I have been rather ambivalent about the debate over consent in Directive 95/46/EC and the proposed replacement Regulation (if it happens). However, the antics of the insurance industry in the UK in relation to subject access have convinced me that the European Parliament’s approach towards consent needs supporting.
So what has the insurance industry done to deserve reproach? Well, it has continued its practice of asking the data subject, when needed, to consent to a subject access request for their own medical records in relation to health insurance products. Although this is not strictly “enforced subject access” (which the Government says is to become a criminal offence in relation to criminal conviction personal data), it is fair to say it is a variant on the same theme.
Legal and General, for instance, explains that its “medical records subject access request” is not an enforced subject access request because the data subject “consents” to the process; such consent is fully informed and freely given (of course). These sensitive personal data are sent directly to the insurer, and the data subject does not see his own personal data unless he asks the insurer for them (see references).
Personally, I find the idea that the insurance industry can come up with a procedure by which a data subject’s confidential sensitive health details do not pass through the hands of the data subject truly shocking. But let’s not worry about such trifles: the data subject has given consent.
As explained in a previous blog, this consent procedure breaches some Data Protection Principles (e.g. excessive personal data are disclosed on subject access), and the process unfairly bypasses the statutory protection afforded to individuals by the Access to Medical Reports Act. (For a full description see the blog reference.)
The problem is that the insurance industry’s approach towards “consent” can be generalised, especially as more and more services are personalised as they move online (or are made “user-centric”, to use the jargon). For instance, when you apply for a job, you might in a future dystopian world be asked to “consent” to a number of things (e.g. to allow others to look at your online bank accounts, your Facebook page, or the “selfies” on your phone). You might even be asked to consent to issuing a subject access request to your previous employer, as references are not what they should be these days.
Of course you can decline to “consent”, with the obvious consequences for your employment prospects. In short, I think the arrangements that increasingly surround “data subject consent” expose the data subject to dubious practices.
Indeed, I can see a future where the practice of what I call “Home Office consent” (after Mr. Blunkett’s infamous ID Card) or “Hobson’s choice” consent could increase. For instance, when you go through airport security to catch your holiday flight you might be asked to go through a scanner. You have a choice: “consent” to be scanned, or do not go on holiday. The police “invite” you to an interview; they start the interview with the words “thank you for consenting to attend”.
In the UK, for instance, when you take out a personal loan you are asked to consent to a number of things, including allowing a credit reference agency to disclose your name and address to third parties for debt tracing purposes. Such “consent” to disclosure, if one wants a personal loan or mortgage, is a classic example of “Home Office consent”: no consent, no loan.
Now I am not saying there should be no tracing of data subjects. Clearly there is a public interest in ensuring that data subjects are not overloaded with debt and that they honour their debts, especially in these economically stressed times. However, one wonders whether degrading the concept of “consent” is the best way to deliver this public interest objective.
Far better in my view is for such disclosures to be “necessary” for a contract with the data subject or perhaps “necessary” in the legitimate interests of a third party to whom the personal data are disclosed.
The reason for this? It ensures that the data controller (the credit reference agency in this case) has to consider a test of “necessity” before making any disclosure. With the current arrangements, which depend on “data subject consent”, the disclosing party does not need to assess anything: disclosure can go ahead willy-nilly on a “consensual” basis.
The European Parliament achieves the inclusion of a much needed “necessity” test very simply. Its amended Article 7 states: “The execution of a contract or the provision of a service shall not be made conditional on the consent to the processing of data that is not necessary for the execution of the contract.”
In current Data Protection Act Schedule 2 terms, the consent ground would become invalid, and any disclosure of personal data would have to rely on another ground, each of which is qualified by the words “the processing is necessary …”.
The European Parliament amendment will also extend to any sensitive personal data obtained by “consensual” subject access routes.
That is why this amendment should be supported; perhaps even by UKIP!
References
Legal and General’s approach to subject access (follow the three forms): http://www.legalandgeneral.com/advisercentre/protection/underwriting/tools/disclosure-evidence/
Previous blog on this variant of enforced subject access: http://amberhawk.typepad.com/amberhawk/2012/02/enforced-subject-access-raises-its-ugly-head-in-the-context-of-medical-insurance.html
Comparison between the European Parliament’s amendments and the original Regulation text: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN
I share your fears, Chris, but I look at this issue through different glasses! I’m thinking aloud a little here, so please excuse me:
‘Home Office consent’, to which you refer, is what I refer to as “consent as a condition of business”. It’s not ‘consent’ in the DPA tradition, inasmuch as it can’t be refused. But, to be legitimate, I have always judged it against whether it would be deemed an unfair contract term. Many years ago, I judged it against the OFT’s ‘unfair contract terms’ guidance; more recently we have had other consumer legislation and the CPUTRs.
So, for example, requiring a loan applicant to consent to CAIS / industry data sharing was legitimised as there was government support for data sharing, to reduce the risk of consumers taking out numerous loans and becoming over-indebted. Readers may recall the suicides linked to credit card over-indebtedness of not that many years ago. It also seems fair to the credit industry that they can make some assessment as to whether the person will/can repay any such loan. So, whilst the loan terms might say “you consent to…”, it is not a ‘freely given’ consent. Indeed, use of the word ‘consent’ itself is something of a fiction; but arguably ‘consenting’ to pay 7.9% APR is also not consent, inasmuch as the rate and other loan terms are unlikely to be capable of being negotiated.
So, should we refer to such ‘consent’ as consent at all? It is ‘freely given’ in the sense of “I can take it or leave it”, but it does not allow a ‘pick and mix’ approach of which terms to accept and which to refuse. I think it more akin to a Sch 2 ‘legitimate interests’ processing condition, inasmuch as if it did not also meet the ‘legitimate interests’ processing condition test, it would likely be an unfair contract term; and if it was an unfair contract term it would be unenforceable.
As far as the “necessity” test under the new Regs is concerned, it will be interesting to see how this plays out. But the ICO has not taken action against ‘consent as a condition of business’ so long as it has met the fairness test; so one wonders whether things will change under the Regs?
Posted by: dw | 20/06/2014 at 09:20 AM