You may need to get consent from people affected by the technology you plan to use. They must understand all the information they need to make their decision. This is called 'informed consent'.
Consent to care or treatment
People must usually give their consent before you give them care or treatment, whether or not it involves using technology.
- They must understand the benefits and risks of what you are asking them to consent to.
- They need to have made their decision of their own free will, without pressure.
- Someone's consent could be as simple as saying yes or rolling up their sleeve to have an injection.
If someone lacks the mental capacity give their consent, you must follow the best interests principle.
Consent to handling personal information
Using technology often involves collecting or recording information.
- When you handle personal information, you must comply with The General Data Protection Regulation (GDPR).
- Under GDPR, you must have a 'lawful basis' for handling information that's about individuals.
- Consent is one example of lawful basis. Consent to process personal data is different to consent to care or treatment, and follows different rules.
If someone lacks mental capacity, you may be able to obtain consent from someone appointed to make decisions for them. Otherwise you must find a different lawful basis to handle their personal information.
Consent must be clear and explicit
Consent to handling personal information must be "freely given, specific, informed and unambiguous". This is set out by GDPR.
When you ask for consent to process personal information, you must separate it clearly from other things. You can't hide your request in the small print.
You must tell the person:
- who you are and how to contact you
- how you will gather their information
- what type of information you will gather (or even the specific information)
- why you're gathering it
- how you'll use and access it
- who you are likely to share it with
- how long you'll keep personal data (or how you'll decide this)
- their rights under data protection law, including their right to withdraw consent
- if not giving their consent means you will not be able to provide a particular service to them.
You usually give this information in a written 'privacy notice'. But you can also say it to the person if that's more appropriate in the circumstances.
The person does not have to give their consent in writing. But they must give consent with a 'clear affirmative action'. This means they must opt in. You must keep records that show they gave their consent.
The person must give their consent freely
Where you need consent, it must be given freely. This means:
- the person giving consent must not feel pressured or forced to say yes
- you cannot use coercion or threat.
Consent cannot be freely given where there is a significant imbalance of power. For example, it would not be valid if a person felt they would be disadvantaged if they refused.
Refusal or withdrawal of consent
People have a right to change their minds and withdraw their consent later. It must be as easy for them to withdraw consent as it was to give consent in the first place.
You must respect any refusal or withdrawal of consent.
Think about what types of personal data you might collect
GDPR also sets out some 'special categories of personal data'. These are more sensitive things like race, politics, religion, health or sexual orientation.
You need to meet extra conditions to handle special category data.
Think about who else the technology might affect
It's important to think about whether the technology you plan to use will affect anyone else. For example, if you are recording sound or images you might record other people unintentionally.
Have you told these people you could be recording them? Have they given informed consent?
If you can't get or don’t need consent
In some circumstances, it might not be possible or appropriate to get consent.
There are also times you do not need it. For example, you might use a different lawful basis for collecting personal information. GDPR tells you what these are.
Get legal advice before you use technology to monitor people without their explicit consent.
If you do rely on consent, make sure you keep records that show evidence of the consent you’ve obtained.
Example 1
A person who receives care in her own home feels vulnerable and concerned about having carers in her house. She has raised this concern with the provider of her care. They suggest a CCTV system in her home. She can switch this on during visits from carers or at other times when she feels vulnerable. To make this lawful, the person receiving care would need to give her consent to her personal data being processed. Care staff attending the person’s home should be informed about the cameras. They are unlikely to need to give their consent.
Example 2
A hospital gives a patient a wearable device that monitors heartbeat, skin temperature and blood sugar. It means doctors can adjust medication levels to meet the patient's needs. This reduces the need for regular check-ups.
Because data on health is 'special category' data, the hospital asks for the patient's 'explicit consent' to process it.
To give explicit consent, the patient must have clear, straightforward and complete information on how the data will be collected and used. This includes any way the data might be shared or disclosed to third parties. The hospital must bring this to the patient's attention, so it's not hidden among other information. The patient must give their agreement. Their agreement has to be clear and unambiguous.
If the patient lacks mental capacity to consent and there's no one appointed to give consent on their behalf, the hospital will need a different lawful basis to process special category data. They might also need to seek a 'best interests' decision before they can give the device to the patient in the first place.