When lenders become aware that a customer has a mental health issue, but that customer will not give consent to the lender processing that information as sensitive personal data under the Data Protection Act (DPA), they face a dilemma between the requirement to treat their customer fairly and an inability to record or process this information without breaching the DPA.
In terms of the DPA, when a customer makes a disclosure of sensitive personal information the lender should explain to the customer how the information disclosed will be used and obtain explicit consent for the use of that information for those purposes.
Go deeper with GlobalData
Access deeper industry intelligence
Experience unmatched clarity with a single platform that combines unique data, AI, and human expertise.
The FCA’s Consumer Credit Sourcebook requires consideration of any aspect of vulnerability in creditworthiness assessments (which could, as well as mental capacity, include mental health issues) and debt collection (requiring policies dealing specifically with vulnerable customers). However, a customer not giving consent makes dealing fairly with customers who are vulnerable more difficult. It’s permissible to process sensitive personal data for a customer who can’t give consent if it is necessary to protect their "vital" interests, but this provision does not apply to customers who won’t give consent.
Current best practice states that disclosure of mental health issues should be encouraged to enable better engagement between the lender and customer, serving the interests of both parties by ensuring that the lender can deliver the best outcomes for itself, particularly in a collections context, by securing an early sustainable repayment arrangement, while also protecting the customer’s best interests.
However, the lender should not use mental health to exclude the customer from access to its products and services. Mental health issues can amount to a disability in certain cases, and exclusion based on such conditions could amount to discrimination and a breach of the Equality Act 2010.
While not directly related to mental health, mental capacity requires particular consideration in both a lending and debt recovery context. For all these reasons, a lender does need to take into account any mental health and mental capacity issues in its decision-making process. When doing so, it will have to address the DPA issues identified.
US Tariffs are shifting - will you react or anticipate?
Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.
By GlobalDataCurrent Information Commissioner’s Office guidance offer little comfort. It states that if the firm is acting in the customer’s best interests, then enforcement action for processing sensitive personal data without the conditions for doing so being met (which would be a breach of the DPA) is unlikely.
It seems anomalous that a regulatory requirement can "trump" primary legislation and involve breach of a statutory requirement. However, we believe that, without a change in the law or FCA rules, in the absence of consent, lenders will continue to risk breaches of the DPA (and potential customer action for redress) in order to meet their TCF obligations. Until then, lenders should still request consent, explaining the purposes for which the information will be processed, but if consent isn’t given, should carefully consider the customer’s individual circumstances and ask whether they can truly treat their customer fairly if they do not record and act upon any mental health disclosure; any such decision-making process should be properly recorded along with the detailed justification for the decision.
David Wood is a partner at DWF
