Part 1: Introduction to consent…
Did you know that studies repeatedly find that most people fail to read most terms most of the time and no person can credibly claim to have read all the terms all of the time1, such that our response to most consent agreements does not constitute true informed consent? (Barnett, 2002; Good et al, 2007; Kim, 2013).
We are not always aware of the many times we tacitly provide consent each day, as the matter for consent will not always be presented in obvious language alerting us to the fact that we are providing our consent. We may also remain unaware because: (i) the consent text may form part of a shrink-wrap agreement that often cannot be read until you have opened the packaging2; (ii) the consent terms may be buried within the digital agreement, terms of service, a click-thru or popup box that many people either don’t read or just scroll through to get to the ‘accept’ or ‘continue’ button; or (iii) it may be because the law says our consent can be assumed - in some cases by virtue of our having done some other enabling act or at other times as a result of nothing more than our mere silence3 (Barnett, 2002; Saunders, 2010). It may also be because consent was given in circumstances of: coercion4; haste; a lack of due care and attention; or simple human naiveté. Consent may also have been granted without you even being notified, as seen in the case of NHS patient records in the UK where access to health service user’s electronic data was approved for secondary uses5, seemingly6 on the basis of a small sample size self-selected survey7 (Heslop et al, 2020; Hughes, 2019; Riordan et al, 2015). Whatever the reason, it is in these concealed consent situations that our right to certainty, autonomy, choice and privacy is most at risk (Kulynych et al, 2017; Price & Cohen, 2019). It is also in these situations that the negative outcomes and personal costs we experience can turn out to be the most severe.
Over these first few posts let’s explore the concept of consent, especially as it relates to a number of common examples in our everyday lives:
medical treatment
loyalty scheme consent
cookie consent, and
data collection and usage consent in today’s connected vehicles.
It is only once we have explored, defined and gotten comfortable with what consent is, we can investigate the consent process in situations like the Covid-19 vaccinations and transgender clinic treatments that some patients claim represent examples of what consent isn’t.
Does consent matter?
There have been many different public conversations regarding consent. Post-WW2 much of the focus was on consent to medical experimentation and resulted in significant changes in how participants are asked to consent for clinical trials. This produced a follow-on benefit for all patients in that stronger requirements for informed consent prior to therapeutic medical treatment were introduced. In 1885 public and legislative focus had been on withdrawing the girl under 16’s right to consent to sexual intercourse (Bates, 2015). While beginning with the Rape Crisis Movement in the 1970’s8 that focus shifted to enshrining the girl over 16’s right to decline; which in the early 1990’s paradoxically became both “no means no” (Hall, 2004) and “yes means yes” (Mettler, 2018). More recently, there has been the issue of secondary use of an individual’s health data in systems like the UK’s 2013 Care.Data and Australia’s 2012 MyHealthRecord that disingenuously appeared to focus on the patient’s right to control use of their personal information once in the new system (Taylor, 2016). Such emphasis ignored public concerns around: (i) the coercive opt out consent process used to mandate collection and storage of this highly personal data; (ii) storage and access overseen by government organisations who were already infamous for poorly safeguarding State-held personal data; (iii) the continued sale of patient data to pharmaceutical companies, debt collectors, telecommunications providers; (iv) quiet linkage of health records with the government datasets of census, benefits, law enforcement and taxation agencies; and (v) health services partnering with big data tech firms who go on to illegally process health record data or re-identify the subject patients in poorly anonymised records (Annystudio, 2021; Musil, 2019; Stilgherian, 2018; Vincent, 2017). It also completely missed the fact that even when the patient did opt out of having their record in these publicly managed health records systems, all they were really doing was divesting themselves of the ability to access and manage their own data. While not always being maintained as up-to-date, that data was retained and often remains available to a broad range of researchers and clinicians9 (Annystudio, 2021; Fernando, 2021).
The presence of truly informed consent alters the perception of acts that casual observers may find immoral or abhorrent, while the absence of consent can make innocuous or ostensibly justifiable acts unlawful. Consent is provided not just at obvious times, such as when we allow doctors to treat us (medical consent), or when we agree to an intimate encounter (sexual consent), but also when we install a new piece of software on our computers (EULA consent), browse a website (data collection and cookie consent), drive a car (implied consent), or lease a property (tacit consent). And while consent may seem a wholly modern concept, we know it was contemplated in the context of medical matters in ancient Greece (Dalla-Vorgia et al, 2001; Murray, 1990) and marriage, sexual matters and contracts in ancient Rome (Ashmore, 2015; Decock, 2012).
In the next post we will characterise the necessary elements of truly informed consent as we search for an overarching, all-encompasing definition…
Join me then as we explore… What is Consent?
References:
Annystudio, (2021). Why you may want to opt out or delete Australian My Health record. Annystudio. Last accessed: 4 July, 2022. Sourced from: https://annystudio.com/think/opt-out-of-my-health-record/
Ashmore, M. (2015). Rape culture in ancient Rome. Connecticut College, Classic Honors Papers. https://digitalcommons.conncoll.edu/cgi/viewcontent.cgi?article=1003&context=classicshp
Barnett, R. E. (2002). Consenting to form contracts. Fordham L. Rev., 71, 627.
Dalla-Vorgia, P., Lascaratos, J., Skiadas, P., & Garanis-Papadatos, T. (2001). Is consent in medicine a concept only of modern times?. Journal of Medical Ethics, 27(1), 59-61.
Decock, W. (2012). Theologians and contract law: the moral transformation of the IUS commune (ca. 1500-1650). In Theologians and Contract Law. Brill Nijhoff.
Fernando, J. (2021). Commonwealth Health Department going for data grab under cover of COVID. Australian Privacy Foundation. Sourced from: https://privacy.org.au/2021/05/21/commonwealth-health-department-going-for-data-grab-under-cover-of-covid/
Good, N. S., Grossklags, J., Mulligan, D. K., & Konstan, J. A. (2007, April). Noticing notice: a large-scale experiment on the timing of software license agreements. In Proceedings of the SIGCHI conference on Human factors in computing systems (pp. 607-616).
Hall, R. (2004). “It can happen to you”: Rape prevention in the age of risk management. Hypatia, 19(3), 1-19.
Heslop, P. A., Davies, K., Sayer, A., & Witham, M. (2020). Making consent for electronic health and social care data research fit for purpose in the 21st century. BMJ Health & Care Informatics, 27(1).
Hughes, O. (2019). One London to begin deliberative dialogue on data use, privacy and consent. Digital Health. Last accessed: 2nd October, 2022. Sourced from: https://www.digitalhealth.net/2019/08/one-london-to-begin-deliberative-dialogue-on-data-use-privacy-and-consent/
Kim, N. S. (2013). Wrap contracts: Foundations and ramifications. Oxford University Press.
Kulynych, J., & Greely, H. T. (2017). Clinical genomics, big data, and electronic medical records: reconciling patient rights with research when privacy and science collide. Journal of Law and the Biosciences, 4(1), 94-132.
Mettler, K. (2018). ‘No means no’ to ‘yes means yes’: How our language around sexual consent has changed. The Washington Post. Last accessed: 4 July, 2022. Sourced from: https://www.washingtonpost.com/news/soloish/wp/2018/02/15/no-means-no-to-yes-means-yes-how-our-language-around-sexual-consent-has-changed/?noredirect=on
Murray, P. M. (1990). The history of informed consent. The Iowa orthopaedic journal, 10, 104.
Musil, S. (2019). Google and University of Chicago sued over patient records. CNET. Last accessed: 2nd October, 2022. Sourced from: https://www.cnet.com/news/privacy/google-and-university-of-chicago-sued-over-patient-records/
Price, W. N., & Cohen, I. G. (2019). Privacy in the age of medical big data. Nature medicine, 25(1), 37-43.
Riordan, F., Papoutsi, C., Reed, J. E., Marston, C., Bell, D., & Majeed, A. (2015). Patient and public attitudes towards informed consent models and levels of awareness of Electronic Health Records in the UK. International journal of medical informatics, 84(4), 237-247.
Saunders, B. (2010). Normative consent and opt-out organ donation. Journal of Medical Ethics, 36(2), 84-87.
Stilgherian, P. (2018). My Health Record opt-out debate is getting silly but government is at fault. ZDNet. Last accessed: 4 July, 2022. Sourced from: https://www.zdnet.com/article/my-health-record-opt-out-debate-is-getting-silly-but-government-is-at-fault/
Taylor, R. (2016). Why the closure of Care.Data is bad news for the NHS and society. The guardian. Last accessed: 4 July, 2022. Sourced from: https://www.theguardian.com/healthcare-network/2016/jul/19/caredata-closure-bad-news-nhs-society-data-sharing
Vincent, J. (2019). Google’s DeepMind and UK hospitals made illegal deal for health data says watchdog. The Verge. Last accessed: 2nd October, 2022. Sourced from: https://www.theverge.com/2017/7/3/15900670/google-deepmind-royal-free-2015-data-deal-ico-ruling-illegal
Adapted from Barnett (2002).
Which is generally too late, because traditional shrink-wrap agreements activated when you remove the shrink-wrap.
Sir Thomas More coined the maxim qui tacet consentiret - ‘silence gives consent’ - and while courts of the day did not generally hold this maxim to be part of the law of contract, it still may apply where it has been written into a contract or legislation or where other actions create the implication of acceptance. Examples such as when governments have quietly introduced opt-out organ donation on driver’s license renewals demonstrate the legal fiction of silent assent. People may remain silent not because they consent but because they are either unaware of how to opt out, or are unaware of the rule change that prescribed that by not opting out, it can be inferred that they have given consent. Another example might be the long-running conflict between the right to silence enshrined in the legislation and common law of some countries (that you may choose to remain silent when being interrogated by police) and the rule of tacit admission (your silence may be considered an indicator of guilt) which is based on the belief that all innocent men would loudly deny any serious charge.
Coercion can be seen as a result of pressure from the recipient of consent (i.e. when the consentor places the consentee in a no choice situation that they must agree by creating fear in the consentee regarding harm that could be applied to affect the comfort and safety of themselves or someone close to them), or pressure from a third party (i.e. when family members tell the consentee they must agree to allow the doctor to perform some particular medical treatment in order to continue to have a home or receive support).
Including incorporation into the HDRUK, One London Shared Care and other NHS medical records datasets that are made available to researchers and for sale to pharmaceutical and medical device companies, local authorities and many other organisations.
In seeking to promote the HDRUK and Digital Records Exemplar mission, and support their need for broad access to patient data, Heslop et al (2020) rely on the Riordan study to make the claim that most people in the UK are happy to consent to use of their routinely collected electronic health and social care data for research
5331 self-selected volunteers responded to a survey placed in the medical reception waiting areas of a limited number of NHS clinics and medical practices in a small suburb of West London. The authors of this study use a number of statistical and classification tricks to first ensure that the study appeared to be a diverse cross-section of London’s entire population when it was not (such as by hiding white people who were not British citizens under the classification of white non-British and then counting them with Blacks and Asians in order to make the claim that only 55% of the study participants were white British) and secondly by removing respondents who did not complete all questions in the survey potentially because they were more concerned about their privacy (where respondents did not or were not willing to answer every question, including the broad range of demographic questions that may have made them re-identifiable, the researchers removed these people from the final sample. People who were unwilling to answer these demographic questions may have represented a group who were opposed to automatic unconsented or opt out style sharing of their medical information, and their exclusion may have unfairly biased the study’s results in favour of making health records automatically available to HDRUK and other health data aggregators.)
https://www.wcsap.org/advocacy/program-management/new-directors/history/history-movement
However, patient registration forms of many Australian medical clinics and General Practices were quietly altered between 2018 and 2021 such that many people who had opted out of having a MyHealth Record have been unknowingly consenting to having their health data, often anonymised, uploaded to the system and made available to researchers. When anonymised, the government service responsible for MyHealth Records, the Western Australia Primary Health Alliance claims “patients and providers cannot be re-identified.” This claim was shown not to be true when in 2016 the health and medicines claim data of over 3 million Australians were made available to researchers and downloaded more than 1000 times. When researchers demonstrated it was possible to first identify the providers, and later patients, rather than seek to deal with the issue that led to the data being re-identifiable the government’s response was a failed attempt to legislate against all attempts, including those of security and privacy researchers, to study or attempt re-identification of anonymised government data with the overreaching Privacy Amendment (Re-Identification Offence) Bill 2016 that the Australian Senate and Parliamentary Human Rights scrutinised and government did not proceed to enact at the time. The Bill has been reintroduced during the 2021-22 Parliamentary year.