You are here:
GDPR: seeking consent for processing personal data
- 1 When do you need to seek consent?
- 2 Template consent forms
- 3 Criteria and checklist for genuine, valid consent
- 4 Only re-seek existing consent where necessary
- 5 Refresh consent when appropriate
- 6 How to proceed when consent was mistakenly sought
We updated this article with a new template letter for if you've mistakenly sought consent in section 6 (2 August 2018)
This article is based on guidance from the Information Commissioner's Office (ICO).
When do you need to seek consent?
In short, probably not very often.
Under the General Data Protection Regulation (GDPR), you need to have a ‘lawful basis’ (legal reason) for processing personal data. Consent is one of 6 lawful bases you can use.
You should only use consent where none of the other bases apply.
The GDPR sets a high standard for consent. This means there are a lot of criteria to meet to ensure consent is genuine and valid, and individuals can say no or withdraw their consent at any time.
This could cause you problems – what if you asked a parent whether they want to receive any communications from the school, and they opted out? You would still need to record their details and contact them, as you're legally required to report to them on their child's progress, but you have unfairly given them the illusion of control.
So, before choosing consent, work through the other 5 lawful bases here and decide if any of those apply instead. If they do (and they are likely to), it will make your life much easier. If the other bases don't apply, you'll have to follow the rules in this article to seek consent.
You'll also need to re-seek consent if your existing consents don't meet the GDPR standard. We look at this in section 4 below (headed 'Only re-seek existing consent where necessary').
Age thresholds for consent
The GDPR does not define the age at which children can provide consent other than in the context of online services.
Read the requirements around age thresholds for consent, and follow good practice advice on seeking consent from pupils.
Examples where you WILL need to seek consent
You’ll only need consent in situations where none of the other bases apply. These will usually be situations where you want to use personal data for things like fundraising, marketing and promotional activities. Examples where you'll probably need consent include:
- Using names, photos, videos or other identifying information about pupils on your school’s website, in your school's newsletter, or other promotional material
- Sending marketing material to prospective parents
- Sending fundraising requests to alumni
Examples where you will NOT need to seek consent
You don't need to seek consent in situations that are covered by other lawful bases. For example:
- Sharing child protection concerns and records with the appropriate people or agencies
- Submitting census data to the Department for Education
- Sharing assessment data with other teachers, to allow you to moderate work
- Holding parents’ contact details, as you’re required to do this. However, if you want to contact them for reasons beyond your legal obligations (for example, about fundraising activities), you’ll likely need to seek consent
You also don't need to change how you ask for other types of consent, as the rules only apply to personal data. So don't worry about changing how you seek consent for:
- School trips
- Showing pupils a specific video in a lesson
- Pupils using specialist equipment e.g. in food technology or art
- After-school clubs
- After-school collection
Questions to ask to see whether you can use ‘consent’
- Have we checked that none of the other lawful bases can apply to the personal data we want to process?
If yes, proceed to the next question. If no, work through the other lawful bases.
- Can we offer a genuine choice to people about whether we process the data, or would we still process the data anyway?
If you can offer a genuine choice, proceed to the next question. If you would still process the data, for example because you're legally obliged to collect it, take another look at the other lawful bases as one is likely to be more appropriate.
- Do we require consent to data processing as a condition of a service? If so, is the consent necessary to provide that service?
If no, proceed to the next question. If yes, and the consent is essential to providing that service, look at the 'contract' lawful basis instead. If yes, and you could provide the service without the data processing, look at the other lawful bases instead.
- Are we in a position of power over the individual, where they are likely to feel that they have no choice but to consent?
If yes, consider another lawful basis (as public authorities, it’s likely that you're in a position of power). If you think consent would be freely given and there is no pressure to consent, then proceed to the next question.
- Are we asking for a child's consent?
If no, then great, you can use consent. Use the appropriate template form below to do so or if you're creating your own consent form, use the checklist below to make sure the consent you're seeking is genuine and valid.
If yes, you can still use consent but you need to be confident the child can understand the data protection implications. Consider asking for parental consent instead if you're unsure. As above, use one of our template forms below, or the checklist below if creating your own consent form.
In another article we look at how two schools collect and record consent to process pupil's personal data under the GDPR.
Template consent forms
We’ve created template consent forms to cover the situations where you’re most likely to need to seek consent for processing personal data, with the help of our associate education expert Mark Trusson and Forbes Solicitors.
Before you seek consent, make sure you’ve asked yourself the questions in the grey box above, to make sure it’s the most appropriate lawful basis.
We have also created a generic form for you to download and adapt.
Criteria and checklist for genuine, valid consent
The GDPR sets a high standard for consent, and there are rules to follow to make sure you’re obtaining genuine, valid consent, set out in the ICO's guidance. If none of our template consent forms above are relevant to your situation, you can use our checklist to help you create your own GDPR-compliant form.
The basic concept and role of consent under the GDPR remains similar to under the Data Protection Act 1998, but there are a few more requirements to meet.
When you’re seeking consent from people, you must:
- Offer genuine choice and control
- Be clear and concise, so people can understand exactly why you want to process their data
- Allow people to positively opt in – so you can’t use pre-ticked boxes, or any other method of consent by default
- Seek a very clear and specific statement of consent
- Be specific – vague or blanket consent isn’t enough
- Separate consent requests from other terms and conditions
- Tell people how they can withdraw their consent if they want, and then make it easy for them to do this
- Keep evidence of consent
Only re-seek existing consent where necessary
You’re not automatically required to refresh all your existing consents you obtained before the introduction of the GDPR.
However, you should use the above checklist to check your processes and records in detail, to make sure your existing consents meet the GDPR standard.
For example, if you ever used a pre-ticked box, or said “if you don’t respond, we’ll assume you have consented”, it’s likely you’ll need to re-seek this consent.
If existing consents don’t meet the standards, or are poorly documented, you have 3 options:
- Seek fresh consent – you can use our GDPR-compliant forms above
- See if there’s a different lawful basis that justifies your processing (and ensure continued processing is fair)
- Stop the processing
Refresh consent when appropriate
Keep consents under review
There are no rules on when you have to refresh GDPR-standard consent.
However, you should keep your consents under review, as you'll need to refresh them if anything changes which would mean the original consent isn't specific or informed enough, for example if your way of processing individuals' data or your purposes for processing it changes.
Additionally, if you are relying on parental consent, this won't automatically expire once their child reaches the age at which they can consent for themselves, but you may need to refresh consent more regularly at this point.
If you're in any doubt about whether consent is still valid, you should refresh it.
Consider automatic refreshers at appropriate intervals
Whether you decide to do this will depend on:
- People's expectations
- Whether you are in regular contact with the individuals
- How disruptive repeated consent requests would be to the individuals
If in doubt, the ICO recommends you consider refreshing consent every 2 years.
You could also consider sending occasional reminders of their right to withdraw consent and how to do so.
How to proceed when consent was mistakenly sought
If you asked for consent from someone to use their personal data, and you later find out that another lawful basis would be more appropriate for one or more of these tasks, then:
- Review your privacy notice to see if it needs updating
- Send out a letter to everyone you asked for this consent from, including those who did and didn't give their consent, explaining the situation and that you no longer require their consent to carry out the relevant task(s)
Use our template letter to help you with this:
This is based on advice we were given by our legal experts Forbes Solicitors.
Mark Trusson is a headteacher and National College accredited school improvement partner. He has previously served as the principal and director of a multi-academy trust, and has expertise in the innovative use of ICT with pupils and leading church schools.
More from The Key
Covering topics including differentiation, assessment, SEND and growth mindset, CPD Toolkit has been created by subject experts and tested by teachers to guarantee practical, engaging training that's also excellent value for money.
The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence.