Key points at a glance
- Consent must be unambiguous, freely given, specific and informed for each purpose for which the data is being processed, especially if the purposes evolve over time
- Must be ‘explicit’ for the processing of sensitive data, renamed special category data under GDPR. Explicit consent will require clear approval from the data subject e.g. a signed consent form.
- Obtained for each separate processing activity
- Data subjects will have the right to withdraw their consent at any time
- ‘Explicit’ consent must be received for transferring personal data outside the European Economic Area (EEA).
Consent within research
The GDPR will broadly replicate the current Data Protection Act 1998 (DPA). However, all researchers will need to consider the different types of processing they carry out as part of this activity to ensure compliance.
Researchers can still rely on consent as a legal basis to process personal data for their research, but a data subject must be given an easy way to withdraw it. Consent must still be ‘explicit’ for the processing of sensitive data, renamed special category data under GDPR. A data controller will need to demonstrate that such consent has been given.
UCL will continue to be a Data Controller under the GDPR for all personal data processed for UCL led research. In most circumstances students are responsible for ensuring that their research involving living, identifiable individuals complies with the requirements of the DPA and, from May 2018, the GDPR.
As with the DPA, the GDPR will require data controllers to have a legitimate reason for processing personal data. If researchers are to rely on the consent of the data subject, they must be able to demonstrate that it was unambiguous, freely given, specific and informed for each purpose for which the data is being processed. The consent can be given in writing (including electronically), or as an oral statement. The GDPR provides some clarity:
This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data.
Silence, pre-ticked boxes or inactivity should therefore not constitute consent.
It is important to ensure that consent is obtained for each separate processing activity. Consent will not be valid if several purposes have been unnecessarily bundled together so that an individual has to accept all of them or none of them.
For example, retention of contact details to invite participants to take part in future research is a distinct processing activity from the initial research, and therefore separate consent must be obtained. Likewise, use at a conference of images of participants collected as part of a research study is also a separate processing activity, and individuals should not generally have to consent to this just to take part in the research study.
Under the GDPR data subjects will have the right to withdraw their consent at any time. Mechanisms should therefore be in place to ensure that the process is both simple and effective. They should also be informed of this right prior to giving their consent.
How long does consent last?
The GDPR is not specific about how long consent should last. However, any consent is likely to degrade over time, and how long it will last will depend upon the context of the original consent. Some research activities may also develop over time, and it will remain important to ensure that personal data is not processed for purposes that go beyond the consent obtained; the consent should therefore be kept under review. There must be a clear affirmation of consent: it cannot be inferred from a failure to object to further uses beyond what was originally specified. It is unlikely to be compliant to claim that one-off consent remains valid several years after it was obtained if the research is continuing. Consideration should therefore be given as to how consent can be revisited.
The GDPR largely preserves the current DPA with regard to overseas transfer of personal data. For example, it prohibits transfers of personal data outside of the EEA unless certain conditions are met (adequacy).
Researchers should review their intended flows of personal data outside of the EEA, and consider what mechanisms they have in place to comply with the GDPR. For example, does the intended transfer involve a country which has an adequacy decision (deemed acceptable by the EU), or, if based in the USA, an organisation which has joined the EU-US Privacy Shield?
If you are intending to transfer personal data outside the EEA and the country has not been deemed to offer an adequate level of protection, you will need to ensure that the transfer meets one of the other requirements of the GDPR, such as the use of standard contractual clauses or binding corporate rules (BCRs). Derogations (exemptions) are also permitted under limited additional circumstances; explicit consent is one such derogation. If you know at the outset of your research that you intend to transfer personal data to another country, you should inform data subjects of this and, where necessary, seek consent.