UK GDPR: seeking consent for processing personal data

Use our guidance to help you decide whether you need to seek consent for processing personal data under the UK GDPR. If you do, download our template consent forms, or use our checklist to make sure your own forms meet the requirements.

Last reviewed on 26 October 2023
School types: All
School phases: All
Ref: 34308
Contents
  1. Find out when you need to seek consent 
  2. Ask yourself these questions to work out if you need to seek consent
  3. If you do, download our template consent forms
  4. Use our checklist to create your own UK GDPR-compliant form 
  5. Refresh consent when appropriate
  6. What to do when consent was mistakenly sought
  7. Brief your team on data protection 

This article is based on guidance from the Information Commissioner's Office (ICO): 

Find out when you need to seek consent 

In short, probably not very often

Under the UK General Data Protection Regulation (UK GDPR), you need to have a ‘lawful basis’ (legal reason) for processing personal data.

Consent is only 1 of the 6 lawful bases you can use.

Only use consent if none of the other lawful bases apply 

There are a lot of criteria to meet to make sure consent is genuine and valid, and that individuals can say no or withdraw their consent at any time. 

This could cause you problems – what if you asked a parent whether they want to receive any communications from the school, and they opted out? You'd still need to record their details and contact them, as you're legally required to report to them on their child's progress, but you've unfairly given them the illusion of control.

So, before choosing consent, work through the other 5 lawful bases and decide if any apply instead. If they do (and they're likely to), it will make your life easier. If the other bases don't apply, you'll have to follow the rules in this article to seek consent.

Examples where you WILL need to seek consent

These will usually be situations where you want to use personal data for things like fundraising, marketing and promotional activities. Examples where you'll probably need consent include:

  • Using names, photos, videos or other identifying information about pupils on your school’s website, in your school's newsletter, or other promotional material
  • Sending marketing material to prospective parents
  • Sending fundraising requests to alumni

You must seek parental consent if you're processing pupils' biometric data, such as their fingerprints. This is required by legislation separate from the UK GDPR – read more in our other article.

Examples where you WON'T need to seek consent

Situations covered by other lawful bases include:

  • Sharing child protection concerns and records with the appropriate people or agencies
  • Submitting census data to the DfE
  • Sharing assessment data with other teachers, to allow you to moderate work
  • Holding parents’ contact details, as you’re required to do this. However, if you want to contact them for reasons beyond your legal obligations (for example, about fundraising activities), you’ll likely need to seek consent

Ask yourself these questions to work out if you need to seek consent

If you do, download our template consent forms

Use these forms, which cover the situations where you're most likely to need to seek consent for processing personal data.

Before you use them, make sure you’ve asked yourself the questions in the grey box above, to make sure consent is the most appropriate lawful basis.

We'd like to thank our associate education expert, Mark Trusson, for his help making these. They've been approved by Forbes Solicitors.   

KeyDoc: consent form for parents for processing pupils' personal data DOC, 192.5 KB
KeyDoc: consent form for pupils for processing data DOC, 194.0 KB
KeyDoc: consent form for contacting parents DOC, 186.5 KB
KeyDoc: consent form for using staff images DOC, 181.5 KB
KeyDoc: consent form for processing governors' personal data DOC, 183.0 KB
KeyDoc: consent form for contacting alumni DOC, 180.5 KB

We've also created a generic form you can download and adapt:

KeyDoc: consent form (generic) DOC, 177.0 KB

Use our checklist to create your own UK GDPR-compliant form 

If none of our template consent forms above are relevant to your situation, you can use our checklist to help create your own form to seek genuine, valid consent. 

When you’re seeking consent from anyone, you must:

  • Offer genuine choice and control
  • Be clear and concise, so they can understand exactly why you want to process their data
  • Allow them to positively opt in – you can’t use pre-ticked boxes, or any other method of consent by default
  • Seek a very clear and specific statement of consent
  • Be specific – vague or blanket consent isn’t enough
  • Separate consent requests from other terms and conditions
  • Tell them how they can withdraw their consent if they want, and make it easy for them to do this
  • Keep evidence of consent

KeyDoc: checklist for seeking consent DOC, 209.0 KB

Refresh consent when appropriate

Keep consents under review

There are no rules on when you must refresh consent.

However, you should keep your consents under review, as you'll need to refresh them if anything changes that would mean the original consent isn't specific or informed enough – for example, if your way of processing individuals' data or your purposes for processing it change.

Additionally, if you're relying on parental consent, this won't automatically expire once their child reaches the age at which they can consent for themselves, but you may need to refresh consent more regularly at this point.

If you're in any doubt about whether consent is still valid, you should refresh it.

Consider automatic refreshers at appropriate intervals

Whether you decide to do this will depend on:

  • People's expectations
  • Whether you're in regular contact with the individuals
  • How disruptive repeated consent requests would be to the individuals

If in doubt, the Information Commissioner's Office recommends you consider refreshing consent every 2 years.

You could also consider sending occasional reminders to individuals of their right to withdraw consent and how to do so.

What to do when consent was mistakenly sought

If you asked for consent from someone to use their personal data, and you later find out that another lawful basis would be more appropriate for 1 or more of these tasks, then:

  • Review your privacy notice to see if it needs updating
  • Send a letter to everyone you asked for this consent from, including those who didn't give their consent, explaining the situation and that you no longer require their consent to carry out the relevant task(s)

Use our template letter to help with this:

KeyDoc: letter following mistaken consent request DOC, 173.0 KB

This is based on advice we were given by Forbes Solicitors.

Brief your team on data protection 

Get staff up to speed with all things UK GDPR with our training materials, designed to help you deliver 30-minute sessions on: 

Sources

Mark Trusson is a headteacher and National College-accredited school improvement partner. He has previously served as the principal and director of a multi-academy trust, and has expertise in the innovative use of ICT with pupils and leading church schools.
