Duncan Lewis

Family Law

know matters can be both

highly sensitive and confusing

Mental health policy has to take explicit consent of individuals on data usage by firms

Date: (7 May 2013)    |    

Total Comments: (0)    |    Add Comments

The best practice for processing data from individuals with mental health problems under the Data Protection Act (1998) was published last month which sets out the best practices for dealing with sensitive personal data about an individual’s mental health.
The briefing note is only for guidance which applied by firms would more likely be viewed favourably when treating customers fairly’ and ‘irresponsible lending’ are being evaluated. It gives an insight on how the Information Commissioner’s Office ICO was likely to view best practice in processing personal data if the matter is referred.
Unless an individual knows from the outset what their information will be used for, they are not in a position to make an informed decision. The briefing note therefore recommends that best practice is to obtain explicit consent from an individual before processing data about their mental health.
If firms are to be able to explain in a consistent and accurate way how sensitive information about an individual's mental health is to be recorded and processed, they will need to have a written mental health policy. Firms will also need to have trained their staff in how to explain the policy and to obtain explicit consent.
The briefing note makes it clear that a firm should not assume that the individual giving information is already aware of how his data was going to be used by the firms and that meaning they are not required to give any explanation. The ICO says 'getting' a message out to creditors about the importance of being clear and transparent about how customers' personal data will be processed is extremely important.
Just because the data is processed is meant for legal action and assuming an explicit consent is not required as it is exempt under the Data Protection Act for the reasons in relation to legal proceedings or defending legal rights then sensitive personal data can be processed without explicit consent. But, the ICO has stated that this was only a very narrow exemption and that it could easily be misinterpreted to mean something wider. The exemption needs 'more than just the possibility of legal action; it requires the decision to take legal action to have already been made.
Most firms processing sensitive personal data want to be able to establish a process to cover the majority of cases, and not have to worry about whether or not their general process will hold up when cases are looked at on their individual facts.
The safest option, therefore, may be to review the general policy and change it so that seeking of explicit consent becomes as a matter of course. Only where it cannot be obtained should firms look at whether the legal or any other exemption applies. The firms should have a written mental health policy if they don’t have one and if they have one then check if it asks for explicit consent in all cases and not rely on assumption of consent.
A mental health policy document should be a 'live' document, so that results of audits can be implemented together with input from related areas such as complaints. The policy should be reviewed regularly, as the guidance given in this area is changing constantly. This will ensure firms mental health policy remains up-to-date and reflects current working practices.