How and when to use consent as the legal basis for processing personal data.
Use this guidance when intending to use personal data and none of the other legal bases (such as contractual obligation or performing a task in the public interest) are applicable.
The basic rules of consent
The requirements for consent are stringent to protect the rights of data subjects. Consent must be:
- Freely given
- Specific and informed
- Active opt-in
Consent is inappropriate if data subjects do not have a genuine choice over how data about them are being used. This would be the case if you would still process the data under a different legal basis if consent were refused or withdrawn. In these circumstances consent would be misleading and inherently unfair.
If you are carrying out marketing activities you must also follow the guidance on marketing as additional legislation applies.
Marketing does not only include the offer for sale of goods or services, but also the promotion of an organisation’s aims and ideals. For example, a ‘healthy lifestyle’ promotion, or a promotion of the University’s cafeterias with a free coffee for the first 20 students presenting a coupon.
Under data protection legislation, consent must be an unambiguous indication, which means that consent must be either a statement or an affirmative action. Consent must be more than just confirmation that the person has read terms and conditions – there must be a clear signal that they agree.
Clear affirmative action means someone must take deliberate action to opt in.
This could be through
- ticking an opt-in box
- signing a consent statement
- oral communication
- a binary choice presented with equal prominence
- switching technical settings away from the default.
The key point is that all consent must be opt-in – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent and you may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions.
Implied consent, however, is still possible in circumstances where the individual has shown consent through an action. Again, mere silence or inactivity are insufficient.
For special categories of sensitive personal data, consent must always be in writing.
“Would all those who want to be in the conference photo please make their way onto the stage. We’ll publish the photo on the conference website.”
This would suffice for consent as conference participants have shown their consent through an action, i.e. going onto the stage.
At recruitment fairs or the University Open Day, potential applicants consent to receiving information material by providing their email address.
Freely given consent means that people have a genuine choice and control over how the data controller uses their data. This means that the data subject must be able to refuse to give consent without any detriment, and must be able to withdraw consent easily at any time. There must be no imbalance in the relationship between data controller and data subject. Consent must not be a prerequisite for provision of a service.
Imbalance of power
Consent will be inappropriate if there is a clear imbalance of power between data controller and data subject. This is because consent cannot be considered to be freely given if data subjects feel they have no choice but to agree to the data processing. For example data subjects may depend on a service or fear adverse consequences if they do not consent.
Condition of service
If a data controller arranges for a service to be dependent on the data subject consenting to data processing, then consent will not be valid as it won’t be freely given. However, providing incentives such as loyalty schemes, is possible to some extent.
For example, staff and students may be persuaded to sign up to a cashless catering system and as a reward for allowing the company to send them special offers, they will receive vouchers and a free cup of coffee on their birthday.
Examples of inappropriate consent
A lecturer asks students for consent to have their photos and contact details displayed on a public website linked to a project, and says otherwise they will not be able to participate in the project.
The HR department asks potential employees for their consent to have their dates of birth, salary and private addresses transferred to the cashless catering system as otherwise they won’t be able to participate.
Specific and informed
For consent to be specific and informed, people must first be aware of the identity of who is processing their personal data. Both the University of Edinburgh and any third party data controllers relying on the consent you are aiming to obtain will need to be expressly named. It is not enough to simply define a category of third parties.
This consent request would not be sufficient:
“You agree to the University of Edinburgh, and any recruitment agencies with whom we might consult, processing your personal data in order to help you with your career choice.”
This consent would be sufficient:
“You agree for the University of Edinburgh to transfer your data to the University’s Careers Service to help you with your career choice.”
People must also know what it is they consent to. This means that you must provide information in the relevant privacy notice about all the purposes for which personal data is being processed. Refer to the guidance about privacy notices.
You must have an effective audit trail of how and when consent was given, so you can provide evidence if challenged, which means that you will need to keep a record in order to demonstrate what the person has consented to, including what information they were given, and when and in what way they consented.
You also need to record when people have withdrawn their consent. The consent record needs to be kept for as long as you continue to hold information about the data subject for that purpose.
If you rely on consent as the legal basis for processing data subjects’ personal data, they have the right to withdraw their consent at any time. Therefore when you ask for consent, you should include details of how it can be withdrawn. Withdrawing consent must be as easy as giving it. There should be an easily accessible one-step process which people can use on their own initiative at any time. If possible, people should be able to withdraw their consent using the same method as they gave it. For example, provide an ‘unsubscribe’ link in every email or an email address, freephone telephone number or freepost address in your communications.
Once consent has been withdrawn, stop processing as soon as possible. However, if a person withdraws their consent it does not retrospectively affect the processing already undertaken. For example, if somebody has consented to participate in research, they will not be able to ask you to remove data about them from studies which have already been published, but they can change their mind about raw data about them being used in future studies.
Consent requests must be clearly distinguishable from the rest of the text of the document or form you use; it needs to be separate from other terms and conditions and easily identifiable as a request for consent. Either use a separate consent form or ensure that the consent request is kept separate at the bottom of a form.
Example of ‘bundled’, invalid consent
“We will collect your name, date of birth and any medical conditions from you. We will process the information you have provided us in order to enable you to use the University Sports Centre and take part in classes. You agree to us passing your personal data on to our sponsor who will send you marketing material for sportswear with the University’s logo. We will also use the information you have provided us with to ensure you are kept informed of any new classes we offer. We will keep the information you have provided for as long as you are matriculated. We do not use automated decision-making or profiling.
Please sign here………………………………………………………..”
Wherever appropriate, you will need to provide data subjects with granular options to consent separately to different types of processing. If you obtain consent for, say, processing personal data for displaying student photos on your website, you must have separate consent for using the photos for newsletters or for marketing purposes. Only if the activities are clearly interdependent or if providing a granular list of consent would be disruptive or confusing can you provide a single option for consenting.
The most important factor is that you clearly explain to people what they consent to in an understandable way. Should your purposes for processing the personal data change, you will have to consider reconsenting people as there is no such thing as ‘evolving’ consent.
How long does consent last?
There is no specific time limit for consent. However, consent is likely to ‘degrade’ over time, but the exact duration will depend on the context. Both the scope of the original consent and the data subjects’ expectations need to be taken into account.
Consent will need to be reviewed regularly to check the relationship, processing and purposes have not changed. Processes must be in place to refresh consent at appropriate intervals.
A record of when and how consent was received and of the information provided to data subjects at the time of consenting must be kept.
Should data subjects withdraw their consent, a suppression lists must be kept to manage the withdrawal of consent and ensure that these data subjects are not contacted and/or asked for consent again.
If personal data has been received from third party data controllers, you will need to ensure that they have obtained consent from the data subjects before.
The University Sports Centre runs a promotion that gives members the opportunity to opt in to receiving emails with tips about healthy living to get in shape for the summer holidays this year. As the consent request specifies a particular timescale and end point – the summer holiday – the expectation will be that no more emails will be sent out once the summer is over. The consent will then expire.
Development & Alumni can under the legal basis of legitimate interest contact individuals that are not alumni of the University and ask them to become donors. If an individual refuses consent to any further communication, then that individual’s name and contact details must be entered into a suppression list to avoid any future contact.