I have been rather ambivalent about the debate about consent in the Directive 95/46/EC and the proposed replacement Regulation (if it happens). However the antics of the Insurance Industry in the UK in relation to subject access have convinced me that the European Parliament’s approach towards consent needs supporting.
So what has the Insurance Industry done to deserve reproach? Well, it has continued its practice of asking the data subject, when needed, to consent to a subject access request for their own medical records in relation to health insurance products. Although it is not strictly “enforced subject access” (which the Government says is to be a criminal offence in relation to criminal conviction personal data), it is fair to say it is a variant on the same theme.
Legal and General, for instance, explains that its “medical records subject access request” is not an enforced subject access request because the data subject “consents” to the process; such consent is fully informed and freely given (of course). These sensitive personal data are sent directly to the insurer, and the data subject does not see his own personal data unless he asks the insurer (see references).
Personally, I find the idea that the Insurance Industry can come up with a procedure so that a data subject’s confidential sensitive health details do not pass through the hands of the data subject truly shocking. But let’s not worry about such trifles: the data subject has given consent.
As explained in a previous blog, this consent procedure breaches some Data Protection Principles (e.g. excessive personal data are disclosed on subject access) and the process unfairly by-passes the statutory protection afforded to individuals by the Access to Medical Reports Act. (For a full description see the blog reference).
The problem is that the Insurance Industry approach towards “consent” can be generalised, especially as more and more services are personalised as they move on-line (or made “user-centric”, to use the jargon term). For instance, when you apply for a job, you might, in some future dystopian world, be asked to “consent” to a number of things (e.g. to allow others to look at your on-line bank accounts, your Facebook page, the “selfies” on your phone). You might even be asked to consent to issuing a subject access request to your previous employer, as references are not what they should be these days.
Of course you can decline to “consent”, with the obvious consequences for your employment prospects. In short, I think the arrangements that increasingly surround “data subject consent” expose the data subject to dubious practices.
Indeed, I can see a future where the practice of what I call “Home Office consent” (after Mr. Blunkett’s infamous ID Card) or “Hobson’s choice” consent could increase. For instance, when you go through airport security to catch your holiday flight you might be asked to go through a scanner. You have a choice: “consent” to be scanned or not go on holiday. The police “invite” you to an interview: they start the interview with the words “thank you for consenting to attend”.
In the UK, for instance, when you take out a personal loan, you are asked to consent to a number of things, including allowing a credit reference agency to disclose your name and address to third parties for debt tracing purposes. Such “consent” to disclosure, if one wants a personal loan or mortgage, is a classic example of “Home Office consent”. No consent, no loan.
Now I am not saying there should be no tracing of data subjects. Clearly there is a public interest in ensuring that data subjects are not overloaded with debt and that they honour their debts, especially in these economically stressed times. However, one wonders whether degrading the concept of “consent” is the best way to deliver this public interest objective.
Far better in my view is for such disclosures to be “necessary” for a contract with the data subject or perhaps “necessary” in the legitimate interests of a third party to whom the personal data are disclosed.
The reason for this? It ensures that the data controller, or the credit reference agency in this case, has to consider a test of “necessity” before making any disclosure. With the current arrangements, which depend on “data subject consent”, the disclosing party does not need to assess anything: disclosure can go ahead willy-nilly on a “consensual” basis.
The European Parliament achieves the inclusion of a much needed “necessity” test very simply. It states in its amended Article 7 that “The execution of a contract or the provision of a service shall not be made conditional on the consent to the processing of data that is not necessary for the execution of the contract.”
In current Data Protection Act Schedule 2 terms, the consent ground would become invalid, and any disclosure of personal data would then need to be legitimised by one of the other grounds, each of which is qualified by the words: “the processing is necessary …..”
The European Parliament amendment will also extend to any sensitive personal data obtained by “consensual” subject access routes.
That is why this amendment should be supported; perhaps even by UKIP!
Legal and General’s approach to subject access; follow the three forms on: http://www.legalandgeneral.com/advisercentre/protection/underwriting/tools/disclosure-evidence/
Previous blog on this variant of enforced subject access: http://amberhawk.typepad.com/amberhawk/2012/02/enforced-subject-access-raises-its-ugly-head-in-the-context-of-medical-insurance.html
Useful comparison between the European Parliament’s amendments and the original Regulation text: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN