Information Governance and Security
- / Information Governance and Security /
- Information Governance /
- Information Governance For The University /
- Data Protection /
- Principles for Processing /
- Consent Guidance
At a glance
- The GDPR sets a high standard for consent.
- Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.
- Check your consent practices and your existing consents. Refresh consents if they don’t meet the GDPR standard
- Consent means offering individuals genuine choice and control.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default
- Explicit consent requires a very clear and specific statement of consent
- Keep your consent requests separate from other terms and conditions.
- Be specific and granular. Vague or blanket consent is not enough.
- Be clear and concise.
- Name any third parties who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people
- Keep consent under review, and refresh it if anything changes.
- Avoid making consent a precondition of a service.
- Public authorities and employers will find using consent difficult
- Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate
The consent of the Data Subject is one of the lawful conditions for processing both normal (non-sensitive) Personal Data and for Special Category (Sensitive) Personal Data.
If the Data Subject has consented (and fully understood what they were consenting to) then we can process the data accordingly.
Although consent is a powerful condition – it should not be your first choice as there are a number of specific requirements which may make it an incorrect or unsuitable condition (especially if there are other conditions which could be used)
If you rely on consent, this will also affect individuals’ rights. People will generally have stronger rights when processing is based on consent – for example, the right to erasure (also known as ‘the right to be forgotten’) and the right to data portability.
There are a number of common misconceptions in relation to consent:
- Consent is always needed to process personal data
No, this is most definitely not true! Consent is often the wrong basis to use!
- Students ‘agree’ to be a student at Keele and therefore must have consented to us processing their data
No, this is not consent. ‘Bundled’ or implied consent is not allowed – it needs to be specific and informed. Also ask yourself what would happen if the student withdraws consent (which they have a right to do). If the answer is that they could no longer be a student, then consent is unlikely to have been the correct basis to use.
- Staff ‘agree’ to take the job and therefore must consent to the processing of their data
This is the same as B above
For both B and C in the examples above, it is likely that we could rely on:
- The processing is necessary for the performance of a contract with the data subject, or to take steps to enter a contract; or
- The process is necessary to comply with a legal obligation (e.g. to comply with employment laws); or
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official duty vested in Keele; or
- The processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Note ; it is also the case that consent is more likely to be considered ‘unfair’ (and therefore not a valid legal basis) when used by ‘public bodies’. This is because there can often be a perceived ‘imbalance of power’ between an individual and a public body. Keele is a public body for the purposes of GDPR and so this is further reason to avoid consent.
For some activities consent will be required by other legislation or obligations:
- Consent to send electronic marketing material (e.g. by email, text, etc) may be required by PECR (see section ). This would force you to identify ‘consent’ as your data protection lawful basis (but only for the marketing purposes)
- Consent may be required to avoid breaching an obligation of confidentiality you may have with the data subject. This is not necessarily ‘data protection consent’ i.e it is feasible that you could rely on ‘Public task/Research ‘ as you data protection condition but still need to get consent to be able to share data if that data has been obtained with an expectation of confidentiality)
- Consent may be required by other bodies in order for – for example – a person to agree to participate in research study. Again consent may not be you ‘data protection condition’