Find out if you need consent to use technology as part of someone's care

Page last updated: 26 April 2022
Organisations we regulate

You may need to get consent from people affected by the technology you plan to use. They must understand all the information they need to make their decision. This is called 'informed consent'.

Consent to care or treatment

People must usually give their consent before you give them care or treatment, whether or not it involves using technology.

  • They must understand the benefits and risks of what you are asking them to consent to.
  • They need to have made their decision of their own free will, without pressure.
  • Someone's consent could be as simple as saying yes or rolling up their sleeve to have an injection.

If someone lacks the mental capacity give their consent, you must follow the best interests principle.

Consent to handling personal information

Using technology often involves collecting or recording information.

  • When you handle personal information, you must comply with The General Data Protection Regulation (GDPR).
  • Under GDPR, you must have a 'lawful basis' for handling information that's about individuals.
  • Consent is one example of lawful basis. Consent to process personal data is different to consent to care or treatment, and follows different rules.

If someone lacks mental capacity, you may be able to obtain consent from someone appointed to make decisions for them. Otherwise you must find a different lawful basis to handle their personal information.

Consent must be clear and explicit

Consent to handling personal information must be "freely given, specific, informed and unambiguous". This is set out by GDPR.

When you ask for consent to process personal information, you must separate it clearly from other things. You can't hide your request in the small print.

You must tell the person:

  • who you are and how to contact you
  • how you will gather their information
  • what type of information you will gather (or even the specific information)
  • why you're gathering it
  • how you'll use and access it
  • who you are likely to share it with
  • how long you'll keep personal data (or how you'll decide this)
  • their rights under data protection law, including their right to withdraw consent
  • if not giving their consent means you will not be able to provide a particular service to them.

You usually give this information in a written 'privacy notice'. But you can also say it to the person if that's more appropriate in the circumstances.

The person does not have to give their consent in writing. But they must give consent with a 'clear affirmative action'. This means they must opt in. You must keep records that show they gave their consent.

The person must give their consent freely

Where you need consent, it must be given freely. This means:

  • the person giving consent must not feel pressured or forced to say yes
  • you cannot use coercion or threat.

Consent cannot be freely given where there is a significant imbalance of power. For example, it would not be valid if a person felt they would be disadvantaged if they refused.

Refusal or withdrawal of consent

People have a right to change their minds and withdraw their consent later. It must be as easy for them to withdraw consent as it was to give consent in the first place.

You must respect any refusal or withdrawal of consent.

Think about what types of personal data you might collect

GDPR also sets out some 'special categories of personal data'. These are more sensitive things like race, politics, religion, health or sexual orientation.

You need to meet extra conditions to handle special category data.

Think about who else the technology might affect

It's important to think about whether the technology you plan to use will affect anyone else. For example, if you are recording sound or images you might record other people unintentionally.

Have you told these people you could be recording them? Have they given informed consent?

If you can't get or don’t need consent

In some circumstances, it might not be possible or appropriate to get consent.

There are also times you do not need it. For example, you might use a different lawful basis for collecting personal information. GDPR tells you what these are.

exclamation mark icon

Get legal advice before you use technology to monitor people without their explicit consent.

If you do rely on consent, make sure you keep records that show evidence of the consent you’ve obtained.