Skip to content

Why medicals need explicit consent

Every other document you upload to Syndik8 (your asset’s ARC, the syndicate agreement, even your pilot licence) is ordinary personal data. You pick a file, give it a title, and tap upload. The pilot medical is different. It carries one extra screen before anything is stored, whether you are uploading the certificate or recording just its expiry date: a consent screen, where you have to read what we’ll store and tap Accept first. Even the bare expiry date is information about your health, so the date-only path is gated exactly like the upload.

This page explains why, and why the extra step is the smallest one that lets us do the right thing.

UK GDPR Article 9 sets aside a small group of personal data categories that get heightened protection. Health data is one of them. Processing health data needs both a lawful basis under Article 6 and a condition for processing under Article 9. The two have to add up; Article 6 alone isn’t enough.

A pilot’s aeromedical certificate is health data. It is, at minimum, an authoritative document saying “as of {date}, a qualified examiner found this person medically fit to fly to {standard}”. That’s a health assessment, recorded in writing, about a named person. It is unambiguously inside Article 9’s scope.

Of the conditions Article 9 offers, explicit consent (Article 9(2)(a)) is the cleanest fit for what Syndik8 actually does. The pilot chooses, of their own volition, to put the document on the platform. The platform doesn’t require a medical to use any feature. The pilot is free to say no, free to change their mind, free to withdraw the consent later. That mapping is what consent is designed for.

Other Article 9 conditions don’t fit. There is no public-health imperative. Syndik8 is not an employer running an employment health check. There is no legal obligation we discharge by reading your medical. Vital interests is a last-resort condition for things like ambulance dispatch. None of those describe “a syndicate management app keeping a copy of a medical certificate for the pilot’s own convenience”. Explicit consent does, and so explicit consent is what Syndik8 uses.

Article 9(2)(a) and Article 7 between them set a tighter standard than the Article 6 baseline. Consent must be:

  • Specific: to a particular processing operation, not blanket sign-off.
  • Informed: the consent screen has to spell out, in plain language, what will be processed and how.
  • Unambiguous: a clear affirmative action, not a pre-ticked box or a tap-through.
  • Freely given: refusing has to be a real option without penalty.
  • Documented: the controller must be able to prove later that consent was given.
  • Withdrawable: at any time, as easily as it was given.

The consent screen and the ability to delete your medical (which withdraws consent) are how Syndik8 satisfies each of those. See Medical consent for the operational detail.

Why the server enforces it, not just the app

Section titled “Why the server enforces it, not just the app”

Article 7(1) places the burden of proof on the data controller. Syndik8 has to be able to show that you consented. So the consent record (when, and to which version of the wording) is written to your profile at the moment you tap Accept, and the server refuses to accept your medical upload without it.

An app-only gate would have been simpler to build. But it has two problems. First, it doesn’t prove anything: a bug that lets the consent screen skip would silently leave us with medicals on file that we cannot prove anyone consented to. Second, it doesn’t survive any technical bypass: anyone who goes around the app could write a medical regardless of what the screen showed. The server-side gate is the belt-and-braces version. Even if every layer above it misbehaves, the certificate cannot land in storage without a current consent record on the corresponding account.

If the consent wording is materially updated (for instance, because Syndik8 changes who else might see the expiry chip, or extends what’s stored), the version on the new wording will move forward. Any existing pilots whose consent was given against an older version are re-prompted before their next medical action, and the server refuses to accept the write if the stored version is older than the current version. This is what Article 7 means by “consent must be specific”: your old “yes” was specific to the old wording, and a new wording asks the question again.

Your already-recorded medical is unaffected by the version bump. It stays on file, you keep getting its renewal reminders, and your admins keep seeing your expiry chip. The version gate is on new writes only.

Why the licence doesn’t need the same step

Section titled “Why the licence doesn’t need the same step”

The pilot licence isn’t health data. It’s a credential: a document that says “the holder is qualified to fly”. It is ordinary personal data under Article 6 (we process it on the basis of your consent to the terms when you signed up), and it does not need an Article 9 condition. So the licence upload skips the consent screen.

It’s not that the licence is less important than the medical. It’s that Article 9 specifically picks out health data for heightened protection, and the licence isn’t health data.

Designing this, we considered three alternatives:

  1. Don’t store the medical at all. Simple but unhelpful. Pilots would have to keep their own renewal calendars, and admins would have no way to see currency at a glance. The product loses an obvious value-add for a regulatory category that does allow processing with consent.
  2. Store the medical without the consent screen. Faster onboarding by exactly one screen, at the cost of putting Syndik8 in breach of Article 9 from day one. Not on offer.
  3. The consent screen we built. One extra step on the first upload only, after which subsequent renewals skip it (the existing consent covers them, as long as the wording version hasn’t moved). One extra screen, one extra button on the My documents tile, in exchange for a defensible compliance posture and a real “you control your medical” story for the pilot.

The third option wins on cost-benefit. The consent screen is not a marketing exercise. It is the smallest extra step that lets Syndik8 store health data lawfully, and a real lever the pilot can pull to say no or change their mind.