Everything about digital informed consent in clinical psychology. Legal requirements in Portugal, GDPR implications, best practices for obtaining and storing electronic consent securely.

Digital Informed Consent: What You Need to Know

Informed consent is a fundamental pillar of clinical practice in psychology. With the increasing digitization of mental health services, the transition to digital informed consent has become not just a convenience but a necessity. However, this transition raises legal, ethical, and practical questions that every professional must understand before implementing it. This article explores the requirements, implications, and best practices of digital informed consent in Portugal.

What Is Informed Consent?

Informed consent is the process through which the patient receives sufficient information about the proposed treatment to make an autonomous and informed decision about their participation.

Essential Elements

To be valid, informed consent must include:

Nature of the treatment: What psychotherapy is, what approach will be used.
Objectives: What the treatment aims to achieve.
Risks and benefits: Including the possibility of temporary worsening of symptoms.
Alternatives: Other available treatment options.
Right to refuse: The patient may refuse or withdraw at any time.
Confidentiality: Its limits and exceptions.
Estimated duration and frequency: Forecast of the therapeutic process.
Fees and payment policy: Rates, methods, and cancellation policy.

Legal Basis in Portugal

Informed consent in healthcare is regulated by multiple sources:

Code of Ethics of the Portuguese Order of Psychologists (OPP): Articles 7 to 9.
Health Framework Law (Law No. 95/2019): Recognizes the right to consent.
Oviedo Convention: Ratified by Portugal, establishes standards on consent in healthcare.
GDPR (Regulation 2016/679): Specific requirements for health data.
Portuguese Civil Code: Articles on personality rights.

The Transition to Digital

Moving from paper-based consent to digital is not merely a change of medium — it is a transformation of the process that offers significant advantages.

Advantages of Digital Consent

For the professional:

Elimination of paper and physical filing.
Complete traceability (when it was sent, opened, signed).
Centralized version management.
Easy to update when legislation or practice changes.
Integration with the digital clinical record.

For the patient:

Can read at their own pace, before the first session.
Ability to review the document at any time.
Accessible format across multiple devices.
No pressure to sign at the time of the consultation.

Legal Validity of Digital Consent

In Portugal, consent given electronically is legally valid, provided it meets certain requirements:

Decree-Law No. 12/2021: Regulates electronic signatures and electronic documents.
eIDAS Regulation (910/2014): Establishes the European framework for electronic signatures.
Article 7 of the GDPR: Conditions for valid consent.

Consent does not require a qualified electronic signature (with a digital certificate) to be valid in a clinical context. A simple electronic signature — such as clicking an acceptance button after reading the document, with a record of date, time, and IP address — is generally sufficient.

GDPR Requirements for Consent in Mental Health

Mental health data is classified as sensitive data (special category) by the GDPR, requiring enhanced protection.

Applicable Principles

Transparency: The patient must clearly understand:

What data is collected.
For what purposes.
Who will have access.
How long it will be retained.
How they can exercise their rights.

Specificity: Consent must be specific to each purpose. A generic consent covering all possible uses is not valid.

Freedom: Consent must be genuinely free. The patient cannot be penalized for refusing.

Revocability: The patient must be able to withdraw consent as easily as they gave it.

Consent vs. Other Legal Bases

It is important to distinguish: not all data processing in a clinical context is based on consent.

Clinical treatment: The legal basis may be vital interest or the provision of healthcare (Art. 9(2)(h) of the GDPR), not necessarily requiring explicit consent for strictly necessary data.
Recording sessions: Requires explicit consent.
Sharing with other professionals: Requires explicit consent.
Use for research: Requires explicit and specific consent.

Consent for Minors

In Portugal, for the processing of minors' personal data in information society services, the GDPR is complemented by national legislation:

Under 13 years old: parental consent is mandatory.
13-17 years old: depends on the context and maturity, but in mental health, parental involvement is generally recommended.
From 16 years old: increasing autonomy in health decisions.

To explore GDPR issues in mental health further, see our detailed article on GDPR and mental health in Portugal.

Content of Digital Informed Consent

A complete digital informed consent for clinical psychology should include specific sections.

Section 1: Identification

Professional's details (name, OPP license number, specialty).
Patient's details (name, date of birth, contact).
In the case of minors: legal guardian(s) details.

Section 2: Treatment Information

Nature of psychotherapy and approach used.
General treatment objectives.
Estimated duration and frequency of sessions.
Expected risks and benefits.
Alternatives to the proposed treatment.

Section 3: Confidentiality and Its Limits

General rule of professional secrecy.
Legal exceptions: risk to life, child abuse, court order.
Sharing with other professionals (if applicable).
Clinical supervision (if applicable, with anonymization).

Section 4: Data Protection

What data is collected and processed.
Purposes of data processing.
Legal basis for processing.
Retention period.
Data subject rights (access, rectification, erasure, portability).
Contact details of the data controller.
Right to lodge a complaint with the CNPD (Portuguese Data Protection Authority).

Section 5: Financial Aspects

Session fees.
Accepted payment methods.
Cancellation and no-show policy.
Invoicing information.

Section 6: Online Modality (if applicable)

Platform used and its security measures.
Specific risks of teleconsultation.
Emergency procedures.
Patient responsibilities (private space, connection stability).

Section 7: Specific Consents

Checkboxes or separate signatures for:

General consent for treatment.
Consent for session recording (if applicable).
Consent for sharing with other professionals.
Consent for use of data in research (if applicable).
Consent for electronic communications (reminders, questionnaires).

Section 8: Declaration and Signature

Declaration that the patient has read and understood the information.
Date and signature (digital).
Automatic recording of metadata (IP, device, timestamp).

Technical Implementation

Platform Requirements

The platform used to manage digital consent must ensure:

Encryption: Data encrypted in transit (TLS) and at rest.
Access control: Only the authorized professional can access the document.
Audit trail: Immutable record of all actions (creation, sending, opening, signing).
Backup: Regular backup copies.
GDPR compliance: Processing within the EU, DPA available.

Mena.ai's patient portal includes digital informed consent management with all these guarantees: secure delivery, electronic signature, versioning, and complete audit trail.

Recommended Workflow

Before the first session: Consent is sent to the patient via the portal or secure email.
Patient reads: The patient can read at their own pace, on any device.
Questions: The patient can contact the professional for clarification.
Signature: The patient signs digitally.
Confirmation: Both parties receive a signed copy.
Filing: The document is stored in the digital clinical record.

Version Management

Informed consent is not a static document. It should be updated when:

Applicable legislation changes.
The therapeutic approach changes.
New services are added (e.g., online therapy).
The pricing or cancellation policy changes.
The technology platform changes.

When the document is updated, active patients should be informed and sign the new version.

Common Mistakes to Avoid

Generic Consent

Avoid consent documents that try to cover every possible situation with generic text. Consent should be specific to the context of your practice.

Inaccessible Language

The document should be written in clear, accessible language, not legalese. The patient must genuinely understand what they are consenting to.

Consent as a Formality

Consent is not a form to sign quickly before the session. It is a communication process. Set aside time to discuss the content with the patient.

Ignoring Revocation

If a patient revokes consent (in whole or in part), that revocation must be recorded immediately and its implications acted upon.

Not Updating

Outdated consent can be as problematic as having no consent at all. Review the document at least annually.

Special Cases

Couples and Family Therapy

Each adult member must sign their own consent.
Include specific rules about intra-couple confidentiality (what is shared and what is not).
Define what happens if one member withdraws.

Forensic Assessment

Consent must explicitly state the forensic nature of the assessment.
The patient must understand that the report will be shared with third parties (court, lawyer).
Confidentiality limits differ from the clinical context.

Research

Separate and specific consent for research participation.
Must be submitted to an ethics committee.
The patient must be able to participate in treatment without participating in the research.

Frequently Asked Questions

Does digital consent have the same validity as paper consent?

Yes. In Portugal, consent given electronically is legally valid, provided it can be proven that it was given freely, informedly, and specifically. The digital record (with timestamp, IP, and signer identification) offers, in practice, greater traceability than a paper signature.

Do I need a qualified electronic signature (Chave Movel Digital)?

No, for clinical consent. A simple electronic signature (clicking an acceptance button with metadata recording) is sufficient for most clinical contexts. A qualified signature may be recommended in forensic contexts or situations of high legal risk.

What happens if the patient withdraws consent?

Withdrawal of consent applies going forward — it does not invalidate data processing already carried out with a legal basis. The professional must cease processing data for which consent was withdrawn and document the withdrawal.

How long should I keep the consent?

Consent should be retained throughout the treatment period and, after its conclusion, for the legally required period for clinical record retention. In Portugal, a minimum of 5 years after the last consultation is recommended, although some sources suggest 10 years.

What if the patient does not have digital access?

Always maintain the option of paper consent for patients without digital access or skills. The format should not be a barrier to accessing healthcare.

Can I send the consent by email?

You can, but email is not considered a secure channel for sensitive data. Ideally, consent should be managed through a secure platform with encryption. If you use email, avoid including health data in the email body and use secure links to the document.

Conclusion

Digital informed consent is not merely a modernization of the process — it is an opportunity to make it more transparent, more accessible, and more secure. With the right platform, the professional saves administrative time, ensures legal compliance, and offers the patient a respectful and informed experience from the very first contact.

Mena.ai's integrated clinical management includes digital informed consent with electronic signature, automatic versioning, and full integration with the clinical record — so you can begin every therapeutic relationship on the right foundation.

Informed consent is not a bureaucratic obstacle — it is the first therapeutic act. The way you manage it reflects the respect you have for your patients' autonomy.