The General Data Protection Regulation (GDPR) will be applicable in less than a year, and experts are still discussing the extent to which the new regulation will have a significant impact upon the ‘legal basis’ requirement. However, as Bob Miller suggests in this guest blog post, reading and re-reading the GDPR may not be enough to understand what role ‘consent’ could or should have.

Here is what Bob writes:

The ICO’s guidance on the GDPR contains the helpful reminder that if you don’t have consent ‘you can rely on alternative legal bases to consent’ (ICO – Lawful Processing). However, it doesn’t mention that those alternatives apply to data protection law only, and not to what the ICO itself calls ‘the legal regime which… operates in parallel with the DPA’ (Information Commissioner’s Response). It is like an exam paper in two parts that gives instructions on how to answer one part but not the other. Even worse, the other part is kept out of sight and not mentioned at all.

The parallel regime is the law of the misuse of private information (MPI). The GDPR caters for it by ‘providing a margin of manoeuvre for Member States to specify its rules… including determining more precisely the conditions under which the processing of personal data is lawful’ (Recital 10).

MPI started life as part of the common law of confidentiality (CLC). Personal information CLC still exists as a separate cause of action but is for the most part subsumed by MPI. CLC depends on the existence of a relationship of confidence – or trust – ‘between the person who imparted the information and the person who received it’ (Naomi Campbell v MGN (2004), para 44).

That focus on relationships rather than the information itself has led to misapprehension. In particular, it has produced the common belief that if A shares information about B with C in confidence, C will owe a duty of confidentiality to A in respect of it. If you put yourself in the shoes of B, the person the information is about, you will see how wrong that is. A might be owed a duty of confidence as to the fact that she shared the information, but not in respect of the information itself.

Moreover, what if there is no confidential relationship whether express or implied – implied, for example, in the relationship between doctor and patient? What protects the information then?

The answer was given by Lord Hoffmann as long ago as 2004 in the case of Naomi Campbell v Mirror Group Newspapers. He said, ‘There have been two [recent] developments of the law of confidence… One has been an acknowledgement of the artificiality of distinguishing between confidential information obtained through the violation of a confidential relationship, and similar information obtained in some other way. The second has been the acceptance, under the influence of… article 8 of the European Convention, of the privacy of personal information as something worthy of protection in its own right’ (Campbell, para 46).

Lord Hoffmann added that the law (MPI) now ‘focuses upon the protection of human autonomy and dignity – the right to control… information about one’s private life and the right to the esteem and respect of other people’ (Campbell, para 51). That is a great objective indeed and data protection law by itself doesn’t always achieve it.

Going back to the doctor and patient, under data protection law by itself special category data can be processed by the doctor for medical purposes without consent. The provision is drafted generously in the DPA, even more so in the GDPR, in favour of data controllers (DPA Sch 3(8); GDPR Art 9(2)(h)). In some ways that is a very good thing, but what control does the patient have? What about his or her autonomy and dignity?

This is where MPI comes in. If an individual can reasonably expect information about her to be kept private (the threshold for MPI: see Campbell at para 21), it can normally only be processed – to use data protection terminology – with her informed consent. The alternatives to consent under MPI are few and apply infrequently. They are: statute expressly requires or permits the processing; or a court has ordered it; or it is a proportionate response to a pressing public interest need (for example, safeguarding) (see 3.89-90 of Law Commission Data Sharing). (Hence all the anxiety in the NHS and the Department of Health about the extent to which informed consent can properly be implied for the purposes of treatment and care (see, for example, Part 3 of NDG Review).)

In the case of health and social care the GDPR, exceptionally, specifically applies the Recital 10 room for manoeuvre by stipulating that those processing the data must be ‘subject to an obligation of secrecy under Member State law’ (Art 9(3)). In the UK that is MPI and because of it the doctor needs the patient’s freely given, specific and informed consent. But it is not just health and social care information that people can reasonably expect to be kept private under MPI. The information need not even be ‘special category’ as defined by the GDPR, Art 9(1). Financial personal information springs to mind.

All of this needs careful thought and application, but it has been ignored by the ICO as well as more widely. The ICO’s failure seems to stem from its conception of itself. Responding to a consultation paper, it says, ‘confidential information is generally not something for the ICO to comment on as the regulator responsible for the DPA. We do however have some comments about the context that this code will apply in… We are keen to ensure that the code acknowledges that organisations must take the requirements of the DPA into account as well as those of confidentiality’ (Information Commissioner’s Response).

The ICO does not practise what it preaches. It is blind to ‘the context that [the GDPR] will apply in’ and as a result its guidance is very misleading. The ICO describes itself as an ‘independent body set up to uphold information rights’. It should uphold all those rights, or make it very clear that it upholds some of them only, and say why it is selective.


Bob Miller

This post was first published on the Society of Computers & Law’s website. It is reproduced with thanks.


2 thoughts on “The GDPR, the parallel regime and the ICO”

  2. Thank you Bob for showing that the ICO has nothing to say about common law such as MPI.
    However I refer to “In the UK that is MPI and because of it the doctor needs the patient’s freely given, specific and informed consent.” This threatens to bring healthcare to a halt, and I don’t understand why such consent is needed as “The alternatives to consent under MPI are few and apply infrequently. They are: statute expressly requires or permits the processing…”
    You imply that such statutory permission is absent, but many in the NHS believe that it has this, and that healthcare is exempt under the GDPR in ways to be clarified e.g. by the BCS.

    Further, MPI has not so far addressed consent systems. For example, if the nation is informed by publicity incl. Fair Processing Notices of proposed uses, as part of a National Data Guardian policy of No-surprises in NHS use of data, how could a complaint proceed as “misuse” of personal information?
