Mental health and best practice: Appropriately processing data from individuals with mental health problems under the Data Protection Act (1998)

Mental health and best practice: Appropriately processing data from individuals with mental health problems under the Data Protection Act (1998)


Author: Jenny Ogden

The joint Money Advice Liaison Group (MALG) and Royal Collage of Psychiatrists (RCP) brefing note on appropriately processing data from individuals with mental health problems was released on 4 April 2013.

Briefing Note 4 sets out recommended best practice for dealing with sensitive personal data about an individual's mental health, and contains very useful quotes from the Information Commissioner's Office (ICO), as well as input from interested groups such as the Office of Fair Trading (OFT).

Previous briefing notes have been supported by the FSA, OFT and other industry groups, so it is likely this one will be, too.

While the briefing note is 'guidance' only, firms which take that guidance on board are more likely to be viewed favourably when Treating Customers Fairly and Irresponsible Lending are being evaluated.

Also, this briefing note contains an insight into the way the ICO is likely to view best practice in processing personal data should the matter be referred, so it is worth reading for that alone.

The briefing note opens with an executive summary and the key messages MALG and RCP want to get across, while the input from the ICO carries a very clear message: firms must be very transparent about how they are going to process sensitive personal data concerning a person's mental health.

Unless an individual knows from the outset what their information will be used for, they are not in a position to make an informed decision. The briefing note therefore recommends that best practice is to obtain explicit consent from an individual before processing data about their mental health.

If firms are to be able to explain in a consistent and accurate way how sensitive information about an individual's mental health is to be recorded and processed, they will need to have a written mental health policy. Firms will also need to have trained their staff in how to explain the policy and to obtain explicit consent.

You may be thinking that it is obvious that when a person has disclosed a mental health condition to you that they want you to record it, or that your usual written/oral privacy notice is enough. But the briefing note says otherwise, and is supported in this by the ICO.

The briefing note makes clear that a firm should not assume that it will be reasonably obvious to an individual, who shares information about their mental health, how that data will be processed, and should not, therefore, conclude that an explanation is not required.
The ICO says 'getting' a message out to creditors about the importance of being clear and transparent about how customers' personal data will be processed is extremely important.

It goes on to say: "If individuals know at the outset what their information will be used for, they will be able to make an informed decision about whether to enter into a relationship. Assessing whether information is being processed fairly depends partly on how it is obtained."

So firms are on notice that if they continue to assume understanding and consent - rather than explain and obtain explicit consent - they will be in danger of the ICO saying the processing of that information is unfair, due to the way it was obtained.

You may also be thinking that as you are processing the data for debt collection, you do not need to get explicit consent because it is exempt, as the processing is necessary for legal action. There is a legal exemption under the DPA, which provides that where processing is 'necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights', then sensitive personal data can be processed without explicit consent.

However, the ICO has stated that this is only a very narrow exemption and that it could easily be misinterpreted to mean something wider. The exemption needs 'more than just the possibility of legal action; it requires the decision to take legal action to have already been made'.

No doubt solicitors and barristers specialising in data protection could have a field day with the interpretation of the exemption and the words of the ICO, based on the facts of individual cases in which explicit consent was not obtained.

But most firms processing sensitive personal data want to be able to establish a process to cover the majority of cases, and not have to worry about whether or not their general process will hold up when cases are looked at on their individual facts.

The safest option, therefore, may be to review your general policy and change it so that explicit consent is sought as a matter of course. Only where it cannot be obtained should firms look at whether the legal or any other exemption applies.

Firms will also need to review their process for evaluating what information is recorded, and for ensuring that that information remains pertinent and up-to-date. The briefing note makes clear that only the minimum necessary information should be held; that it should be held for only so long as is necessary; and if that requires information to be held over an extended period, it should be routinely checked to ensure it remains accurate and up-to-date.

So what do you need to do?

Look very closely at what you have in place at the moment. If you do not have a written mental health policy, write one!

If you already have a mental health policy, check you are asking for explicit consent in all cases, not simply relying on the assumption of consent.

Check how you maintain the accuracy of the information you store, how you audit the policy, and your processing. It is no longer good enough to do the job correctly; you have to be able to prove you are doing the job correctly.

This means maintaining records showing you have complied with the policy, auditing to monitor compliance, and ensuring adequate training for staff so they are doing it properly. It is no good having a fabulous written policy if no one follows it.

Although basic mental health awareness training for all staff is a good idea, you may want to limit follow-on training to designated people, so they become specialist, rather than rolling out training to all employees.

You may also want to look at establishing a referral chain for more complicated matters, where an employee has either been unable to obtain explicit consent or should a case requires more specialist handling due to the nature of the mental health problem.

A mental health policy document should be a 'live' document, so that results of audits can be implemented together with input from related areas such as complaints. The policy should be reviewed regularly, as the guidance given in this area is changing constantly. This will ensure your mental health policy remains up-to-date and reflects current working practices.

The briefing note may well only suggest what best practice should be, but the ICO input and the likelihood that it will be supported by industry regulators and other interest groups mean firms ignore it at their peril.

Note: Briefing Note 4 - Appropriately processing data from individuals with mental health problems under the Data Protection Act (1998)