (Art. 5 lit. c FADP). It may only be transferred electronically if the confidentiality and integrity of the data is guaranteed – for example, through encrypted emails, secure patient portals or specialised communication solutions. Unencrypted transfer is only permitted if the patient gives their express consent after receiving comprehensive information.
No. The Federal Act on Data Protection obliges service providers to minimise data collection: only information that is necessary for diagnosis, treatment or administrative purposes may be collected. Questions about occupation, religion or marital status are only permissible if they have a clear medical relevance.
Yes. Consent must be revocable at any time. The revocation is valid from the time of its declaration and takes effect for the future. However, data that has already been processed lawfully (e.g. for treatments carried out or services invoiced) may continue to be stored if there are legal obligations to do so, such as for documentation or invoicing purposes.