Is consent required by law?

While it is always best to obtain consent whenever this is reasonably practicable, legally consent is not always necessary. This station will lead you through the relevant legal framework and will provide guidance on when the law requires consent to be obtained.

Is consent required under the Data Protection Act 1998?

Anonymous data

The Data Protection Act 1998 (DPA) only applies to ‘identifiable data.’ This means that if your research project only uses anonymous data which will not become identifiable even if linked with another dataset, then the DPA will not apply and therefore you will not have to seek consent under the Act.

Identifiable data

However, even if you are using identifiable data the DPA does not provide that consent must always be obtained in order for the data to be lawfully processed. The conditions for processing personal data are set out in schedule 2 and schedule 3 of the DPA. As health data is sensitive personal data under the DPA, at least one condition from both schedule 2 and 3 must be satisfied in order for the data to be processed fairly and lawfully under the Act.

Consent is one of the conditions for processing under schedule 2, and explicit consent is a condition under schedule 3. This means that if you have the explicit consent of an individual to use their personal data for your research purposes, then you will be acting in accordance with the DPA. However, consent is only one of the conditions for processing, and it may be possible to justify your data use under the DPA without having to obtain consent.

Schedule 2: the legitimate interests condition

Under schedule 2, the most relevant condition for processing personal data for research purposes other than consent is the ‘legitimate interests condition.’ This condition is intended to permit the processing of personal data when there is a legitimate interest in such processing and when certain requirements are met.

These requirements are:

  • The data must need to be processed for your legitimate interests or for those of a third party to whom you disclose it.
  • These interests must be balanced against the interest(s) of the individuals concerned: the legitimate interests condition will not be fulfilled if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Where there is a serious mismatch between your interests and the interests of the individual, the interests of the individual will come first.
  • The processing of information must be fair and lawful and must comply with all the data protection principles.

Essentially therefore, in the context of health research, the legitimate interests condition requires a balancing act between the interests of the data subject and the interests of the public in the research project being completed. For more information see the guidance pages on confidentiality and public interest.

Schedule 3: necessary for medical purposes

Under schedule 3 there are two conditions for processing other than ‘explicit’ consent which can be used to justify the processing of sensitive personal data. One of these is that the processing is ‘necessary for medical purposes’: s33 of the DPA provides that the term ‘medical purposes’ includes medical research.

Schedule 3: processing carried out in circumstances specified in an order made by the Secretary of State

The other schedule 3 condition which can be used to justify the processing of sensitive personal data is that the processing is carried out in circumstances which are specified in an order made by the Secretary of State. In accordance with this condition, additional conditions for the processing of sensitive personal data are set out in the Data Protection (Processing of Sensitive Personal Data) Order 2000. The effect of this is to permit the processing of sensitive personal data for a range of other purposes, normally those which are substantially in the public interest.

The most relevant condition in the Order for the purposes of the secondary use of health data for research purposes is in paragraph (10) of the schedule to the Order, which provides that sensitive personal data can be processed if the processing (a) is in the substantial public interest, (b) is necessary for medical purposes (defined in the DPA s33), (c) does not support measures or decisions with respect to any particular data subject otherwise than with the explicit consent of that data subject, and (d) does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.

For more information please see the guidance page on ‘conditions for processing personal data.’


Is consent required under the Human Rights Act 1998?

Obtaining the consent of the data subject to use their personal data ensures that you comply with the Human Rights Act 1998 (HRA), as you cannot be said to have breached article 8 of the European Convention on Human Rights, the right to respect for private and family life.

However, as article 8 is not an absolute right, the use of personal data without consent will not necessarily amount to a breach of the right. Article 8 is a qualified right in that it allows a public authority to interfere where that interference is (1) in accordance with the law, (2) in pursuit of a legitimate aim, and (3) necessary in a democratic society. Essentially this means that if there is a competing public interest which can be used to justify an interference with individual privacy, then article 8 will not have been breached. In the context of the secondary use of data for research purposes, this means that if the use of personal data without consent can be justified with reference to a competing public interest, there will be no article 8 breach and therefore no breach of the HRA.

For more information please see the guidance page on the ‘Human Rights Act 1998.’


Is consent required under the common law of confidentiality?

Obtaining the consent of an individual to use their personal data ensures that you have not breached any obligation of confidence owed to that individual.

However, confidentiality is not an absolute right. It has long been established that acting in the ‘public interest’ is a defence to an action of breach of confidence. This means that if your proposed use of the data can be shown to be in the public interest, you may be able to justify using the data without consent.

For more information please see the guidance page on the ‘common law of confidentiality.’
