Requiring Consent

Introduction

1) For the most part, consent will only be used when there are no other conditions which permit the processing. 

We will rarely rely on “consent” as the condition that makes processing fair and lawful. This is because a data subject can withdraw consent as freely as they gave it, at which point we must stop the processing that depended on it. We must tell data subjects how consent can be withdrawn. In addition, once consent has been withdrawn, data subjects can ask us to erase all of the personal data relating to that processing.

2) Consider all other legal bases for processing personal or special category data before looking to rely on ‘consent’. The alternative legal bases are set out on the ICO website here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ . Contact the Data Protection Officer (DPO), Tom Penlington, or the Deputy Data Protection Officer, Kate Butcher, for more information on legal bases.

3) Much of the processing of personal data by staff (whether temporary, permanent or contract staff; those working for or on behalf of the Electoral Registration Officer/ Returning Officer; and those working for our wholly owned companies) will take place under (i) legal obligation, (ii) public task or (iii) contract. If none of these apply, check all other legal bases (personal or special category) before considering consent.

4) One example of when consent may be the appropriate legal basis is when personal data is processed for marketing purposes. If you are considering using electronic marketing then you will also need to ensure this is compliant with the Privacy and Electronic Communications Regulations (PECR). Please speak with your Information Asset Owner, or alternatively somebody in Legal Services, if you are unsure whether your intended processing meets the requirements of PECR.

What are the components of consent under UK GDPR/ Data Protection Act (DPA) 2018?

Consent must be requested using clear and plain language; it must also be:

a. Freely given,

b. Specific,

c. Informed, and

d. Unambiguous

5) What do these mean?

a. Freely given, means the data subject has a genuine choice and real control. So, for example, consent CANNOT be relied on (i) where giving it is made a condition of the data subject entering into a contract with us, or (ii) where the data subject would suffer some detriment if they refused to consent. You could not, for example, charge a fee for providing or withdrawing consent, and you could not provide a lesser standard of service to a data subject after they withdraw consent. Where there is a significant imbalance of power between MVDC and the data subjects in respect of the anticipated processing, consent is unlikely to be the correct legal basis to rely on. If you want to process the data for more than one purpose, consent must be sought, and given, separately for each processing purpose. In practice this means the data subject may be presented with more than one opt-in tick box, so that they can choose which processing purposes they consent to and which they do not.

b. Specific, means consent should be granular. Data subjects should be given the option to consent to each different type of proposed processing activity. Specific also means that the purposes of the processing should be clearly explained, to avoid ‘function creep’ (additional processing taking place over and above the processing the data subject consented to).

c. Informed, means, as a minimum:

i. Providing our contact details (and the contact details of any other data controllers where we are a joint controller with them) and those of our DPO,

ii. Explaining the purposes of the processing,

iii. Confirming what type of data will be collected and used,

iv. Telling the data subject that they can withdraw consent at any time and providing contact details of who to inform if consent is withdrawn,

v. Providing information about any automated decision making (though this is unlikely to be appropriate for our processing activities where consent is the correct legal pathway),

vi. Confirming that the data will not be processed outside the European Economic Area (EEA) or, if it will be, that appropriate safeguards are in place for doing so, and

vii. Making data subjects aware of any recipients of their personal data, including where it is processed by third party data processors.

d. Unambiguous, means consent must be given by a clear affirmative action (a statement or a positive opt-in); it cannot be inferred from silence, inactivity or pre-ticked boxes.

Consent should be obtained in writing (including email) wherever possible. Verbal consent should not be used unless this is first authorised by your Information Asset Owner, who will require that the verbal consent is recorded and that the record lists what information was provided to the data subject before the verbal consent was obtained.

What else?

a. Children and information society services (i.e. online services). A child under 13 years cannot give their own consent to an online service, so consent must be given or authorised by a person with parental responsibility for that child. Privacy Notices and other information provided must be tailored so that the plain language used is appropriate to the age of the data subject.

b. There must be complete transparency. The Data Protection Project Lead will need to ensure the information provided to the data subject/s provides a full explanation and Privacy Notices will need to be updated accordingly.

c. MVDC must keep records to be able to demonstrate that consent was obtained.

d. Data subjects must be able to withdraw consent as easily as it was provided.

e. Personal data that has been processed on the basis of consent should be deleted once consent is withdrawn. If you are processing some personal data about a data subject on the basis of consent, and other personal data about the same data subject under another lawful basis, then only the personal data processed on the basis of consent needs to be deleted once consent is withdrawn. Speak with your Information Asset Owner if you consider there is any other purpose that enables you to retain personal data following the withdrawal of consent.

f. Once you have decided that consent is the appropriate legal pathway (i.e. because no other legal basis can be relied on to permit the processing), you will need to adhere to the following:

g. Records evidencing the consent, and the means by which it was obtained, must be retained (for the duration of the processing and in line with MVDC’s Records and Retention Schedule).

h. The records must be retained by the relevant Information Asset Owner.

i. Remember that where consent is used to justify the processing of personal data, data subjects have additional rights in respect of that data (for example, the right to have it erased once consent is withdrawn, as set out in e. above).

Who is responsible if consent is not obtained or is deemed to have been obtained in a way that is not UK GDPR/ DPA 2018 compliant?

MVDC, as the Data Controller, is ultimately responsible. Staff are also individually responsible to MVDC as their employer if they breach their contract of employment (including any non-compliance with MVDC policies). In serious cases this may lead to disciplinary action or even dismissal.

Finally, where consent is the appropriate legal pathway for the processing, it is essential that, if you email a group of data subjects, you put their addresses in the “Bcc” field so that no recipient can see the email addresses of the others. Sending to the “To” or “Cc” field would disclose each recipient’s personal data to everyone else on the email.

Further information, including a letter/email template to request consent from a data subject, can be found under the GDPR tips – Consent.