In a decision from December 2023, the Danish Data Protection Agency concluded that Aarhus University Hospital’s publication of patient photos on Instagram in the specific situation could not be based on consent from the patient. This will also apply to private hospitals.
In December 2023, the Danish Data Protection Agency published a decision on Aarhus University Hospital’s publication of information, including images, about patients on Instagram.
After referral to the Data Protection Agency, the Data Inspectorate assessed that the publication could not be based on the patient’s consent due to the unequal relationship that existed between the patient and the hospital. The Danish Data Protection Agency particularly emphasised the vulnerable situation that a patient typically finds himself in as an inpatient or in a current course of treatment. The Danish Data Protection Agency also assessed that there was no other legal basis for the publication.
Private hospitals must follow the same guidelines
The conclusions reached by the Danish Data Protection Agency in the case of Aarhus University Hospital’s publication of information on Instagram will also apply to private hospitals.
However, there are a number of issues that the Danish Data Protection Agency has not addressed in its decision on Aarhus University Hospital. These include the question of what applies in relation to a completed course of treatment or when the citizen is in a control programme.
In these cases, the Danish Data Protection Agency cannot exclude the possibility that information, including images, about the patient may be published on the basis of consent after a specific assessment.
It is therefore first and foremost the data subject’s situation that must be given decisive importance when assessing whether a valid consent can be obtained. Citizens who are going to or are being treated at a private hospital or treatment centre will often be in a vulnerable situation and may generally be in a situation that creates an inequality between the citizen and the hospital/hospital staff, which is why consent cannot be considered voluntary. Conversely, consent can be considered voluntary if the citizen’s treatment programme has been completed.
It is also important to realise that the rules of data protection law only apply if personal data is involved. The data controller should therefore consider from the outset whether this is the case in the specific situation.
You should also be aware that in some cases, special rules may apply in the healthcare sector, which must be taken into account when considering publishing information about patients on social media.