Under the GDPR, there are six lawful bases for processing data, one of which is consent – schools must be able to justify their processing with at least one of these bases.
This guidance outlines the key information schools need to know to ensure their consent procedures are compliant with the GDPR.
Seven things schools need to know about consent
1. Consent isn’t always needed
It is often assumed that you must always have consent to be able to process personal data – this is not true. Consent is only one of six lawful bases and, in the case of schools, consent is not likely to be required for the core operations of running the school. Consent is, however, likely to be required for non-core operations, such as marketing.
Consent is the most appropriate lawful basis to use when you want to offer individuals a genuine choice over how you use their data. For example, consent would need to be obtained where the school wishes to use pupils’ photographs in a school magazine – there is no other lawful basis to process this data; therefore, consent must be obtained.
If you cannot offer a genuine choice over how the school uses an individual’s data, then consent is not the appropriate processing basis – this may be the case in the following instances:
- You would still process the data on a different lawful basis if consent was refused or withdrawn
- You ask for consent to the processing as a precondition of a service the school offers
- You are in a position of power over the individual – this predominantly affects public authorities and employers processing employee data
For example, consent would not need to be obtained to process data that the school provides to the DfE as part of the census data collection – this is a legal obligation; therefore, the data can be processed lawfully without consent.
2. Consent must be freely given
Consent that is not freely given is invalid under the GDPR. This means that a data subject must be able to refuse their consent without being penalised and must be able to withdraw their consent at any time.
If an individual withdraws their consent, you need to cease the processing of that subject’s data as soon as possible.
3. Consent must be specific and informed
For consent to be specific and informed, the following must be covered when obtaining consent:
- The identity of the school and any other third-party data controllers relying on the consent – you don’t need to name your processors in consent requests
- All purposes for which you are seeking consent – where possible, these should be granular
- The exact processing activities that are being consented to – where possible, you should provide granular consent options for each separate processing type
- The individual’s right to withdraw their consent at any time and how to do so
The rules around consent requests are separate from your transparency obligations under the ‘right to be informed’ – these should be covered by privacy notices.
Any requests for consent must be written in easy-to-understand, age-appropriate language. Requests that use vague, sweeping or difficult-to-understand language will be invalid; so, make sure your requests are clear and concise, and don’t use any double negatives or inconsistent language.
4. Pre-ticked opt-in boxes are banned
For consent to be valid, it must be obvious that the individual has consented and that they know what has been consented to; therefore, consent must be unambiguous and a positive indication of agreement. Consent cannot be inferred from silence, inactivity or pre-ticked boxes. Additionally, all consent must be obtained on an opt-in basis – no more ‘tick to opt-out’ boxes.
For example, if a school wishes to use pictures of their staff on the school website, staff must provide an unambiguous indication that they consent to their picture being used – this could be done by the signing of a consent form.
5. You must keep clear records of consent
You must keep records that demonstrate who consented, when, how, what they were told at the time of consent, and if they have withdrawn their consent and when. Consent records need to be specific and granular to demonstrate exactly what the consent covers.
6. Consent needs to be kept under review
There is no set time limit for consent – it is likely to degrade over time, but how long it lasts depends on the context.
If the reason for processing or the way in which processing occurs changes, the original consent that was obtained is likely to no longer be specific or informed enough. If these factors do change, the school will need to obtain new consent or identify another lawful basis to process the data. Make sure consent reviews are built into your school’s processes.
Parental consent will not automatically expire when pupils reach an age at which they can consent for themselves; however, you should ensure consent is refreshed more regularly for the use of pupil data.
7. The consent age for pupils can vary
The only age of consent that is legislated for is for online services requested and delivered over the internet for children – the age of consent for this is 13.
For all other consent-based processing, the school must decide what an appropriate age of consent is on a case-by-case basis.
Remember, for consent to be valid, the consenter must understand what they are consenting to. If you think a child wouldn’t understand what they are consenting to, then you should obtain parental consent.
Changes schools should make to their practice
You need to ensure your school’s consent mechanisms meet the standards of the GDPR – the key new points are:
- Consent needs to be unbundled from any other terms and conditions you use in school
- Make sure you’re using unticked opt-in boxes, or similar methods, when obtaining consent
- Give individuals distinct options to consent separately to different processing activities
- When obtaining consent, name the school and any other third-party data controllers who are relying on the consent
- Keep records of consent to demonstrate what has been consented to, when, how and what the individual was told
- Make sure individuals know they have the right to withdraw their consent at any time and how they can do this
- Remember, consent will not be freely given if there’s an imbalanced relationship between the school and individual – this makes consent especially difficult for public authorities and employers
You don’t need to refresh all existing consent obtained under the Data Protection Act 1998, but it’s vital to check your processes and records to ensure they meet the GDPR standards – if they don’t, they will need to be changed.
Consent will be invalid if:
- You have any doubts over whether an individual has consented.
- The individual does not realise they have given consent.
- You don’t have clear records of consent.
- There was no genuine free choice.
- The individual would be penalised for refusing consent.
- There is a clear imbalance of power between the school and the individual.
- Consent was a precondition of service and the processing isn’t necessary for that service.
- Consent was bundled with other terms and conditions.
- The request for consent was vague or unclear.
- You used pre-ticked opt-in boxes or other default consent methods.
- The school was not specifically named in the consent request.
- You did not inform individuals about their right to withdraw consent and it is not easy to withdraw.
- Your purposes or activities have evolved beyond the original consent.
If any of the above apply, consent is invalid, and you need to reobtain the consent, use another lawful basis or cease that processing activity.