RCGP Safeguarding toolkit
The aim of this toolkit is to enhance the safeguarding knowledge and skills that GPs already have to enable them to continue to effectively safeguard children and young people, as well as adults at risk of harm.
Part 5: Information Sharing and multiagency working
Consent
Consent can be a complex issue and there can be a lot of misunderstanding amongst all agencies about how it is used. In health, consent needs to be considered under the common law duty of confidentiality. Consent is used in a different way in the common law and in data protection law and it is important to understand the differences and how each should be used. Consent is generally not relied upon as the legal basis for information sharing under data protection law.
Under the common law duty of confidentiality, consent may be explicit or implied.
- Explicit consent is given when a patient actively agrees, either orally or in writing, to the use or disclosure of information.
- Implied consent refers to circumstances in which it would be reasonable to infer that the patient agrees to the use of the information, even though this has not been directly expressed.
Under data protection law, consent has a different meaning and standard than under the common law duty of confidentiality.
Consent is defined in the UK GDPR as:
-
Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Additional ‘conditions’ for consent include the right to withdraw consent easily and at any time.
‘Consent’, as defined in data protection law, is therefore unlikely to be appropriate to use when sharing information for safeguarding purposes and it is not required under data protection law for sharing information in a safeguarding context.
Under the UK GDPR, consent is only one of the legally defined ‘lawful bases’ for handling personal information. A ‘lawful basis’ is a valid reason in data protection law for processing personal information.
In most safeguarding scenarios you will be able to find a more appropriate lawful basis than consent. There are six available, and the most appropriate ones for safeguarding purposes are likely to be public task, legitimate interests, legal obligation and vital interests. Using the right lawful basis means you can share all the information you need to, with an appropriate organisation or individual.
You can be confident that the two differing concepts of consent mean that you may lawfully share information for the purposes of safeguarding without consent as defined under data protection law, while still obtaining consent as defined and prescribed by common law.
It is also important to be aware that consent under the common law is not always necessary to share information for the purposes of safeguarding. As outlined below, there are other legal bases allowed by the common law to share information. These are particularly important in a safeguarding context.