Consent policy

This is the organisation’s formal Consent Policy.

Published: 6 March 2023

Version: 2.0




This policy outlines when the NHS Counter Fraud Authority (NHSCFA) will rely on consent as the legal basis for processing your data. It informs you when your consent will be obtained in line with the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018.

This policy only applies where separate, specific consent is required to process your personal information, for those enquiries that fall outside the scope of NHSFCA’s business as usual where another lawful basis of processing is relied upon, or where personal information is voluntarily provided (consented to) to enable enquiries to be responded to.


Consent is one of the grounds for lawfully processing personal data under the GDPR and DPA 2018.

Under GDPR, the concept of consent has been strengthened with some new rules that require organisations to be more transparent.

It states that your consent must be freely given, be specific, informed and unambiguous; it must be given by either ‘a statement’ or ‘clear affirmative action’.

GDPR introduced a number of other changes, namely:

  • consent should be separate from other terms and conditions (‘unbundled’)
  • it bans pre-ticked opt-in options
  • stipulates separate consent is required for separate processing operations (‘granular’)
  • each party relying on that consent should be clearly identified (‘named’)
  • consent needs to be documented - organisations need to record what an individual was told, what they consented to, when and how consent was given.
  • consent must be ‘easy to withdraw’ - it must be as easy for an individual to withdraw consent as it was for them to give, and individuals need to be told that they have the right to withdraw consent and how to do so.
  • organisations cannot rely on consent where there is a clear imbalance of power between the individual and organisation, as it is unlikely that the individual’s consent will be viewed as being ‘freely given in all the circumstances of that particular scenario’.


NHSCFA processes personal data as defined in GDPR Article 6 (1), under Part 2 of the DPA 2018 on the basis that the processing is necessary and in line with what can reasonably be expected when personal information is provided for general purposes. This includes but is not limited to; responding to requests and enquires, investigating complaints, processing applications, securing goods and services or for corporate administration purposes such as maintaining our records and accounts.

Where your consent is given, NHSCFA must keep clear records to demonstrate this. The provision of consent must:

  • be unambiguous
  • be granular - (separate consent for separate processing operations)
  • involve clear affirmative action
  • not involve any pre-ticked opt-in options; and
  • allow NHSCFA to demonstrate the acquisition of that consent

It must be as easy for you to withdraw consent as it was for you to provide it. You therefore must also be informed when giving consent, the process for withdrawing it.

Consent may be used by NHSCFA in some of the following areas:

  • fraud, bribery and corruption referrals/follow ups
  • investigating complaints where further external referral may be required to facilitate a response
  • undertaking routine application checks

Where your consent is being used as the basis for processing, you need to be fully informed of the process. Where personal and sensitive information is processed within NHSCFA on that basis you will be:

  • informed of the process for consent
  • informed of any risks to the confidentiality of the information
  • informed of any risks to the security of the information that may occur as a result of the consent provided
  • where appropriate asked if you wish to place any restrictions/ time-period on the consent provided
  • notified of your rights and how to withdraw your consent.

In cases where consent has been used as the legal basis for processing data, the consent should:

  • be reviewed on an annual basis
  • lapse automatically upon conclusion of the enquiry; and
  • the individual should be notified when the consent lapses.

In certain circumstances, you may wish for someone else to act on your behalf in dealing with the NHSCFA. When this is the case and you inform us of this, we will take the following steps to obtain and record your consent.

We will issue a third-party consent form for completion (see Appendix A). It has been developed to include all the requisite information and identify the risks to you in providing consent for others to receive your information or give information on your behalf.

Following receipt of the signed consent form an acknowledgement will be sent, confirming receipt and the date from which the consent is to be applied (usually the date of the form’s receipt). It will also confirm whom the information will be issued to.

Written confirmation will be sent to your nominated person or organisation (‘the third party’) informing them that they have been nominated by you to receive correspondence from NHSCFA (see Appendix B). It will also advise the nominee to contact us, should they have any issues with the nomination.

Once the respective matter has concluded, the validity of the third-party consent will automatically lapse.

There are no specific provisions within GDPR regarding an individual’s capacity to consent. Generally, it is to be assumed that you have the capacity to consent, unless the NHSCFA has reason to determine otherwise.

Individuals who ‘lack capacity’ are unable to give consent, informed or otherwise. NHSCFA are NOT able to determine if capacity is an issue and therefore, we will rely solely on your nominated representative or other professional to inform us if capacity is an issue.

Where it is identified that an individual potentially lacks capacity, the matter will be referred to the Information Governance team for consideration.

In circumstances where consent has been used to process data, you have the right to withdraw your consent at any time.

In circumstances where written consent has been requested, the request to withdraw it should also be in writing. Therefore, if you were to advise us of the withdrawal of your consent over the telephone, we will ask you to provide the request in writing but will immediately suspend the consent held on file.

Individual rights

Where consent has been used as the basis for processing data, this will generally provide you with stronger rights under GDPR. In particular, with respect to the following:

  • right to erasure - also known as the right to be forgotten
  • right to restriction of processing
  • right to lodge a complaint with a supervisory authority
  • right to an effective judicial remedy against a controller or processor.

For further details on these rights please consult the NHSCFA’s GDPR - Data Subject’s Rights Policy.

When you notify us that you wish to exercise any of these rights, your request will be referred to the Information Governance Team for consideration.

Incorrect handling

The incorrect handling of consent and the processing of personal data on this ground could leave NHSCFA at risk of:

  • reputational damage
  • penalties
  • liability and an individual’s right to compensation.


The Information Governance Lead will ensure this policy document is reviewed no less than biennially, in accordance with the timescale specified at the time of approval.

Help us improve

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.


Thanks for the feedback!