Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Categories
Articles

ICO guidance on Consent and GDPR

The Information Commissioner’s new guidance on Consent under the General Data Protection Regulation contains some useful guidance for universities and colleges in particular.

On the question of which legal bases are available to universities and colleges – in particular whether they are included within the GDPR’s disapproval of consent and legitimate interests being used by “public authorities” – the previous advice remains, that “[public task] is likely to give [public authorities] a lawful basis for many if not all of [their] activities”. However this is now qualified by the requirement that such activities must be “to perform your official functions as set down in UK law” (p.22) confirming our earlier analysis that where universities and colleges are performing functions that are not “set down in UK law”, the other five legal bases remain available, in the same way (and for the same functions) as for any other organisation.

In the light of the GDPR’s stricter conditions on consent, the guidance repeatedly mentions legitimate interests as an alternative, that will “help ensure you assess the impact of your processing … and consider whether it is fair and proportionate” (p.32). This might apply in particular where an activity will benefit an individual so much that they do not really have a free choice, and it is more appropriate to expect the data controller to assess and minimise any harmful side effects. However the guidance does confirm that a decision does not have to be completely neutral for the individual’s consent to be valid – “it may be possible to incentivise consent to some extent” (p.26).

As discussed at Jisc’s GDPR conference last year, there has been confusion between the ethical requirement for consent when doing research on human subjects and the legal basis for the data processing. The ICO confirms that these are “entirely separate” (p.33) and that a requirement to gain ethical consent does not mean that legal consent is either appropriate or even possible. As above, legitimate interests – with its extra requirement on researchers to manage risks – may be an alternative.

Finally, where consent is used, page 40 suggests how to think about renewing it. The guidance recognises that situations vary greatly, but suggests as a starting point that consent should be “refreshed” every two years. The requirement to consider “how disruptive repeated consent requests would be to the individual” sounds like an encouragement to refresh consent through normal communications, rather than a repeat of the re-consenting frenzy that has occurred over the past month.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *