Under the General Data Protection Regulation (GDPR) – coming into effect on 25 May 2018 – the definition and role of consent remains similar to that under the Data Protection Act 1998; however, the GDPR does set a higher standard for consent.
In order to comply with the definition of consent set out in the GDPR, schools will need to review how they seek, obtain and record consent to ensure they meet the standards. Any consent obtained under the DPA will also need to be reviewed to ensure it is compliant with the GDPR; if it isn’t, it needs to be refreshed.
This guidance outlines the key information schools need to know to ensure their consent procedures are compliant with the GDPR.
Seven things schools need to know about consent
1: Consent isn’t always needed
Consent is only one of six legal grounds for processing data under the GDPR. Other legal processing conditions are outlined in Article 6 of the GDPR, and conditions for processing ‘special categories of data’ (i.e. personal data revealing race, ethnicity, political opinions, religion, beliefs or trade union membership, sexual orientation, sex life, and biometric/genetic data used to identify a person) are outlined in Article 9.
Schools only need to obtain consent to process data when they cannot do so under any other lawful basis, such as complying with a regulatory requirement.
For example, consent would not need to be obtained to process data that the school provides to the DfE as part of the census – this is a legal obligation; therefore, the data can be processed lawfully without consent.
Consent would need to be obtained, for example, where the school wishes to collect parents’ email addresses to send fundraising and marketing emails to them – there is no other lawful basis to process this data; therefore, consent must be obtained.
Asking for consent when the data would be processed anyway (i.e. there is another lawful basis for processing) is misleading.
2: Consent must be freely given
Consent that is not freely given will be invalid under the GDPR. This means that a data subject (the individual to whom the personal data relates) must be able to refuse their consent without being penalised and must be able to withdraw their consent at any time.
3: Consent must be specific and informed
Schools need to obtain separate consent for different processing arrangements. For example, if a parent has consented for their child’s picture to be used on the school website, this cannot be used to infer that a parent consents for their child’s picture to be used in a school newsletter – the school must obtain consent for both processing activities.
When asking for consent, schools must outline exactly what is being consented to, i.e. why the data is being used and how the data will be used. If any of the purposes for processing or processing activities change after consent is obtained, the consent will need to be refreshed. Consent requests should also let the data subject know that they have the right to withdraw their consent at any time, and how this can be done.
If the school will be outsourcing the data to a third party, this needs to be made clear when requesting consent. For example, if a school operates a parent text message service, they might send parents’ contact information to a third party who runs the message service – in this case, the school, when obtaining consent, must inform parents that their data will be shared with a third party.
4: Pre-ticked opt-in boxes are banned
For consent to be valid, it must be obvious that the individual has consented and that they know what has been consented to; therefore, consent must be unambiguous and a positive indication of agreement. Consent cannot be inferred from silence, inactivity or pre-ticked boxes. Additionally, all consent must be obtained on an opt-in basis – no more ‘tick to opt-out’ boxes.
For example, if a school wishes to use pictures of their staff on the school website, staff must provide an unambiguous indication that they consent to their picture being used – this could be done by the signing of a consent form.
5: Consent needs to be kept under review
The GDPR does not specify that consent is only valid for a certain time; however, it is likely that it will degrade over time – how long the consent lasts depends on the context.
If the reason for processing or the way in which processing occurs changes, the original consent that was obtained is likely to no longer be specific or informed enough. If these factors do change, the school will need to obtain new consent or identify another lawful basis to process the data.
Parental consent will always expire when the child reaches the age at which they can consent for themselves; therefore, schools will need to review and refresh consent as appropriate.
6: Consent can be withdrawn
Under the GDPR, data subjects can withdraw their consent at any time. If this happens, schools need to cease the processing of that subject’s data as soon as possible, unless there is another lawful basis to process the data.
If an individual withdraws their consent, this does not affect the lawfulness of any processing that took place while their consent was in force; it only stops further processing from the point of withdrawal.
7: Parental consent will likely be needed for pupil data
The GDPR does not specifically prescribe the age at which a person is considered to be a child. The general rule in the UK for processing children’s data is that the school should consider whether the child has the competence to understand what they are consenting to. Where the child is assessed as not having this competence, parental consent must be obtained. Where a child is assessed as competent to consent for themselves, schools should ensure any requests are written in easy-to-understand language.
Young children, such as children in primary school and at the start of secondary school, are unlikely to have the competence to consent to the processing of their data, so schools are likely to need consent from parents to process pupil data.
The ICO is developing further guidance on the processing of children’s data.
Changes schools should make to their practice
When obtaining, recording and managing consent, schools should make sure:
- Their request for consent is specific about why they want the data, what they will do with the data, if the data will be outsourced to a third party, and that the data subject has the right to withdraw their consent at any time.
- The request for consent asks people to actively opt in.
- Wherever possible, they give granular options to consent separately to different purposes and different types of processing.
- Records are kept to evidence consent, including who consented, when, how, and what they were told.
- It is easy for the data subject to withdraw their consent at any time – ensure they are told how to withdraw.
- Consents that have been obtained are kept under review and are refreshed if any of the processing reasons or activities change.
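The checklist above, together with points 3, 5, 6 and 7, amounts to a small specification for a consent register: one record per purpose, the evidence of who consented, when, how and what they were told, withdrawal that stops future processing without affecting earlier processing, consent that stops matching once the purpose or recipients change, and parental consent that lapses when the child can consent for themselves. The following is an added example written for this page, not code from TheSchoolBus or any school system; the class and field names, the purposes, the third-party names and the pupil and guardian identifiers are all constructed for illustration.

```python
"""Consent register (added example, not from the original guidance).

Models the consent rules described on the page as checkable logic so that a
record of consent can be kept and validated per purpose. All names and sample
data below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Purpose:
    """One processing purpose the school asks consent for."""
    purpose_id: str
    description: str                      # what the data subject is told the data is for
    third_parties: Tuple[str, ...] = ()   # recipients disclosed when consent is sought
    version: int = 1                      # bumped whenever the purpose or processing changes


@dataclass
class ConsentRecord:
    """Evidence of one consent: who, when, how, and what they were told."""
    subject_id: str
    given_by: str                         # the subject themselves, or a parent/guardian id
    purpose_id: str
    purpose_version: int                  # the purpose definition that was consented to
    given_on: date
    method: str                           # e.g. "signed paper form", "online opt-in"
    info_shown: str                       # the wording presented when consent was sought
    withdrawn_on: Optional[date] = None


class ConsentRegister:
    def __init__(self, purposes: List[Purpose]) -> None:
        self.purposes: Dict[str, Purpose] = {p.purpose_id: p for p in purposes}
        self.records: List[ConsentRecord] = []

    def request_text(self, purpose_id: str) -> str:
        """Wording for a consent request: the purpose, any recipients, and the right to withdraw."""
        p = self.purposes[purpose_id]
        text = f"We would like to use your data to: {p.description}."
        if p.third_parties:
            text += " It will be shared with: " + ", ".join(p.third_parties) + "."
        return text + " You may withdraw this consent at any time by contacting the school office."

    def record_consent(self, subject_id: str, given_by: str, purpose_id: str,
                       given_on: date, method: str) -> ConsentRecord:
        """Store an opt-in for ONE purpose; consent for another purpose is never inferred."""
        p = self.purposes[purpose_id]
        rec = ConsentRecord(subject_id, given_by, purpose_id, p.version,
                            given_on, method, self.request_text(purpose_id))
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose_id: str, on: date) -> bool:
        """Withdraw the active consent for one purpose only; other purposes are untouched."""
        rec = self._latest(subject_id, purpose_id)
        if rec is None or rec.withdrawn_on is not None:
            return False
        rec.withdrawn_on = on
        return True

    def change_purpose(self, purpose_id: str, description: Optional[str] = None,
                       third_parties: Optional[Tuple[str, ...]] = None) -> Purpose:
        """Any change to why or how data is used bumps the version, so earlier consents stop matching."""
        old = self.purposes[purpose_id]
        new = replace(old, version=old.version + 1,
                      description=old.description if description is None else description,
                      third_parties=old.third_parties if third_parties is None else third_parties)
        self.purposes[purpose_id] = new
        return new

    def _latest(self, subject_id: str, purpose_id: str) -> Optional[ConsentRecord]:
        matches = [r for r in self.records
                   if r.subject_id == subject_id and r.purpose_id == purpose_id]
        return matches[-1] if matches else None

    def has_valid_consent(self, subject_id: str, purpose_id: str, on: date,
                          competent_from: Optional[date] = None) -> bool:
        """Is there consent covering processing on date `on`?

        `competent_from` is the (assessed) date from which the child can consent for
        themselves; parental consent is treated as expired from that date.
        """
        rec = self._latest(subject_id, purpose_id)
        if rec is None or rec.given_on > on:
            return False                      # never asked, or not yet given on that date
        if rec.withdrawn_on is not None and on >= rec.withdrawn_on:
            return False                      # withdrawn; processing before that date stays lawful
        if rec.purpose_version != self.purposes[purpose_id].version:
            return False                      # purpose or processing changed: consent must be refreshed
        if rec.given_by != subject_id and competent_from is not None and on >= competent_from:
            return False                      # parental consent has lapsed
        return True


def build_sample_register() -> ConsentRegister:
    """Constructed sample: pupil P001, whose guardian G001 consented to one purpose only."""
    reg = ConsentRegister([
        Purpose("website_photo", "show your child's photo on the school website"),
        Purpose("newsletter_photo", "show your child's photo in the school newsletter"),
        Purpose("sms_service", "send you text-message updates",
                third_parties=("ExampleText Ltd (constructed name)",)),
    ])
    reg.record_consent("P001", "G001", "website_photo", date(2018, 6, 1), "signed paper form")
    return reg
```

The register deliberately has no way to create a consent without a purpose, a method and the wording shown, so the evidence the checklist asks for is captured at the moment consent is given rather than reconstructed later. Checking the sample register for `newsletter_photo` returns no consent even though `website_photo` was consented to, which is the granular-consent rule from point 3 made mechanical.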
Schools should review their processes for obtaining, recording and managing consent to ensure they are compliant with the GDPR in time for May. Any consent obtained under the DPA should also be reviewed as it will need refreshing if it doesn’t meet the GDPR standards.
Consent isn’t the only area of a school’s data protection practices that will need to be amended to ensure they are in line with the GDPR. Our GDPR: School Survival Guide outlines the ways in which the GDPR will affect schools and how schools can prepare.
Our GDPR Data Protection Policy outlines GDPR-compliant data protections procedures that schools should implement in time for May 2018.
Our GDPR Document Checklist: What do Schools Need? is designed to help schools become GDPR-compliant, ensuring that you have all the necessary documents in place ahead of May 2018 – whether that be a data protection impact assessment (DPIA) template, a role descriptor for a data protection officer (DPO), or privacy notices for pupils and staff.