The Information Commissioner’s new guidance on Consent under the General Data Protection Regulation contains some useful guidance for universities and colleges in particular.
On the question of which legal bases are available to universities and colleges – in particular whether they are included within the GDPR’s disapproval of consent and legitimate interests being used by “public authorities” – the previous advice remains, that “[public task] is likely to give [public authorities] a lawful basis for many if not all of [their] activities”. However this is now qualified by the requirement that such activities must be “to perform your official functions as set down in UK law” (p.22) confirming our earlier analysis that where universities and colleges are performing functions that are not “set down in UK law”, the other five legal bases remain available, in the same way (and for the same functions) as for any other organisation.
In the light of the GDPR’s stricter conditions on consent, the guidance repeatedly mentions legitimate interests as an alternative, that will “help ensure you assess the impact of your processing … and consider whether it is fair and proportionate” (p.32). This might apply in particular where an activity will benefit an individual so much that they do not really have a free choice, and it is more appropriate to expect the data controller to assess and minimise any harmful side effects. However the guidance does confirm that a decision does not have to be completely neutral for the individual’s consent to be valid – “it may be possible to incentivise consent to some extent” (p.26).
As discussed at Jisc’s GDPR conference last year, there has been confusion between the ethical requirement for consent when doing research on human subjects and the legal basis for the data processing. The ICO confirms that these are “entirely separate” (p.33) and that a requirement to gain ethical consent does not mean that legal consent is either appropriate or even possible. As above, legitimate interests – with its extra requirement on researchers to manage risks – may be an alternative.
Finally, where consent is used, page 40 suggests how to think about renewing it. The guidance recognises that situations vary greatly, but suggests as a starting point that consent should be “refreshed” every two years. The requirement to consider “how disruptive repeated consent requests would be to the individual” sounds like an encouragement to refresh consent through normal communications, rather than a repeat of the re-consenting frenzy that has occurred over the past month.