Consent under the DPA 1998 [Archived]
Produced in partnership with Stephanie Pritchett of Pritchetts Law
Consent under the DPA 1998 [Archived]

The following Pensions guidance note Produced in partnership with Stephanie Pritchett of Pritchetts Law provides comprehensive and up to date legal information covering:

  • Consent under the DPA 1998 [Archived]
  • Background to consent
  • What does ‘consent’ mean?
  • Is consent required and what happens if one cannot obtain consent?
  • Obtaining consent for the processing of sensitive personal data
  • How to obtain consent generally
  • Consent from children and others with incapacity
  • Withdrawing consent
  • Changes as a result of the General Data Protection Regulation

ARCHIVED: This archived Practice Note provides information on the data protection regime before 25 May 2018 and reflects the position under the Data Protection Act 1998 (DPA 1998). This Practice Note is for background information only and is not maintained.

Background to consent

To satisfy the first data protection principle in the DPA 1998 as derived from the Directive 95/46/EC (the Data Protection Directive), data controllers must be able to demonstrate, among other matters, that they have met:

  1. one of the conditions for processing personal data under DPA 1998, Sch 2, and

  2. if the data constitutes sensitive personal data, then in addition to this, one of the conditions for processing sensitive personal data under:

    1. DPA 1998, Sch 3; or under

    2. the Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417, which sets out additional conditions which allow the processing of sensitive personal data in limited circumstances.

For more information, see: Further conditions for processing sensitive personal data: Encylopaedia of Forms & Precedents 12(2), [36].

One of the conditions for processing personal data as set out in DPA 1998, Sch 2 is that the individual whom the personal data is about has consented to the processing. Consent is also a condition for the processing of sensitive personal data under DPA 1998, Sch 3.

In addition, when a data controller intends to