How to obtain and record consent

St Thomas C of E VA Primary School, Heaton Chapel

How to obtain and record consent

Change History
Author / Editor: Becky Swan
Details of Change: New Document
Date: 25.06.2018
Version: 0.1

Contents

1. Overview of consent
   - Definition
   - Key themes
2. When should consent be obtained?
3. Best practice when obtaining consent
   - How to obtain consent
   - Practical examples
4. How to record consent
   - Recording consent
   - Managing consent
5. Obtaining consent for the use of images
   - General
   - Staff images
   - Children's images
6. Consent from children
7. Lacking capacity to consent
8. Importance of gaining consent
9. Consent Flow chart

1. Overview of consent

Definition of consent

"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

Key themes

- Consent is offering individuals genuine choice and control
- It must be demonstrable
- Presented in a way which is clearly distinguishable from other information
- Easily accessible and understandable
- Written or explained in clear and plain language
- Clearly explain to the data subject who the data controller will be
- Name any third parties who will rely on the consent
- Clearly explain the purpose for processing the personal data
- Freely given by the data subject
- Must be as easy to withdraw consent as it was to give
- Must not rely on inactivity, silence or pre-ticked boxes
- Consent cannot be relied upon where there is a clear imbalance between the data subject and data controller
- Keep evidence of consent: who, when, how and what individuals were told

2. When should consent be obtained?

Understanding when to obtain consent can be complicated. Many people mistakenly believe schools must always obtain consent prior to processing personal data. This is not true: consent is only one of the GDPR's six conditions for processing, and it is recommended that consent is used where none of the other conditions apply. A lack of consent would not constitute a breach providing another condition can be met. As a reminder, below is a list of alternative GDPR conditions under Article 6:

- Necessary for contract
- Necessary for a legal obligation
- Vital interests
- Necessary for official authority / task carried out in the public interest
- Necessary for legitimate interest

Consent is not the easy option under GDPR; you may wish to rely on another legal condition if possible. If the processing of personal data is needed, consent should not be relied upon, as it would not be considered to be freely given. Where the subject has no genuine choice, consent would not be considered valid. If consent is requested and then declined, another condition cannot then be used. Please ensure there is not a more suitable option from the above list before pursuing the consent route.

It must be clarified that informing individuals how their personal data will be handled via a privacy notice does not constitute asking for their permission.

Schools can rely on consent where there is no imbalance of power and the parent, pupil or staff member has a genuine choice to consent to the processing of their personal data. In order to build trust and engagement, consent would be considered appropriate here.

It may be worth looking back retrospectively at where consent has been sought and ensuring this was gathered in line with the more recent GDPR provisions.

3. Best practice when obtaining consent

Unambiguous: we must ensure that the parents, pupils and staff members can easily understand what they are signing up for. When collecting the information there should be no doubt about the intentions. Schools must aim to use simple language and avoid using double negatives. For example, "I would like to receive emails from", or "please sign me up for email communications".

Statement or clear affirmative action: it is possible for parents, pupils and staff to show their consent with an action, as well as make a statement when giving their consent. There must be an active opt in as opposed to a pre-ticked box or consent by default, and the options given to the service users must be given equal importance.

Freely given: there must not be an imbalance between the data subject and data controller, for example in an employee/employer situation. Parents, pupils and employees must have a genuine free choice to consent. They must not be misled, intimidated or negatively impacted by withholding their consent. For example, "if you do not give your consent to the use of images your child cannot take part in the School production": this would not be compliant consent.

Specific: you must ensure that the information given, when requesting consent, covers all processing activities. It can be hard where there are multiple processing activities taking place. One catch all style consent document will not be specific enough.

Informed: a lack of clarity is a lack of valid consent. Parents, pupils and staff must be informed of the identity of the data controller and how/why their data will be processed. They should also be informed immediately how to withdraw consent. It should be as easy to withdraw as it was to give consent, ideally via the same method. For example, if consent were given online to receive marketing information, a sentence underneath advising "if you wish to stop receiving communications please follow this link".

To ensure parents, pupils and staff are thoroughly informed, any information relating to consent must not be hidden within pages of terms and conditions; it must be separated and presented in a way which is clearly distinguishable.

Granular: when requesting parents', pupils' and staff consent to a number of different processing activities, you will need to ensure you offer them the option to consent to each activity individually. Service users may wish to consent to some areas and not to others.

Examples of lawful consent

The following list gives practical examples of how service areas may seek to gain valid consent from parents, pupils and staff:

- Signing a consent statement in paper form
- Clicking an opt in button or link online
- Selecting from equally prominent yes/no options
- Responding to an email requesting consent
- Answering yes to a clear oral consent request
- Volunteering information for a specific purpose

However, there are some activities laid out by the ICO which should be avoided when gathering consent, such as:

- Avoid using opt out boxes
- If you are seeking consent for a number of processing activities, avoid using a catch all consent option; each type of processing should have its own individual opt in box
- Adopt a user-friendly method of obtaining consent. If, for example, a service user does not use the internet they must have an alternative option to consent/withdraw
- Do not force parents, pupils and staff to create online accounts and log in, in order to give their consent / withdraw consent

The ICO will consider that the quality of consent is not sufficient if it has in any way been retrieved due to inaction, via a pre-ticked box, opt out box or any other method which is deemed to have taken advantage.

4. How to record consent

Recording consent

When ensuring consent is valid under GDPR, the evidence needs to be recorded to demonstrate it was appropriately obtained. This includes making a note of the following criteria:

- Details of the parent, pupil or staff member who has consented
- When they consented
- How they consented
- The school details
- Any third parties who will rely on the consent
- Exact details of the information you provided to the individual at the time
- How to withdraw consent
- If it was passed on, when and how

The records must be specific enough to demonstrate exactly what information the consent related to, to avoid any confusion and ensure accurate audit trails.

Managing consent

Once we are satisfied we have recorded the correct information, we then need to continue to monitor the information in the following way:

- Regularly review to check the processing and purpose have not changed. It may be possible that over time the purpose of your activity evolves and the original purpose for which consent was sought is no longer accurate, in which case you would be acting outside of the data subject's consent and this would constitute a breach of the GDPR.
- Set reminders to refresh consent at appropriate intervals
- Act on withdrawals of consent as soon as possible. If, for example, the consent relates to marketing communications, we must ensure the personal data is removed from both the mailing list and the list of recorded consent to prevent any future issues occurring.
- Build regular consent reviews into business processes

5. Obtaining consent for the use of images

Consent must be sought if you are using images of people, as images still constitute personal data. However, a person must be clearly recognisable within the image; consent may not be needed where an individual is out of focus or has their back to the camera. This would need considering on a case by case basis.

Names should not accompany images for promotional literature. There are certain circumstances where names or other identifiable information can accompany images, for example where there has been a competition winner.

Staff members' consent would not be needed to store their photos for security reasons, for example to control building access, but if the school wished to use those images for any additional purposes they would need explicit consent.

Where images of children are being used, particular attention must be paid to the safety and consent of those children and parents. Schools must allow additional time when gathering consent for the use of children's images, as this process must be thoroughly explained and understood.

As with other forms of consent, good practice would be to keep images and consent forms together to demonstrate this has been obtained. It must be clear on the consent forms exactly what the images are being used for, and agree not to use them for any further activities. Extreme care must be taken to regain consent prior to using images for alternative projects.

6. Consent from children

Consent for children is expected to be clear and age appropriate. If services are offered directly to children, all information relating to consent or privacy notices must be written in a clear, plain way to ensure understanding.

If you offer online services (information society services) to children there are specific rules which must be followed. Children under 13 cannot consent themselves, and so a person holding parental responsibility must consent on the child's behalf. You therefore must consider having functions on internal systems to log and verify parental consent on behalf of a minor.

A child can consent to the use of online services after the age of 13, but as a general rule a child must have sufficient understanding and maturity to exercise their consent. A common sense approach will be adopted in the event a child or young person consents to the processing of their own data via the consent method.

Children can be less aware of risks to their safety and consequences of sharing their personal data, and so service areas must take extreme precautions when processing this type of data.

7. Lacking capacity to consent

Consent will be valid unless you have been made aware, or have reason to believe, the individual who consented lacks the capacity to do so. This must be judged on the capacity of the individual and on an individual basis.

8. Why is gaining consent so important?

Gaining the appropriate levels of consent can in turn improve the parents', pupils' and staff members' trust and engagement and will enhance the school's reputation. In turn, inappropriately using personal data or relying on invalid consent can seriously harm our reputation and trust from parents, pupils and staff, and result in fines or enforcement action from the ICO.

9. Practical list to follow in order to obtain consent lawfully

(this may be used as an easy guide for staff to reference when determining whether to use consent as a lawful condition, and how to obtain and manage that process)

1. Is consent the most appropriate of the 6 legal conditions? If the answer is yes move on to no.2
   - Necessary for contract
   - Necessary for a legal obligation
   - Vital interests
   - Necessary for official authority / task carried out in the public interest
   - Necessary for legitimate interest

2. Are you able to obtain consent in compliance with the GDPR? If the answer is yes move on to no.3
   - Offering individuals genuine choice and control
   - It must be demonstrable
   - Presented in a way which is clearly distinguishable from other information
   - Easily accessible and understandable
   - Written or explained in clear and plain language
   - Clearly explain to the data subject who the data controller will be
   - Name any third parties who will rely on the consent
   - Clearly explain the purpose for processing the personal data
   - Freely given by the data subject
   - Must be as easy to withdraw consent as it was to give
   - Must not rely on inactivity, silence or pre-ticked boxes
   - Consent cannot be relied upon where there is a clear imbalance between the data subject and data controller
   - Keep evidence of consent: who, when, how and what individuals were told

3. Can consent be accurately recorded? If the answer is yes move on to no.4
   - Who consented?
   - How did they consent? Via which method?
   - When did they consent?
   - A record of the information presented to them at the time
   - Any third parties involved?
   - How to withdraw

4. Can you remain compliant with data subject rights?
   - Right to withdraw consent
   - Right to have data removed after the agreed period of time
   - Right to be forgotten
   - Right to data portability
   - Ability to restrict data processing
   - Right to rectification
