Consent or Public Task?
(This page reflects my own analysis of this subject, which I've discussed at length with a number of people, but which hasn't yet been formally validated by specialists in the field. Given the sensitivity of the issue, I'd welcome comments on this section in particular.)
Consent (GDPR Art. 6 (1)(a) and Art. 9 (2)(a)) is the most widely understood and accepted lawful basis for processing. However, to be valid, the consent must be freely and explicitly given and capable of being withdrawn at any time.
“Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.” (ICO website)
“Take care to get [your lawful basis for processing] right first time – you should not swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.” (ICO website)
Much of the information we're discussing here will be processed under the lawful bases of Public Task (Art. 6 (1)(c) and (e)), vital interests (Art. 9 (2)(c)) and/or health and social care (Art. 9 (2)(h)). Since these are lawful bases for processing (including sharing) in their own right, consent to share is not required. This doesn’t appear to be universally understood.
For example, TLAP's report on Data for People implies a belief that consent is required for all cases of data sharing. The right to opt out is referenced several times, highlighted in green in my annotated copy of the report. This view seems to be shared by many professionals. “Caldicott 2” refers to information sharing for direct care on the basis of implied consent. This was published in 2013, so predates GDPR and the Data Protection Act by five years, but is still being used as a point of reference by professionals – see, for example, the NDG "Barriers to information sharing" survey and the General Medical Council's data sharing guidance. NHS England’s Guide to confidentiality in health and social care, although last updated in 2022, still references a pre-GDPR confidentiality/data sharing regime.
In reality, GDPR-compliant consent - particularly consent which complies with Art. 9 (2)(a) - is simply too cumbersome for the urgent needs around health and care (or emergency services) data sharing. This is reinforced by the ICO's advice on data sharing in an urgent situation or in an emergency and by PFD reports, none of which imply that consent is required for the many scenarios in which they call for data to be shared.
Given the sensitivity of health and care information, if consent were required, it would presumably need to be “explicit consent” under GDPR Art. 9 (2)(a), which effectively states that implied consent isn't enough. In general, explicit consent isn’t sought for professional data sharing in health and social care. Current professional data sharing mechanisms, including the Summary Care Record and Shared Care Record, must therefore be operating under Art. 9 (2)(h).
Nevertheless, TLAP's statement that "data sharing requires trust – that data will be shared safely and appropriately. At present, people have real concerns about how their data is being shared, which is leading to mistrust" (p.10) is entirely valid, and needs to be given due weight alongside the alternative lawful bases to consent.
This is reinforced by the public engagement report (National engagement on data: cohort 2 report) published in June 2025, which sets clear expectations for tiered access and role-based access control, and highlights a specific desire to be able to "flag specific pieces of data they don’t want to see shared" (p.23). The report also demonstrates that the more people understand about the detailed benefits and risks of professional data sharing, the more supportive they are of it.
In other words, whichever lawful basis is relied on, it’s still vitally important to build and maintain public confidence in the way we hold, use and share data – even more so because of people’s repeated poor experience of data being shared (or not shared), because of the lack of clarity around consent vs public task, and because of negative and alarmist media coverage about data sharing issues.
Key lines of enquiry
Following through on the issues discussed under Consent or Public Task?, my questions are:
To what extent does the common law duty of confidentiality still apply to health and care information, given the provisions in GDPR?
From a legal, ethical and practical point of view, is it reasonable to share confidential data with professionals under GDPR Art. 9 (2)(h) without reference to the question of consent?
Does GDPR Art. 9 (2)(h) (health and social care) ("...the management of health or social care systems and services...") and/or Art. 89 (1) (statistical purposes) allow for service planning?
If so, what steps should be taken to inform, educate and reassure the public about this, and indeed professionals, particularly where they still focus on the common law duty of confidentiality?
Investigate the above questions by engaging with:
Information Commissioner’s Office
Office of the National Data Guardian/UK Caldicott Guardian Council
[The above two are my top priority contacts]
Think Local Act Personal (TLAP)
LGA/ADASS
DHSC/NHS England
Health and Care Information Governance Panel (if it still exists)
Health and social care Strategic Information Governance Network