A primary condition for the processing of sensitive personal data is that the data subject has given his or her consent (cf. Schedule 2 (1)). Moreover, the consent must be “explicit” according to the DPA (cf. Schedule 3 (1)). Although there is no clear definition of “explicit consent” in the DPA, the ICO’s guide to data protection emphasises that there must be some form of “active communication” between the parties involved for the processing of sensitive personal data (ICO: 115). The guide also specifies that:
“(…) the individual’s consent should be absolutely clear. It should cover the specific processing details; the type of information (or even the specific information); the purposes of the processing; and any special aspects that may affect the individual, such as any disclosures that may be made” (Op.cit.: 116).
In addition, the data subject must receive information about the following for consent to be validly given:
- Sufficient information to ensure that they understand what is involved in the research and what will happen to their personal data. The information must be presented in a form that they can understand; and
- Individuals' consent must be given voluntarily, not under any pressure or influence from health professionals, family or friends (University of Bristol 2014b).
The legal age of consent
With regard to the legal age for consent, the ICO guide states that consent must be “(…) appropriate to the age and capacity of the individual and to the particular circumstances of the case” (ICO: 115).
According to the University of Bristol’s “Advice on Research”, it is considered good practice to obtain consent from a parent or carer with parental responsibility for any research involving young people under the age of 18. Additionally, one should also obtain the assent/consent from the child or young person (University of Bristol 2014b).
Check Schedule 66 (1) and (2) for legal age - Scotland?!
According to the University of Bristol’s advice on research, it is good practice to stop the research if a participant objects and asks to withdraw. Participants who have consented to take part in a research project are entitled to withdraw their personal data from the project at any time (University of Bristol 2014b).
Obligation to provide information:
All data controllers are obliged to provide the data subject with the following information:
a) the identity of the data controller,
b) if he has nominated a representative, and if so the identity of that representative,
c) the purpose for which the data are intended to be processed, and
d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair (cf. Schedule 1 Part II paragraph 2 (3)).
The information must be provided to the data subject unless this is impossible (cf. Schedule 1 Part II paragraph 2 (1) (b)) or disproportionately difficult (Schedule 1 Part II paragraph 3 (1) and 3 (2) (b)), or unless other conditions prescribed by the Secretary of State apply (cf. Schedule 1 Part II paragraph 3 (1)).
The UK Data Archive’s example information sheet:
The UK Data Archive’s examples of consent forms:
- UK Data Archive model consent form:
- Participation of children:
- Interviews in the workplace:
- Research projects gathering telephone interviews:
- Diaries- transcribed interviews:
Information for medical research:
According to the University of Bristol’s advice on research, medical research information must cover the following points:
- That there is no pressure to take part and participants can withdraw consent at any time without their medical care being affected,
- If the research is a clinical trial, the nature of the trial, and the information so far on the therapy’s effectiveness and side effects,
- If the research is a randomised controlled trial, the fact that they will be randomly assigned to the standard treatment, the new treatment or (if applicable) the placebo (University of Bristol 2014b).
Exemptions from consent
Among the conditions for processing personal data listed in the DPA, consent (cf. Schedule 2, or explicit consent, cf. Schedule 3) is simply one of the alternatives. For this reason, Beyleveld et al. claim that there is nothing in the DPA that explicitly states consent of the data subject as a necessary condition for legitimate processing of sensitive data (2004: 417).
However, as all UK legislation should (if possible) be interpreted in a way that is compatible with the provisions of the European Convention on Human Rights (ECHR), Beyleveld et al. assert that:
(…) it is arguably that consent must be obtained for the processing of sensitive personal data unless conditions that would satisfy a breach of Article 8 (1) of the ECHR are satisfied [i.e. Right to respect for private and family life] (ibid.).
The Common Law Duty of Confidentiality
The Duty of Confidentiality according to common law is not easily defined. Common law (also known as case law or precedent law) is not written out in one document like an Act of Parliament. It is rather a form of law developed by judges through court decisions, and is applied by reference to previous legal cases. For this reason it is difficult to make clear-cut definitions of this concept (Data Archive UK 2014 a)).
However, the general position with regard to the Common Law Duty of Confidentiality is that information cannot normally be disclosed without the consent of the data subject, regardless of whether it is registered on paper, computer, visually or audio recorded, or held in the memory of the professional (DHSSPS 2013). The Duty of Confidentiality also applies regardless of, for example, how old the patient/client is, or what the state of his/her mental health is (ibid.).
One of three conditions must be met for confidential information to be disclosed in a lawful manner:
1. Consent of the data subject,
2. Disclosure is necessary to safeguard the data subject, or others, or is in the public interest, or
3. There is a legal duty to do so, e.g. a court order (ibid.).
The Confidentiality Advisory Group (CAG) provides independent expert advice to the Health Research Authority (for research applications) and the Secretary of State for Health (for non-research applications) on whether applications to access patient information without consent should or should not be approved (Health Research Authority a)). The CAG application procedures are described here:
Disclosure of official statistics
According to the Statistics and Registration Service Act 2007, personal information can be disclosed to an “approved researcher” (part 1, article 39 (4)), i.e. “(…) an individual to whom the Board has granted access, for the purpose of statistical research, to personal information held by it” (Article 38 (5)).
Exemption from duty to inform:
If data are obtained from sources other than the data subject, the DPA exempts the controller from the requirement to provide information such as the identity of the controller, if this would require “disproportionate effort” (cf. Schedule 1 Part 2 paragraph 3).
The Confidentiality Advisory Group (CAG):
Statistics and Registration Service Act 2007:
The UK Data Protection Act 1998:
Beyleveld, D., Grubb, A., Townend, D., Morgan, R. and Wright, J. 2004. “The UK’s Implementation of Directive 95/46/EC”, in Beyleveld, D., Townend, D., Rouille-Mirza, S. and Wright, J. (eds.). Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Aldershot: Ashgate, pp. 403-428.
Data Archive UK 2014 a). Duty of Confidentiality [Internet]. Data Archive UK. Available at: http://www.data-archive.ac.uk/create-manage/consent-ethics/legal?index=1, [Accessed June 19 2014].
DHSSPS 2013. The Common Law Duty of Confidentiality [Internet]. Department of Health, Social Services and Public Safety (DHSSPS). Available at: http://www.dhsspsni.gov.uk/gmgr-annexe-c8, [Accessed June 19 2014].
ICO. The Guide to Data Protection [Internet]. Information Commissioner’s Office (ICO). Available at: http://ico.org.uk/for_organisations/data_protection/~/media/documents/library/Data_Protection/Practical_application/the_guide_to_data_protection.pdf, [Accessed June 19 2014].
University of Bristol 2014 b). Obtaining consent and the collection of personal and sensitive data [Internet]. University of Bristol. Available at: http://www.bris.ac.uk/secretary/dataprotection/research/consent.html, [Accessed June 19 2014].