The Data Protection Bill (“DPBill”) based on the General Data Protection Regulation (“GDPR”) will, hopefully, call time on what has always been a problem: controllers who believe that the delivery of health, education and social work public sector services has to rely on “data subject consent” for the processing of personal data related to those services.
When the DPBill is enacted, any reliance on consent creates a problem because when a data subject withdraws consent, there is an expectation that the processing of personal data will cease.
The proposition that data subject consent is needed to process such personal data for these public-sector tasks has, in my view, always been wrong, and this error is quite easy to expose. For example, suppose an NHS patient withdraws (or does not provide) consent for treatment as recommended by a health professional. Should the NHS controller keep personal data concerning the refusal of that consent? Obviously “yes”. And if the data subject refuses consent for these records to be processed, should the records be deleted? Obviously “no”.
In summary, public-sector controllers often conflate consent for the actual service (e.g. to undergo a specific medical procedure) with consent for processing of the personal data associated with that service (e.g. details of what happened in that procedure), when the two are distinct. The latter processing is necessary for the public tasks of a controller in order to demonstrate it discharged its duty to deliver services and that these services were refused/declined.
Another factor is that controllers processing personal data in these caring areas do not want their processing to be equated with the processing that relates to law enforcement or tax collection. For instance, if I contacted my Local Authority and withdrew consent for the processing of my personal data for Council Tax purposes, it would politely inform me that consent was not needed and the processing was justified in terms of being necessary for the public tasks of a public authority.
However, as will be seen, the fact that data subject consent is not needed does not mean that data subjects cannot be given an element of control over the processing of personal data. This is because the DPBill will contain a right to object (Article 21) to the processing of personal data which applies whenever the processing by a public body is necessary for its public task functions.
This right to object is completely different to the corresponding right to object under the DPA. Under Section 12 of the current DPA, the data subject has the right to obtain the cessation of the processing of his personal data if the processing is legitimised in terms of being necessary for the functions of a public body (i.e. an option in paragraph 5 of Schedule 2) and if the data subject can demonstrate that such processing causes actual (or likely) substantial unwarranted damage or substantial unwarranted distress.
The threshold of “substantial unwarranted” explains why few data subjects exercise this right; it is a high barrier to overcome (especially when the objection is to a public authority).
In the DPBill, the right to object also applies to that processing which is necessary for the functions or tasks of a public body; however, if there is an objection from the data subject, the onus is on the controller to show its reasons for processing outweigh the data subject’s objection.
Note that there is a reversal of the burden of proof: in the DPBill, a data subject will no longer have to demonstrate actual/likely substantial unwarranted damage/distress. Instead, Article 21 states that the onus is on the controller to show "compelling legitimate grounds" as to why the processing should continue.
This means that under the DPBill, in appropriate circumstances, a health, teaching or social work public sector controller can allow the data subject’s wishes that processing should cease to prevail (i.e. the controller stops processing). In other circumstances, the controller can argue its requirements to process personal data should prevail.
This means that social work and health bodies can safely (when the DPBill becomes law):
- Junk the notion that consent/explicit consent is the correct ground for the processing of social work, teaching and health personal data by public sector controllers for their public tasks.
- State that the correct ground is the Article 6 ground that processing is necessary for a public task (clause 7 of the DP Bill at the moment).
- Identify the circumstances when the controller will resist the exercise of the right to object to the processing (e.g. when personal data will continue to be processed despite the data subject’s objection to the processing – for instance, where there are concerns for child welfare or when records of a data subject’s refusal need to be kept).
- Allow the right to object to prevail in other identified circumstances.
In other words, a data subject consent model can be replaced with a fully informed “do you object” model (where the public sector Social Work, teaching or NHS health body can accept objections in appropriate circumstances defined by it).