This is the organisation’s formal Consent Policy.
This policy outlines when the NHS Counter Fraud Authority (NHSCFA) will rely on consent as the legal basis for processing your data. It informs you when your consent will be obtained in line with the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018.
This policy only applies where separate, specific consent is required to process your personal information, for those enquiries that fall outside the scope of NHSFCA’s business as usual where another lawful basis of processing is relied upon, or where personal information is voluntarily provided (consented to) to enable enquiries to be responded to.
Consent is one of the grounds for lawfully processing personal data under the GDPR and DPA 2018.
Under GDPR, the concept of consent has been strengthened with some new rules that require organisations to be more transparent.
It states that your consent must be freely given, be specific, informed and unambiguous; it must be given by either ‘a statement’ or ‘clear affirmative action’.
GDPR introduced a number of other changes, namely:
NHSCFA processes personal data as defined in GDPR Article 6 (1), under Part 2 of the DPA 2018 on the basis that the processing is necessary and in line with what can reasonably be expected when personal information is provided for general purposes. This includes but is not limited to; responding to requests and enquires, investigating complaints, processing applications, securing goods and services or for corporate administration purposes such as maintaining our records and accounts.
Where your consent is given, NHSCFA must keep clear records to demonstrate this. The provision of consent must:
It must be as easy for you to withdraw consent as it was for you to provide it. You therefore must also be informed when giving consent, the process for withdrawing it.
Consent may be used by NHSCFA in some of the following areas:
Where your consent is being used as the basis for processing, you need to be fully informed of the process. Where personal and sensitive information is processed within NHSCFA on that basis you will be:
In cases where consent has been used as the legal basis for processing data, the consent should:
In certain circumstances, you may wish for someone else to act on your behalf in dealing with the NHSCFA. When this is the case and you inform us of this, we will take the following steps to obtain and record your consent.
We will issue a third-party consent form for completion (see Appendix A). It has been developed to include all the requisite information and identify the risks to you in providing consent for others to receive your information or give information on your behalf.
Following receipt of the signed consent form an acknowledgement will be sent, confirming receipt and the date from which the consent is to be applied (usually the date of the form’s receipt). It will also confirm whom the information will be issued to.
Written confirmation will be sent to your nominated person or organisation (‘the third party’) informing them that they have been nominated by you to receive correspondence from NHSCFA (see Appendix B). It will also advise the nominee to contact us, should they have any issues with the nomination.
Once the respective matter has concluded, the validity of the third-party consent will automatically lapse.
There are no specific provisions within GDPR regarding an individual’s capacity to consent. Generally, it is to be assumed that you have the capacity to consent, unless the NHSCFA has reason to determine otherwise.
Individuals who ‘lack capacity’ are unable to give consent, informed or otherwise. NHSCFA are NOT able to determine if capacity is an issue and therefore, we will rely solely on your nominated representative or other professional to inform us if capacity is an issue.
Where it is identified that an individual potentially lacks capacity, the matter will be referred to the Information Governance team for consideration.
In circumstances where consent has been used to process data, you have the right to withdraw your consent at any time.
In circumstances where written consent has been requested, the request to withdraw it should also be in writing. Therefore, if you were to advise us of the withdrawal of your consent over the telephone, we will ask you to provide the request in writing but will immediately suspend the consent held on file.
Where consent has been used as the basis for processing data, this will generally provide you with stronger rights under GDPR. In particular, with respect to the following:
For further details on these rights please consult the NHSCFA’s GDPR - Data Subject’s Rights Policy.
When you notify us that you wish to exercise any of these rights, your request will be referred to the Information Governance Team for consideration.
The incorrect handling of consent and the processing of personal data on this ground could leave NHSCFA at risk of:
The Information Governance Lead will ensure this policy document is reviewed no less than biennially, in accordance with the timescale specified at the time of approval.
Was this page helpful?
Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.