
Thursday 5 May 2016

Obtaining Valid Consent under the Data Protection Act 1998

This article was published on Lexis®PSL IT&IP in May 2016.

Background to Consent

To satisfy the first data protection principle in the Data Protection Act 1998 (“DPA 1998”) as derived from the European Data Protection Directive 95/46/EC, data controllers must be able to demonstrate, amongst other matters, that they have met:

  • one of the grounds for processing personal data under Schedule 2 of the DPA 1998; and
  • if the data constitutes sensitive personal data, then in addition to this, one of the grounds for processing sensitive personal data under:
    • Schedule 3 of the DPA 1998; or under
    • The Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/417), which sets out additional conditions which allow the processing of sensitive personal data in limited circumstances.

One of the numerous legitimising fair processing conditions that can be complied with to enable fair and legal processing of personal data governs a situation where the data controller obtains ‘consent’ from the data subject before processing the personal data or sensitive personal data.

Under the eighth data protection principle of the DPA 1998, data controllers must also show how they can legally justify transferring a data subject’s personal data outside of the European Economic Area (the “EEA”). One of the grounds that might be used to justify such a transfer is also consent (following Article 26(1)(a) of the Data Protection Directive).

The requirements to comply with the fair processing conditions under the first data protection principle and to comply with the eighth data protection principle surrounding transfer of personal data outside the EEA apply unless a relevant exemption under the DPA 1998 exists.

What does ‘consent’ mean?

Although ‘consent’ was not defined within the text of the DPA 1998, UK courts and tribunals are required to interpret the terminology used in the DPA 1998 in accordance with the wording and purpose of the Data Protection Directive 95/46/EC.

Article 2(h) of the Data Protection Directive defines consent as:

‘any freely-given specific and informed indication of [the data subject’s] wishes by which the data subject signifies his agreement to personal data relating to him being processed’.

Article 7(a) of the Data Protection Directive goes on to set out that the data subject should have unambiguously given his or her consent.

The European Union Article 29 Working Party (the “Art 29 Working Party”) has also produced Opinion 15/2011 (“the 2011 Opinion”) on their view of what is meant by ‘consent’ for the purposes of:
  • Directive 95/46/EC; and
  • Directive 2002/58/EC which was implemented in the UK through the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (as revised by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)) (“E-Privacy Regulations”).

Although Art 29 Working Party opinions are not directly binding on data controllers, they will be considered by the UK Information Commissioner’s Office (the “ICO”) when it is interpreting the DPA 1998. We have therefore taken account of the 2011 Opinion in drafting this Practice Note.

Is consent required and what happens if one cannot obtain consent?

As mentioned above, consent is one of a number of:
  • Fair processing conditions that may be relied on to enable fair and lawful processing of personal data under the first data protection principle;
  • Grounds to enable fair and lawful transfer of personal data outside the EEA under the eighth data protection principle.

It is not, therefore, mandatory to obtain consent if one of the other fair processing conditions under the first principle or one of the other international transfer grounds can be relied on.

Consent is, however, often used by UK data controllers in practice as either the sole legitimising fair processing condition (or sometimes as a back-up to another fair processing condition or grounds for processing), where it is the easiest condition or mechanism by which the data controller can show that they have complied with the DPA 1998.

That is not to say that this is always the best condition or ground for data controllers to rely on. In actual fact, it can often be a poor way to secure compliance. This is because individuals may withhold their consent, their consent may be withdrawn (see below), or indeed the reasons for which consent was originally sought and granted may have changed. In the latter case, this would mean that the data controller could no longer rely on the consent originally given.

For these reasons, it is always prudent for data controllers to consider if another fair processing condition or international data transfer ground would be better to rely on in any particular case.

Obtaining consent for the processing of sensitive personal data

Where consent is used as a legitimising ground for processing:

  • Personal data under Schedule 2 of the DPA 1998, it is stated that this should be where: ‘the data subject has given his consent to the processing’;

  • Sensitive personal data under Schedule 3 of the DPA 1998, it is stated that this should be where: ‘the data subject has given his explicit consent to the processing of the personal data’.

The key distinction therefore when looking at legitimate processing of sensitive personal data is that a data subject’s consent should be ‘explicit’.

The Art 29 Working Party Opinion 15/2011 sets out that ‘explicit consent’:
  • Means the same as express consent;
  • Encompasses all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing;
  • Is usually given in writing with a hand-written signature or in equivalent electronic form (for example, signified online through the use of clickable icons, by sending confirmation e-mails or by using electronic or digital signatures). For example, explicit consent will be given when data subjects sign a consent form that clearly outlines why a data controller wishes to collect and further process personal data;
  • While traditionally given in writing, it can also be given orally, although the Art 29 Working Party highlight that oral consent may be difficult to prove and, therefore, in practice, data controllers are advised to resort to written consent for evidentiary reasons;
  • Means that consent that is inferred, implied or an ‘opt-out’ will not normally meet the requirement of explicit consent

The ICO have also set out in their guidance that ‘explicit consent’:

  • Means that the data subject’s consent should be ‘absolutely clear’;
  • Should only be given where the data subject has been given a clear outline of the type of information (or the specific information) being processed, the purpose of the processing and ‘any special aspects that may affect the individual, such as disclosures that will be made’.

How to obtain consent generally

The Art 29 Working Party Opinion 15/2011 sets out that when obtaining consent generally, be that explicit consent or regular consent, the following requirements should be met:

  • It should be obtained before processing starts;
  • It should ‘include any indication of a wish, by which the data subject signifies his agreement’;
  • It should not be inferred from silence or inaction of the data subject;
  • It should be freely given;
  • It should be specific;
  • It should be informed;
  • It should be unambiguous.

We have explained each of these requirements in more detail below:

1. Consent should be obtained before processing starts
Neither the DPA 1998 nor Directive 95/46/EC specify exactly when consent should be obtained but the Art 29 Working Party Opinion 15/2011 suggests that, as a general rule, it should be obtained before the data controller starts processing personal data. The Art 29 Working Party does, however, explain that there is a difference between:
  • Situations where obtaining consent is a legal requirement (for example, in some cases when sending out direct marketing electronically, or where consent is the only available ground for processing personal data under the DPA 1998 because none of the other fair processing conditions can be used to justify the processing in question). In this situation, the data controller must obtain consent before the processing starts, to avoid prior processing being unlawful if the data subject does not ultimately provide consent; and
  • Situations where the data subject exercises their right to object to processing. For example, the data controller may be relying on a different fair processing condition under Schedules 2 and 3 of the DPA 1998 to justify their processing (i.e. a condition other than consent). The data subject may decide to exercise their right to object to the processing being carried out or they may withdraw their consent at any time (see below), but until such times as they do so, the data controller can continue processing the personal data. Data controllers should consider any objections or withdrawal of consent promptly so that the processing continues to be fair and lawful (see below).

2. The consent should ‘include any indication of a wish, by which the data subject signifies his agreement’
The data subject should indicate his/her wishes and signify their agreement in some way that enables the data controller to understand their wishes. The method the data controller uses to obtain and record consents should be proportionate to the circumstances.
Consent does not therefore need to be in writing. It is, however, usually best practice to obtain written consent for evidentiary purposes, particularly when dealing with sensitive personal data, as the Art 29 Working Party recommends (see above).

Obtaining consent orally or from ‘behaviour from which consent could be reasonably concluded’ may be perfectly acceptable in some circumstances, though. The Art 29 Working Party gives the example of dropping a business card in a glass bowl or an individual sending his name and address to an organisation in order to obtain information from it. “In this case his action should be understood to constitute consent to the processing of such data insofar as it is necessary to process and respond to the request.”

The ‘indication of wishes’ from the data subject must be clear to enable valid consent for the processing of data. To extend the example given by the Art 29 Working Party, let us assume that the data subject dropped their business card in a bowl in response to a sign advertising that a competition winner would be drawn from the business cards in the bowl, but stating nothing else. If the sign does not make it clear that the business also intends to use the information from the business card for on-going marketing, is it fair to assume the person consented to that, or only that they consented to participating in the competition and being contacted for those purposes? It seems likely that the latter would be considered the case.

3. Consent should not be inferred from silence or inaction of the data subject

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that:
  • For an individual to signify their agreement, there must usually be some type of active communication between the parties;
  • Data controllers should not infer consent from non-response to a general communication (for example, from passive behaviour like failure to respond to a communication, return a form, tick a box or respond to a leaflet).

The Art 29 Working Party suggests that without active communication data controllers will often be unable to prove whether the data subject intended to consent.

4. Consent should be freely given

Consent has to be freely given. The Art 29 Working Party Opinion 15/2011 states that:
  • Consent “can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent”.
  • It has explored the limits of consent in several opinions in relation to situations where consent cannot be freely given (e.g.in its opinions on electronic health records (WP131), on the processing of data in the employment context (WP48) and on processing of data by the World Anti-Doping Agency (WP162)).
  • If, once consent is withdrawn, the data processing continues based on another legal ground, doubts could be raised as to the original use of consent as the initial legal ground: if the processing could have taken place from the beginning using this other ground, presenting the individual with a situation where he is asked to consent to the processing could be considered as misleading or inherently unfair.
  • In practice the data subject must have a genuine ability to refuse to give their consent or to withdraw their consent in order for consent to be ‘freely given’. In the employment context, for example, consent may be freely given provided there are appropriate safeguards in place to ensure that the employee has a genuine option to decline (see Opinion 15/2011 for more discussion about the use of consent in an employment relationship).

5. Consent should be specific

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that:
  • The wording used to obtain any consent should:
    • Be clear and understandable;
    • Relate to the actual type of data and the actual purposes of the data processing to be carried out, not to ‘an open-ended set of processing activities’ (i.e. blanket generic processing consents should not be sought for all processing, but instead the different purposes must be identified individually (e.g. international data transfer, data sharing, direct marketing etc.));
    • Reflect the reasonable expectation of the parties;
    • Give the data subject the choice to consent in respect of specific processing activities. As the ICO has described: “If you process information for a range of purposes, you should explain this to people. When doing so, you should provide a clear and simple way for them to indicate that they agree to each type of processing. In other words, people should not be forced to agree to several types of processing simply because your privacy notice only includes an option to agree or disagree to all. People may wish to consent to their information being used for one purpose but not another”.
    • The ICO recommends that you should list the different purposes where you are relying on consent with individual unticked opt-in boxes for each or Yes/No buttons of equal size and prominence. Opt-in boxes can be prominently placed in your privacy notice or, with online products and services you may wish to use ‘just-in-time’ notices so that relevant information appears at an appropriate time.
  • Consent will be valid ‘as long as the processing to which it relates continues’.
  • If new kinds of data processing are required, new consents will need to be obtained. Consents linking back to the original notified purposes will not be valid to cover new data processing activities. Note that other fair processing conditions under Schedules 2 and 3 of the DPA 1998 might apply (as discussed above) but in any event it is likely that new fair processing information will need to be provided to the data subject in relation to the new processing that the controller intends to be carried out.
  • It is acceptable for data controllers to obtain consent only once for related but different operations that take place at different times if each of those operations falls within the reasonable expectation of the data subject at the time the individual consented.

6. Consent should be informed

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that:
  • Adequate fair processing information should be provided to enable compliance with the first data protection principle;
  • Consent should be ‘based [on] appreciation and understanding of the facts and implications’;
  • Any information given in order to obtain consent should:
    • Be in a language that is clear, legible and intelligible to an average user;
    • Be set out in a clear, understandable, transparent, clearly visible and prominent manner. As the ICO have stated “good practice is to use an unticked opt-in box. If your consent mechanism consists solely of an “I agree” box with no supporting information then users are unlikely to be fully informed and the consent cannot be considered valid”;
    • Be easy to understand, perhaps using a multi-layered approach to privacy notices to aid understanding but ensuring that these are all clearly signposted and easy to access. See the ICO’s Privacy Notices Code of Practice for more information;
    • Make clear any adverse consequences associated with the data processing; and
    • Provide more detailed and appropriate information where there are complex data processing operations involved.
  • Consent should be based on honest information. You should not lead people to believe that they can exercise choice over the collection and use of their personal data if in reality they have not got that choice. As the ICO have stated, “there is a fundamental difference between telling a person how you’re going to use their personal information and getting their consent”.
  • To gain consent to using personal data for direct marketing purposes, you should have a separate, unticked, opt-in box prominently displayed. See the ICO’s Guidance on Direct Marketing and the ICO’s Personal Information Online Code of Practice for more detailed information on how to gain valid consent in the marketing context.

7. Consent should be unambiguous

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that for consent to be unambiguous:
  • It should not usually be based on inaction or silence from data subjects as this always carries inherent ambiguity;
  • There should be ‘no doubt as to the data subject’s intention to deliver consent’, i.e. as per the Opinion, “the indication by which the data subject signifies his agreement must leave no room for ambiguity regarding his/her intent. If there is a reasonable doubt about the individual’s intention, there is ambiguity”;
  • Data controllers should have implemented robust procedures to capture consents appropriately (whether that is clear express consent or clear inferred consent) and to ensure that the person giving consent is actually the data subject (especially where consent is obtained over the telephone or online);
  • Data controllers should keep evidence of the consents obtained and how they were obtained.
Unambiguous consent may be obtained using different methods of collection (such as signed or written statements, online forms which are ticked or express oral recorded consent), as discussed elsewhere in this practice note.

We have set out below some examples of how one might gain valid consent in different scenarios (e.g. in relation to children, where there are incapacity issues etc.).

Consent from Children and Others with Incapacity

Neither the DPA 1998 nor Directive 95/46/EC specify how consent should be obtained from individuals who lack full legal capacity, including children.

The Art 29 Working Party Opinion 15/2011 sets out that:
  • The conditions for obtaining valid consent from children vary across the EEA.
  • When children's consent is sought, legal requirements may require obtaining the consent of the child and the representative, or the sole consent of the child if he or she is already mature. The ages when one or the other rule applies vary. There are no harmonized procedures for verifying a child’s age.

The ICO's ‘Personal Information Online Code of Practice’ sets out how to obtain consents from vulnerable individuals and children in the context of the online environment. This guidance may perhaps be extended to offline processing of information relating to children and vulnerable people as well, but the ICO has not made this clear. Some of the key points coming out of that ICO guidance are as follows:

  • The ICO refers to ‘vulnerable people’ as, “anyone who, for whatever reason, may find it difficult to understand how their information is used. This could be because they are children, have a learning disability or lack technological understanding”.
  • The DPA 1998 requires fair processing of personal data – this applies regardless of the level of understanding of the people you collect information from. Data Controllers should therefore assess the level of understanding of the people their service is aimed at and must not exploit any lack of understanding from those people. This can be particularly challenging when engaging with people online.
  • In the UK there is no simple legal definition of a ‘child’ based on age alone. Children of a similar age can have different levels of maturity and understanding. Data Controllers should consider the particular circumstances of the processing as well as the individuals’ ability to understand these to ensure that children’s data is processed fairly.
  • Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly. Having said that, a practical view would be that some form of parental consent would normally be required before collecting personal data from children under 12. You will need to look at the appropriate form for obtaining consent based on any risk posed to the child. You may even decide to obtain parental consent for children aged over 12 where there is greater risk. This has to be determined on a case by case basis.
  • The ICO recommends consideration of other laws, industry rules and codes of practice to determine whether any restrictions apply to children under a certain age.
  • The ICO also highlights various instances in which it is good practice to seek parental consent relating to the collection or use of information about a child.

Withdrawing consent

Data subjects may withdraw their consent to data processing at any time but it will not have retroactive effect.

The Art 29 Working Party refers in Opinion 15/2011 to its previous Opinion 5/2005 on Article 9 of Directive 2002/58/EC, in which it formulated the view that:
  • Withdrawal of consent relates to withdrawal in relation to future processing, not for the data processing that took place in the past, in the period during which the data was collected legitimately;
  • Decisions or processes previously taken on the basis of this information can therefore not be simply annulled. However, if there is no other legal basis justifying the further storage of the data, they should be deleted by the data controller.

This means that in practice a withdrawal of consent requires data controllers to stop processing any personal data where that processing was carried out on the basis of that consent (see ‘Is consent required and what happens if one cannot obtain consent?’ above).
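The requirements above (per-purpose opt-in rather than blanket consent, no consent inferred from a pre-ticked box or inaction, evidence of each consent and how it was obtained, and withdrawal that stops future processing without making past processing unlawful) are concrete enough to model in code. The following consent ledger is an added, hypothetical example written for this note; it is not code from the Practice Note, the ICO or the Art 29 Working Party. The purpose names, subject identifier, consent methods, notice versions and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List

# Purposes are identified individually (no open-ended "all processing" consent).
# Constructed set of purposes for illustration.
PURPOSES = frozenset({"competition_entry", "direct_marketing", "international_transfer"})


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool        # True = opt-in given, False = consent withdrawn
    method: str          # how consent was obtained, e.g. "web_form_unticked_optin"
    notice_version: str  # the fair processing notice shown at the time
    at: datetime


@dataclass
class ConsentLedger:
    """Append-only record of consent events for one data subject."""
    subject_id: str
    events: List[ConsentEvent] = field(default_factory=list)

    def record_optin(self, purpose: str, method: str, notice_version: str,
                     at: datetime, box_was_preticked: bool = False) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}; consent must name a specific purpose")
        if box_was_preticked:
            # A pre-ticked box is inaction, not an active indication of the subject's wishes.
            raise ValueError("consent cannot be inferred from a pre-ticked box")
        ev = ConsentEvent(purpose, True, method, notice_version, at)
        self.events.append(ev)
        return ev

    def withdraw(self, purpose: str, method: str, at: datetime) -> ConsentEvent:
        ev = ConsentEvent(purpose, False, method, "n/a", at)
        self.events.append(ev)
        return ev

    def consent_in_force(self, purpose: str, at: datetime) -> bool:
        """Was consent for `purpose` in force at time `at`? Only events on or before
        `at` count, so a later withdrawal never makes earlier processing unlawful."""
        relevant = [e for e in self.events if e.purpose == purpose and e.at <= at]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted

    def evidence(self, purpose: str) -> List[dict]:
        """Evidence of the consents obtained for a purpose and how they were obtained."""
        return [{"granted": e.granted, "method": e.method,
                 "notice_version": e.notice_version, "at": e.at.isoformat()}
                for e in self.events if e.purpose == purpose]


def action_on_withdrawal(other_legal_basis: bool) -> str:
    """After withdrawal: stop consent-based processing in every case, and delete
    the data unless another legal basis justifies keeping it."""
    return "stop_processing_and_retain" if other_legal_basis else "stop_processing_and_delete"


def preticked_box_is_rejected() -> bool:
    """Confirms that an opt-in recorded from a pre-ticked box is refused."""
    try:
        ConsentLedger("subject-0002").record_optin(
            "direct_marketing", "web_form", "notice-v1",
            datetime(2016, 5, 5, tzinfo=timezone.utc), box_was_preticked=True)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: consent to two purposes at 09:00, marketing withdrawn at 12:00."""
    t = lambda h: datetime(2016, 5, 5, h, tzinfo=timezone.utc)
    ledger = ConsentLedger("subject-0001")  # constructed identifier
    ledger.record_optin("competition_entry", "web_form_unticked_optin", "notice-v1", t(9))
    ledger.record_optin("direct_marketing", "web_form_unticked_optin", "notice-v1", t(9))
    ledger.withdraw("direct_marketing", "unsubscribe_link", t(12))
    return {
        "marketing_at_10": ledger.consent_in_force("direct_marketing", t(10)),   # True
        "marketing_at_13": ledger.consent_in_force("direct_marketing", t(13)),   # False
        "transfer_at_10": ledger.consent_in_force("international_transfer", t(10)),  # never given
        "competition_at_13": ledger.consent_in_force("competition_entry", t(13)),    # still in force
        "marketing_evidence_count": len(ledger.evidence("direct_marketing")),    # grant + withdrawal
    }


if __name__ == "__main__":
    print(demo())
```

The ledger is append-only so the withdrawal sits alongside the original grant rather than overwriting it; that keeps the evidence of how and when consent was obtained, and lets `consent_in_force` answer the question that matters for a complaint or audit, namely whether consent was in force at the moment a given processing operation happened.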

Rights around withdrawal of consent were further considered in the ECJ case of Google Spain SL and another v Agencia Española de Protección de Datos (AEPD) and another (Case C-131/12) in which data subjects were entitled to ask a search engine operator that has ‘a branch or a subsidiary’ in an EU member state to delete from websites any links to the data subject’s name.

What is changing in relation to consent under the GDPR?

It is intended that Directive 95/46/EC will be replaced by a new General Data Protection Regulation (the “GDPR”), which is due to come into force on 25 May 2018. For more information on the GDPR reforms and their likely impact on your organisation, contact us.
