With the introduction of the General Data Protection Regulation (GDPR) in May 2018, interest in the topic of privacy has skyrocketed. Misunderstandings have also proven persistent. One of them concerns the concept of 'consent': in common parlance, the word means something different from 'permission' as a lawful basis for processing personal data.
A common misconception is that consent must always be sought from the individual. For example, one institution had the client sign six times:
to record personal data;
as confirmation that the client has read the privacy statement;
to sign the service agreement;
to request information from third parties;
on the form 'declaration of right to access client file';
to close the file and move it to the archive.
When the GDPR was introduced in 2018, this institution appointed an HBO intern to implement the new legislation. After reading Art. 6 GDPR, he advised the receptionist to ask the client's permission to connect him to a social worker.
Then it was time to consult a privacy lawyer: could it be done differently? Yes, it can. There is only one situation where a signature is required: if the caregiver wants to request information from or provide it to a third party. The other signatures have been abolished because they are not required under the GDPR and only lead to red tape.
The misunderstanding about consent may arise because consent must always be present in assistance; that is what the voluntary nature of assistance entails: a person is informed of the possibilities for assistance, consents to it, and only then is it necessary to record personal data. After all, it is not possible to provide assistance without recording data. (1)
Consent to record data is not a requirement in the social domain. There are other legitimate bases for processing data. It must therefore first be clear what is allowed without the consent of the person concerned.
No permission is required:
to create a file;
to share data with directly involved colleagues when necessary for the purpose of proper treatment or care, in the best interest of the client (this should be interpreted narrowly), or for the management of the facility;
if the responsible party is required or authorized to provide personal data under a law;
in cases of conflict of duties, where the duty of confidentiality conflicts with the right to disclose data due to compelling interests of the client or another;
of a legal representative when a guardian or minor seeks free help and counseling services, such as the Children's Telephone.
Thus, permission is only needed if one wants to do something that is outside the regular operating procedure.
Asking consent from the data subject is cumbersome and is also a very shaky basis for processing and providing data. After all, consent can be revoked at any time and then the processing or disclosure must be stopped immediately. Even more important is the requirement that the consent must be freely given.
The definition of consent reads as follows: "any freely given, specific, informed and unambiguous expression of will by which the data subject signifies, by means of a statement or an unambiguous active act, his consent to the processing of personal data relating to him." (2)
The data subject must be fully informed in advance (informed consent), and the person responsible has the duty to prove this. In practice this usually means in writing, or in any case by a note in the file. Also make sure that the signature with which consent is given does not relate to other subjects as well, for example: 'herewith I declare that the form has been filled in truthfully and I agree with the conditions of service and the retrieval of data'.
Consent is lawful only if it is freely given. This is often not the case in the relationship between government and citizen or between care provider and care recipient. With the government we have a "compulsory" relationship, and towards the care worker the client is often in a vulnerable and dependent position. These relationships are not very equal. The legislator has recognized this. Recital 43 of the GDPR contains the following phrase about 'consent':
'To ensure that consent is freely given, consent should not be a valid legal basis for processing personal data in a specific case where there is a clear imbalance between the data subject and the controller, particularly where the controller is a public authority and this makes it unlikely that consent was freely given in all the circumstances of that specific situation.'
This is what makes it difficult: if a citizen needs a facility or assistance, an unequal, because dependent, relationship soon arises. The fact that social domain legislation mentions consent as a legitimate basis in various provisions is therefore highly debatable. (3) The legislator did not address this when the GDPR was introduced.
If the person in charge asks permission in incidental cases, it will have to be guaranteed that this permission is always freely given. In the social domain, that seems virtually impossible.
If consent is chosen as the lawful basis for data processing, retrieval or disclosure, the controller should always ask itself whether consent is the most appropriate basis and whether another basis may be applicable instead. Consent can only be a basis if the data subject is offered a genuine choice in terms of accepting or refusing the conditions offered without any adverse consequences.
The person giving consent must be fully informed and know what will happen to their data;
There is no unequal balance of power;
Personal data is used for a legitimate purpose;
The purpose for which consent is given is sufficiently specific and defined;
The data subject has been informed that he or she may withdraw consent at any time and the consequences of doing so;
The consent is in writing (not in the fine print of the terms and conditions);
The identity of the person giving consent is established;
The consent form is dated and signed.
Only when all of these conditions are met does it constitute the explicit consent required in the social domain. (4)
(1) According to the Personal Data Authority in its report "Processing Personal Data in the Social Domain: The Role of Consent," April 2016, pp. 7 and 11.
(2) Art. 4(11) GDPR.
(3) Consent can be found, among others, in the Participation Act art. 53a paragraph 2 part b, in the Wmo art. 3.4, 5.1.1, 5.2.1, 5.2.5, 5.3.3 and 5.3.6 and in the Youth Act art. 5.4, 7.3.11, 7.3.13 and 7.9.16.
(4) Art. 22(2) part a GDPR Implementation Act.
In August, the book Privacy in the Social Domain was published by Corrie Ebbers, Paulien Bunt, Sophie Vastenhout and Micha Venderbos. In it, extensive attention is paid to the misunderstandings in the social domain. Also see Corrie Ebbers' earlier blog on the processor in the social domain.