Client consent, privacy statements and UK GDPR
The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 together form a legal framework that sets out the requirements for how a person’s data can be processed. There are six lawful bases for processing data under the UK GDPR – consent is one of them.
You require explicit consent to process sensitive personal data, known as ‘special category data’.
Consent includes ensuring the client understands what you will be doing with their data, who it will be shared with and how it will be used. This information should be covered in a privacy statement and given to the client.
Without obtaining explicit consent from a client over how their personal data will be processed, an organisation/agency and an adviser may be at risk of substantial fines under UK GDPR.
Data protection principles
There are seven data protection principles:
    lawfulness, fairness and transparency; and
    purpose limitation; and
    data minimisation; and
    accuracy; and
    storage limitation; and
    integrity and confidentiality (security); and
    accountability.
Any data you process should comply with data protection principles.
Further details are available on the Information Commissioner’s Office (ICO) website: ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles
Lawful basis
There are six lawful bases for processing data and each organisation should identify the correct lawful basis for how the personal data will be processed. The most common of these for debt advice processing are legitimate interest, consent and public task (for a public body).
Consent mandate and privacy statements
A consent mandate is a form stating the client is giving the debt adviser consent to use the information they have provided. It must be easy to understand, concise and separate from any other information the client needs to review. It should avoid technical or legal jargon, unexplained abbreviations and confusing terminology. It must be written in a manner which the client understands.
It must include the following:
    the name of the debt advice agency and the names of any other controllers who will rely on the consent; and
    why the debt adviser needs the data; and
    how the debt adviser will use the client’s data; and
    confirmation that the client can withdraw their consent at any time, and how to withdraw it.
A privacy statement supports a consent mandate to ensure the client is aware of what will happen to the personal information they provide to the adviser.
It should include the following:
    who is responsible for the client’s information; and
    how long the information will be kept; and
    who it will be shared with; and
    what information will be collected and shared; and
    who the client can contact if they have concerns over how their information is being used.
Explicit consent
Many debt advice organisations use consent as their lawful basis and rely on explicit consent to process special category data. When you process special category data, you must have an additional legal basis for doing so.
The most common special category data legal bases for debt advice processing are explicit consent and a public interest condition. Explicit consent requires a clear and specific statement of consent which the client understands and signs.
Special category data is data about someone’s:
    health; or
    racial or ethnic origin; or
    sex life; or
    sexual orientation; or
    religious or philosophical beliefs; or
    political opinions; or
    genetic or biometric data; or
    trade union membership.
This data is considered more sensitive and therefore requires additional considerations before processing it.
Each organisation will have different approaches and applicable legal bases. You should refer to your organisation’s data protection policies and procedures for further details.
Explicit consent can only be given if the client understands:
    why the adviser wants the data; and
    what they will do with it; and
    which organisation and any third parties are asking for consent; and
    they can withdraw consent at any time and how they can do that.
You should speak to your data protection officer or refer to internal policies and procedures about sharing data externally for advice. You should only ever share the minimum amount of data necessary to support the client.
Further guidance on data sharing is available on the ICO website: ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing
The client must actively opt in to give consent, and a record must be kept of who consented, when and how they did so, and what they were told.