Here is discussion on "Consent" regarding the 1998 DPA, which is based on the European Directive;(posted 7875 days ago)One of the conditions for processing is that the processing is carried on with the consent of the data subject. The existence or validity of consent will need to be assessed in the light of the facts.
Rather surprisingly, "consent" is not defined in the ACT !!
So perhaps the only way to understand what may or may not amount to consent in any particular case one should refer back to the European Directive. This defines "the data subject's consent" as:-
"... any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."
The fact that the data subject must "signify" their agreement means that there must be some active communication between the parties. Data controllers cannot infer consent from non-response to a communication, for example from a customer's failure to return or respond to a leaflet.
The adequacy of any consent or purported consent must be evaluated. For example, a consent which was later found to have been obtained under duress or on the basis of misleading information would not be a valid basis for processing.
Even when consent has been given it will not necessarily endure forever. While in most cases consent will endure for as long as the processing to which it relates continues, data controllers should recognise that the individual may be able to withdraw their consent.
Consent must be appropriate to the particular circumstances. For example, if the processing to which it relates is intended to continue indefinitely or after the end of a trading relationship then the consent should cover those circumstances.
SENSITIVE PERSONAL DATA
There is a distinction in the Act between the nature of the consent required to satisfy the condition for processing and that which is required in the case of the condition for processing sensitive data. The consent must be "explicit" in the case of sensitive personal data. The use of the word "explicit" suggests that the consent of the data subject should be absolutely clear. In appropriate cases it should cover
the specific detail of the processing, the particular type of data to be processed (or even the specific information), the purposes of the processing and any special aspects of the processing which may affect the individual, for example disclosures which may be made of the data.
So, the level of detail appropriate to a consent will vary. In some cases implied consent may be sufficient. In others nothing less than clear written consent will suffice. A blanket consent to the processing of personal data is unlikely to be sufficient as a basis on which to process personal data, particularly sensitive personal data. The more ambiguous the consent being relied upon by data controllers in any particular case the more likely there are to be questions about its existence or validity.