Consent

Use this guidance when intending to use personal data and none of the other legal bases (such as contractual obligation or performing a task in the public interest) are applicable.

The basic rules of consent

The requirements for consent are stringent to protect the rights of data subjects.  Consent must be:

• Freely given
• Specific and informed
• Active opt-in
• Verifiable
• Withdrawable

Consent is inappropriate if data subjects do not have a genuine choice over how data about them are being used. This would be the case if you would still process the data under a different legal basis if consent were refused or withdrawn. In these circumstances consent would be misleading and inherently unfair.  

Marketing

If you are carrying out marketing activities you must also follow the guidance on marketing as additional legislation applies.

Marketing does not only include the offer for sale of goods or services, but also the promotion of an organisation’s aims and ideals. For example, a ‘healthy lifestyle’ promotion, or a promotion of the University’s cafeterias with a free coffee for the first 20 students presenting a coupon.

Active opt-in

Under data protection legislation, consent must be an unambiguous indication, which means that consent must be either a statement or an affirmative action. Consent must be more than just confirmation that the person has read terms and conditions – there must be a clear signal that they agree.

Clear affirmative action means someone must take deliberate action to opt in.

This could be through

• ticking an opt-in box
• signing a consent statement
• oral communication
• a binary choice presented with equal prominence
• switching technical settings away from the default.

The key point is that all consent must be opt-in – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent and you may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions.

Implied consent, however, is still possible in circumstances where the individual has shown consent through an action. Again, mere silence or inactivity are insufficient.

For special categories of sensitive personal data, consent must always be in writing.

Freely given

Freely given consent means that people have a genuine choice and control over how the data controller uses their data. This means that the data subject must be able to refuse to give consent without any detriment, and must be able to withdraw consent easily at any time. There must be no imbalance in the relationship between data controller and data subject. Consent must not be a prerequisite for provision of a service.

Imbalance of power

Consent will be inappropriate if there is a clear imbalance of power between data controller and data subject. This is because consent cannot be considered to be freely given if data subjects feel they have no choice but to agree to the data processing. For example data subjects may depend on a service or fear adverse consequences if they do not consent.

Condition of service

If a data controller arranges for a service to be dependent on the data subject consenting to data processing, then consent will not be valid as it won’t be freely given. However, providing incentives such as loyalty schemes, is possible to some extent.

For example, staff and students may be persuaded to sign up to a cashless catering system and as a reward for allowing the company to send them special offers, they will receive vouchers and a free cup of coffee on their birthday.

For consent to be specific and informed, people must first be aware of the identity of who is processing their personal data. Both the University of Edinburgh and any third party data controllers relying on the consent you are aiming to obtain will need to be expressly named. It is not enough to simply define a category of third parties.

Privacy Notice

Verifiable

You must have an effective audit trail of how and when consent was given, so you can provide evidence if challenged, which means that you will need to keep a record in order to demonstrate what the person has consented to, including what information they were given, and when and in what way they consented.

You also need to record when people have withdrawn their consent. The consent record needs to be kept for as long as you continue to hold information about the data subject for that purpose. 

Withdrawable  

If you rely on consent as the legal basis for processing data subjects’ personal data, they have the right to withdraw their consent at any time. Therefore when you ask for consent, you should include details of how it can be withdrawn. Withdrawing consent must be as easy as giving it. There should be an easily accessible one-step process which people can use on their own initiative at any time. If possible, people should be able to withdraw their consent using the same method as they gave it. For example, provide an ‘unsubscribe’ link in every email or an email address, freephone telephone number or freepost address in your communications.

Once consent has been withdrawn, stop processing as soon as possible. However, if a person withdraws their consent it does not retrospectively affect the processing already undertaken.  For example, if somebody has consented to participate in research, they will not be able to ask you to remove data about them from studies which have already been published, but they can change their mind about raw data about them being used in future studies.

Unbundled

Consent requests must be clearly distinguishable from the rest of the text of the document or form you use; it needs to be separate from other terms and conditions and easily identifiable as a request for consent. Either use a separate consent form or ensure that the consent request is kept separate at the bottom of a form.

Wherever appropriate, you will need to provide data subjects with granular options to consent separately to different types of processing. If you obtain consent for, say, processing personal data for displaying student photos on your website, you must have separate consent for using the photos for newsletters or for marketing purposes. Only if the activities are clearly interdependent or if providing a granular list of consent would be disruptive or confusing can you provide a single option for consenting.

The most important factor is that you clearly explain to people what they consent to in an understandable way. Should your purposes for processing the personal data change, you will have to consider reconsenting people as there is no such thing as ‘evolving’ consent.

How long does consent last?

There is no specific time limit for consent. However, consent is likely to ‘degrade’ over time, but the exact duration will depend on the context. Both the scope of the original consent and the data subjects’ expectations need to be taken into account. 

Consent will need to be reviewed regularly to check the relationship, processing and purposes have not changed. Processes must be in place to refresh consent at appropriate intervals.

A record of when and how consent was received and of the information provided to data subjects at the time of consenting must be kept.

Should data subjects withdraw their consent, a suppression lists must be kept to manage the withdrawal of consent and ensure that these data subjects are not contacted and/or asked for consent again.

If personal data has been received from third party data controllers, you will need to ensure that they have obtained consent from the data subjects before.