Demystifying Data Protection Consent and What it Means for your Processes

In the Judicium UK GDPR 'Sofa Session' held on September 13th, Data Protection Consultant Jessica Gant discussed the following key topics: the definition of consent from a data protection view, our guidance on checking your consent practices and existing consents and the guidelines on recording and managing consent.

Why is it Important? 

On a daily basis, schools process a lot of information and need to satisfy one of the six lawful grounds for processing data. Schools mostly rely on “Public Task” as the processing they carry out tends to be related to educating a child.

It is important for all organisations to know and understand what data consent is, especially within schools because it is often the most appropriate way to process personal data, e.g., photographs and social media.

Here at Judicium we frequently see situations where consent is not managed properly. This commonly takes the form of having a one-fits-all consent option rather than detailing specifically what is required.

The Definition of Consent from a Data Protection View 

Organisations and individuals often assume consent is required to process personal data. However, consent is one of the six lawful grounds for processing data, so often you will not need to rely on consent within a school to process personal data. We usually only look at using consent for schools taking photographs.

Consent is defined in Article 4(11) as:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

• Keeping records to demonstrate consent.
• Prominence and clarity of consent requests.
• The right to withdraw consent easily and at any time.
• Freely given consent if a contract is conditional on consent.

Types of Consent

1. Freely given

Consent should be freely given – you will hear us use this term a lot when we discuss use of consent for processing data.

Freely given, means you give individuals control and choice when using personal data. If the individual has no real choice but to consent, then the consent hasn’t been freely given and will be invalid.

NB: Individuals must be able to refuse consent without any detriment, and they must be able to withdraw consent easily at any time.

The GDPR is clear that consent should not be bundled up as a condition of service unless it is necessary for the service.

2. Specific and informed

• • Clearly explain to people what they are consenting to
  • Make this explanation in a way that is easily understood.
  • The request for consent needs to be prominent, concise, and separate from other terms and conditions.

The consents should also be kept under review and should be refreshed regularly.

One concern we see often when visiting and auditing schools is consent being very vague and nonspecific. It is the school or Trust’s responsibility to ensure individuals know exactly what they are consenting to. It must be clear and specific.

NB: If the purpose for using the personal data changes, your consent should change the reflect this.

Checking your Consent Practices and Existing Consents 

How Long Does Consent Last?

The UK GDPR does not set a specific time limit for consent. Consent is likely to degrade overtime, but how long it last depends on the context.

What are the Rules on Children’s Consent?

There are slightly different rules for children’s consent. If you are wanting to use children’s photographs, and they are under the age of 13, then you would need to rely on the person who has parental responsibility. If the child is over 13, then you can rely on their consent.

When is Consent not Valid?

• You have doubts about whether someone has consented.
• An individual doesn’t realise they have consented.
• You do not have clear records to demonstrate the consent.
• There is no free choice to opt-in.
• The consent request is vague and unclear.
• You do not tell people about their right to withdraw consent.
• People cannot easily withdraw consent.
• You use pre-ticked opt-in boxes.

Recording and Managing Consent

How Should you ask for Consent?

Consent requests need to be prominent, concise, easy to understand and separate from any other information.

NB: We would recommend not having your consent form as part of your admissions form. (You could have it within the admissions pack, but this should be a separate form.)

1. Use clear and straightforward language.
2. Adopt a style which your intended audience will find easy to understand, particularly if you are asking teenagers to consent.
3. Keep your consent requests concise and specific.

What information should a consent request include:

1. The name of the organisation.
2. The purpose of the processing (why you want the data).
3. The processing activities (what you are planning to do with the consent).
4. Notification of the ability for individuals to withdraw their consent at any time

NB: We would also recommend you include how long you are going to be using the photographs for. For example, are they going on the school website? Will you retain them once the child has left? It is important to be transparent with the requester.

How to Record Consent?

Schools have a responsibility to have an effective audit trail of how and when consent was given, so your school or Trust can provide evidence if challenge.

The Information Commissioner’s Office (ICO) recommend keeping a copy of the signed consent form, which has been dated by the data subject. This should be kept in the pupil file.

Most schools also keep a separate consent record, to make it easier for them to refer back to. You can do this through some MIS systems, including SIMs, We have also seen schools use excel spreadsheets with the information on it to for ease of ensuring that only those with consent have their photograph taken.

We would also advise that you try to refresh your consent annually, to ensure that the most current consent is up to date.

The Right to Withdraw Consent

According to the ICO, data subjects need to be able to withdraw consent, it should be an easy, one step process. 

This is an important step and must be on your consent form.

NHS medical consent

It wouldn’t be a data protection issue because sharing information falls under the school’s public task.

What Happens if Consent goes Wrong?

One of the main reasons we suggest schools ask for consent is due to the issues that arise when parents do not give consent.

We have seen cases where it has been referred to the ICO. Serious scenarios can arise, such as when  a Headteacher was celebrating 30 years at the school, local press took pictures which included a child in foster care.

Another example we have seen was when a school had a photo on the school website of a child they had consent for but hadn’t recorded it properly. The parent complained, the school couldn’t find any evidence and had to pull the picture from the website.

3 Top Tips to Takeaway 

1. Refresh consent annually if possible (Suggestion: Try using a parents evening to update forms)

2. Ensure that all staff members have access to the list of children who do consent, especially when on school trips.

3. Use consent when using biometrics which require specific consent.

Helpful Information:  

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.