Recently, in a LinkedIn debate prompted by my My Health Record blog, I was asked a number of questions by people in the health and tech sectors, along the lines of whether or not the My Health Record’s ‘opt out’ approach is a valid consent (me: no, it’s not consent at all) – and if not, how is it legal (me: because the My Health Record system has its own legislation to authorise data flows, and does not need to rely on patient consent at all).
That then prompted much further furrowing of brows and asking of questions about why I believe an ‘opt out consent model’ is not appropriate / unethical / illegal in healthcare settings (note: I never said any of those things), and if so how on earth are companies supposed to manage their data if they need to ask for opt-in consent all the time?
Here’s an edited version of my response.
‘Opt out consent’ is an oxymoron. There is no such thing. I am not saying it is illegal or unethical, I am saying that anything premised on an ‘opt out’ basis is simply not ‘consent’ in the first place. Because to be valid under privacy law, a consent must be a proactive choice exercised by the individual. If you design a system which will do something with people’s data unless they opt out, you have no idea whether or not any given user has consciously chosen to stay in. You, as system designer or system owner, have no way of proving that the person made a choice to stay in, as opposed to being in without even realising it. Or, they might understand that they are ‘in’, but they have not read the fine print about precisely what you are planning to do with their data, and had they understood, they would not have agreed to it.
But that’s not the entire discussion about consent, managing data or system design.
I suggest thinking about things in a different way. Start by taking the word ‘consent’ out of the equation. Don’t even ask about consent to start with. Instead, my starting point is always to think about whether or not an organisation has the legal authority to collect, use or disclose an individual’s personal information. The precise answer will depend on which privacy law/s apply to that organisation, but typically, privacy principles offer multiple options for legally collecting, using or disclosing personal information. Only one of those grounds will be ‘with consent’.
Grounds on which personal information can be lawfully collected, used or disclosed might include for the primary purpose; for a directly related secondary purpose; for an approved research project in the public interest; for a law enforcement purpose; as authorised under another law; to find a missing person; to prevent a serious and imminent threat … you get the picture. It’s typically a long list. None of those grounds require the consent of the individual to whom the information relates.
Some of those grounds may work in a pragmatic sense on an ‘opt-out’ basis, such as if relying on a test worded something like ‘for a directly related secondary purpose within the reasonable expectations of the individual’. To ensure that your proposal is within the person’s reasonable expectations, you would give them a nice clear collection notice, and possibly allow them to opt out at that point. Just don’t use the word ‘consent’ to describe what you are doing in such a case.
But if the only legal basis on which your organisation can collect, use or disclose personal information is on the basis of first gaining the consent of the individual (i.e. if none of the other grounds will work for you), then you have to be very careful to ensure that you are gaining that consent in a legally valid way. Under Australian law, as under the GDPR, a valid consent must be proactive, voluntary, informed, specific, current, and given by a person with capacity. It must be as easy for the person to refuse or withdraw consent as it is to provide it.
When translated into system design, that can only mean ‘opt in’. Whether a paper form or an online method, that means a truly optional, not-pre-ticked box that says “Yes I want you to do X with my data”. The default setting must be that unless the user proactively ticks the box to say ‘yes’, then their answer is ‘no’.
Further, for a consent to be considered genuinely voluntary, the user who has chosen not to tick the box must not suffer a penalty. They should still be able to receive the primary good or service they are asking for. When we run privacy training, I describe asking for consent as the “Would you like fries with that?” moment. The customer must be free to say yes or no to the fries, and still receive their burger.
Nor can consent be inferred by telling people in a collection notice, Privacy Policy, buried in the fine print on your website or anywhere else that “by continuing to use our service, you are consenting to…”. That’s not a valid consent. Even if they could be bothered to read your fine print (and let’s face it, almost no-one will), the person has no choice to say ‘no’ and still use your service.
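The design rules above, as an added illustration in code that is not part of the original post: a lawful-basis-first processing check which consults a consent ledger only when consent is the ground being relied on, refuses to store a pre-ticked or bundled ‘consent’ as a grant, treats silence as ‘no’, keeps a consent specific to one named purpose and current, lets a later withdrawal override an earlier grant, and still serves the primary purpose (the burger) whatever the answer about the fries. The class and function names, the purposes, the one-year validity window and the sample events in `demo()` are all assumptions constructed for the example; the legal tests behind the non-consent grounds sit outside it.

```python
"""Lawful-basis-first processing check with an opt-in-only consent ledger.

Added example, not code from the original post. All names, the purposes,
the one-year validity window and the sample events in demo() are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class LawfulBasis(Enum):
    """A few of the grounds privacy principles typically offer; consent is one."""
    PRIMARY_PURPOSE = "primary purpose"
    RELATED_SECONDARY = "directly related secondary purpose, within reasonable expectations"
    APPROVED_RESEARCH = "approved research project in the public interest"
    AUTHORISED_BY_LAW = "authorised under another law"
    CONSENT = "with consent"


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str      # specific: one named purpose, never "all uses"
    granted: bool     # True = opt-in ticked; False = refusal or withdrawal
    explicit: bool    # the user acted; False means a pre-ticked default
    bundled: bool     # True if "consent" sat inside mandatory T&Cs
    at: datetime


@dataclass(frozen=True)
class ProcessingRequest:
    user_id: str
    purpose: str
    basis: LawfulBasis
    notice_given: bool = False   # collection notice shown (opt-out approach)
    opted_out: bool = False      # user took the opt-out offered with the notice


class ConsentLedger:
    """Append-only log; the latest event per (user, purpose) decides."""

    def __init__(self, validity: timedelta) -> None:
        self._events: list[ConsentEvent] = []
        self._validity = validity   # consent must be current, so grants age out

    def record(self, ev: ConsentEvent) -> None:
        # A pre-ticked box or a "by continuing you consent" clause is not a
        # consent at all, so a grant arriving that way is refused, not stored.
        if ev.granted and (not ev.explicit or ev.bundled):
            raise ValueError("opt-out defaults and bundled terms are not consent")
        self._events.append(ev)

    def has_consent(self, user_id: str, purpose: str, now: datetime) -> bool:
        mine = [e for e in self._events
                if e.user_id == user_id and e.purpose == purpose]
        if not mine:
            return False                      # silence is 'no'
        latest = max(mine, key=lambda e: e.at)
        return latest.granted and now - latest.at <= self._validity


def may_process(req: ProcessingRequest, ledger: ConsentLedger, now: datetime) -> bool:
    """Ask 'what is the legal authority?' first; consult consent only if it is the answer."""
    if req.basis is LawfulBasis.CONSENT:
        return ledger.has_consent(req.user_id, req.purpose, now)
    if req.basis is LawfulBasis.RELATED_SECONDARY:
        # An opt-out approach is fine on this ground, but it is not consent:
        # the notice and the chance to opt out go to reasonable expectations.
        return req.notice_given and not req.opted_out
    # Primary purpose, research exemption, legislated scheme: the authority
    # comes from that ground and its own tests, which sit outside this check.
    return True


def demo() -> dict[str, bool]:
    """Constructed sample run; returns each check's outcome by name."""
    now = datetime(2018, 12, 13, tzinfo=timezone.utc)
    ledger = ConsentLedger(validity=timedelta(days=365))
    out: dict[str, bool] = {}
    marketing = ProcessingRequest("u1", "marketing email", LawfulBasis.CONSENT)

    try:  # a pre-ticked box arrives as 'granted' but not explicit
        ledger.record(ConsentEvent("u1", "marketing email", True, False, False, now))
        out["preticked_stored"] = True
    except ValueError:
        out["preticked_stored"] = False
    out["silence_is_no"] = may_process(marketing, ledger, now)
    # the burger still comes: the primary purpose never depended on the fries
    out["burger_served"] = may_process(
        ProcessingRequest("u1", "fulfil order", LawfulBasis.PRIMARY_PURPOSE), ledger, now)
    ledger.record(ConsentEvent("u1", "marketing email", True, True, False, now))
    out["optin_ok"] = may_process(marketing, ledger, now + timedelta(days=1))
    out["scope_leak"] = may_process(   # consent to marketing is not consent to research
        ProcessingRequest("u1", "research", LawfulBasis.CONSENT), ledger, now + timedelta(days=1))
    ledger.record(ConsentEvent("u1", "marketing email", False, True, False, now + timedelta(days=30)))
    out["withdrawn"] = may_process(marketing, ledger, now + timedelta(days=31))
    ledger.record(ConsentEvent("u2", "marketing email", True, True, False, now))
    out["stale"] = may_process(
        ProcessingRequest("u2", "marketing email", LawfulBasis.CONSENT), ledger, now + timedelta(days=366))
    out["optout_offered"] = may_process(
        ProcessingRequest("u1", "service improvement", LawfulBasis.RELATED_SECONDARY,
                          notice_given=True), ledger, now)
    out["optout_taken"] = may_process(
        ProcessingRequest("u1", "service improvement", LawfulBasis.RELATED_SECONDARY,
                          notice_given=True, opted_out=True), ledger, now)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {ok}")
```

The point of the shape is that `may_process` never asks "did they consent?" until it has asked "on what ground?"; only the `CONSENT` branch touches the ledger, and the ledger itself will not hold a grant that was not an explicit, unbundled act by the user.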
I then pointed my online questioners to another blog containing nine truth bombs about consent, collection notices and privacy policies, and I assumed I had masterfully cleared up their misunderstandings.
But no. One guy working deep in the health research sector came back asking me yet again about ‘opt out consent’. He was trying to understand when ‘opt out consent’ would be OK, because he had been following advice saying it was OK. After beating my head against my desk a couple of times, I followed the links he provided, to the Royal Children’s Hospital Melbourne. Oh the horror! Their website talks about ‘opt out consent’! No wonder the poor guy was confused.
Here’s the problem. The hospital website repeatedly uses the language of ‘opt out consent’, when what they really mean is an ‘opt out approach’. The website, which is offering advice on research governance and ethics, ties itself in linguistic knots, by talking about ‘opt out consent’ and then saying that it is “unlikely to constitute consent if you are applying Commonwealth privacy legislation”. So, they are saying that here is a kind of consent that will not constitute consent?
I then heard the same oxymoron about ‘opt out consent’ uttered in a radio interview by the operator of clinical registries at Monash University, in response to another person claiming that privacy laws posed a barrier to sharing critical information about patients with medical implants. I wanted to scream at both of them. Why so many misconceptions about privacy law?
The RCHM website says “For more information about opt out consent, see Chapter 2.3, 2.3.5 – 2.3.6 of the National Statement”. By that they mean the National Statement on Ethical Conduct in Human Research. Of course, if you look at the National Statement, it doesn’t talk about ‘opt out consent’ at all. It talks about an ‘opt out approach’. And it makes clear that opt out is not consent.
And yes, of course there are circumstances in which an ‘opt out approach’ will be legally valid under privacy law, such as if the ground on which you are seeking to collect, use or disclose personal information is a research exemption which allows projects to proceed without consent, subject to various other tests. Or where the personal information is collected under a legislated scheme, which is typically the case for cancer registries, as another example.
Just don’t call it consent. Because ‘opt out’ is not consent.
(UPDATED 13 December 2018: The Hospital’s website has since been changed, with the page about ‘opt out consent’ referred to above now removed, and replaced with a new page about ‘opt out approach’. Hurrah, and kudos to RCH.)
Likewise, bundled terms are not consent. Mandatory T&Cs are not consent.
Indeed, the world is only just waking up to the implications of this little truth bomb: The GDPR does not allow you to obtain consent via mandatory T&Cs.
If the user has to click “I accept” before they can access your service, buy your product or download your app, you cannot describe what the user has just done as ‘consent’.
Just imagine how many online services a typical consumer uses, which for years have claimed to be gathering their customers’ consent via mandatory T&Cs, or via a privacy statement. (For a one-word explanation as to why so many businesses operate this way, see ‘America’. For a longer explanation, see this blog.)
Now imagine how many of those businesses are scrambling to deal with the implications of the GDPR. Especially now that regulators are starting to enforce it. (Australian privacy law says all the same things about consent, and has done for years, but it isn’t obviously enforced, and doesn’t get the same kind of airplay that the GDPR does.)
The UK privacy regulator, ICO, has told the publishers of The Washington Post that their cookie policy does not meet the requirements for a valid ‘consent’, because only the highest paying subscribers were given a choice to accept or reject the use of tracking cookies; others were not offered a genuine choice to say ‘no’ to the cookies, and still access the newspaper.
Even more significantly, a recent decision by the French privacy regulator, CNIL, rejected the practice of ‘bundling’ consent into T&Cs. Robust enforcement of the consent requirements in privacy law has the potential not only to remake the entire adtech market for online behavioural advertising, but to overturn the business models of Facebook and Google, and remake the media landscape for the better. I can only hope.
But in the meantime, is it too much to expect institutions handling clinical data in Australia to educate themselves and their researchers properly about what privacy law does and does not allow? They might be pleasantly surprised.