Consent in the GDPR
Consent is not a new concept and has been a core part of data protection & privacy laws for decades. However the GDPR raises the bar considerably on 'conditions for processing' personal data.
Simply put, 'consent' means obtaining clear permission to hold and process a person's data for a specific use. Although it is already required, practices such as 'opt out' have become common-place, e.g. pre-ticked checkboxes to receive marketing material, making it more of an assumption of consent rather than explicit permission. The GDPR is far more explicit about what constitutes consent and aims to entirely remove this kind of deception.
Article 7 GDPR Conditions for consent
As a school, do I need to worry about consent?
It's important to understand that you need a lawful basis with which to process data and 'consent' is an option with which to do that but it might not be the most appropriate. You should choose the lawful basis that most closely reflects your relationship with your data subjects and the use of their data. Since you cannot operate as a school unless you process student data, asking (i.e. giving an option) for consent would be meaningless. In this case, school/parent agreements or employment contracts provide a lawful basis (contractual necessity) with which to hold and process their personal data.
However, you cannot automatically use this as a lawful basis to then piggyback other activities, like sharing data with 3rd parties. As an example, a school event organised by another company that requires the use of your student, parent or staff data may require specific consent.
Lawful basis and conditions for processing
Aside from consent, lawful basis for processing personal data include:
- Contractual necessity (minimum data needed in order to provide the service)
- Compliance with legal obligations (apart from contractual obligations)
- Vital interests (protecting someone's life)
- Legitimate interests (e.g. a company may need to pass on details to a debt collection company if the customer decided to evade payment).
- Public Interest (e.g. background checks for anyone working with children)
It's important to understand that processing data based on consent alone is relatively weak. The Data subject can withdraw it at anytime and unless you have another legal basis with which to process that data, you will have to delete it.
In terms of sensitive data, consent must be explicit. For example, if you wish to use a data subject's medical data you will need to seek specific consent for its use.
Again, consent is not the only lawful or necessarily appropriate way to process sensitive data. Employment law, Vital Interests, Legal claims, Data already made public by the data subject themselves are all legally acceptable reasons for processing sensitive data, as long as that processing is necessary.
ARTICLE 6 GDPR: Lawfulness of processing
Processing must also be 'necessary'
Stating a use for processing data in an agreement or contract is not enough without proving that the processing of that data is 'necessary'. For instance, this includes outsourcing a HR function that can reasonably be done internally. This will require formal 'consent' from the employee as a lawful basis, since outsourcing this processing was not strictly necessary.
In practice, you will still need to need to be clear and concise about your use of personal data and seek consent for any use outside the standard school agreements with students, parents or staff.
Guardians have a legal obligation called Parental Responsibility for the child up to the age of 18 (in most cases). Under the GDPR, although parental consent will be required for children under 16 (or 13 for countries like the UK), 'Parental Responsibility gives parents the right and duty to manage consent for the child while at school.
This means telling parents:
- exactly what they are agreeing to, very clearly. This means consent should not be hidden away in 'terms and conditions' which, for example, might contain a small line that suggests you may share people's data with 'trusted 3rd parties'.
- all consent must be affirmative and unambiguous - in other words, nothing that looks like 'opt out'. You must also collect proof of consent and be able to show that you have this explicit permission to use each person's data for a specific use. Vague catch-all consent will not do;
- providing control. Where appropriate, You must make people aware that they can withdraw consent and give them an easy way to do so at any time.
ARTICLE 8 GDPR: Conditions applicable to child's consent in relation to information society services.
If you already collect consent you should conduct a review of your data collection process to ensure it complies with the GDPR. You may find you do not need to do anything significant to get in line.
If for any reason you have used consent as a lawful basis with which to process personal data, you need to:
- make sure it was active and 'opt in' and not assumed consent,
- make sure there was enough clarity around the reason for consent and that you can show, in an audit, the reason for consent. (e.g. the text next to the checkbox describing what the consent is for)
- consent was not obtained for 'general use' e.g. data is then sent to multiple 3rd party services, even if they are providing a service directly to the school,
- providing a service was not conditional on consent unrelated to that service and
- make sure the data subjects are aware they can withdraw consent and do so easily.