Last updated: 
2 weeks 6 days ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

ICO guidance on Consent and GDPR

Tuesday, June 5, 2018 - 11:24

The Information Commissioner’s new guidance on Consent under the General Data Protection Regulation contains some useful guidance for universities and colleges in particular.

On the question of which legal bases are available to universities and colleges – in particular whether they are included within the GDPR's disapproval of consent and legitimate interests being used by "public authorities" – the previous advice remains, that "[public task] is likely to give [public authorities] a lawful basis for many if not all of [their] activities". However this is now qualified by the requirement that such activities must be "to perform your official functions as set down in UK law" (p.22) confirming our earlier analysis that where universities and colleges are performing functions that are not "set down in UK law", the other five legal bases remain available, in the same way (and for the same functions) as for any other organisation.

In the light of the GDPR's stricter conditions on consent, the guidance repeatedly mentions legitimate interests as an alternative, that will "help ensure you assess the impact of your processing … and consider whether it is fair and proportionate" (p.32). This might apply in particular where an activity will benefit an individual so much that they do not really have a free choice, and it is more appropriate to expect the data controller to assess and minimise any harmful side effects. However the guidance does confirm that a decision does not have to be completely neutral for the individual’s consent to be valid – "it may be possible to incentivise consent to some extent" (p.26).

As discussed at Jisc's GDPR conference least year, there has been confusion between the ethical requirement for consent when doing research on human subjects and the legal basis for the data processing. The ICO confirms that these are "entirely separate" (p.33) and that a requirement to gain ethical consent does not mean that legal consent is either appropriate or even possible. As above, legitimate interests – with its extra requirement on researchers to manage risks – may be an alternative.

Finally, where consent is used, page 40 suggests how to think about renewing it. The guidance recognises that situations vary greatly, but suggests as a starting point that consent should be "refreshed" every two years. The requirement to consider "how disruptive repeated consent requests would be to the individual" sounds like an encouragement to refresh consent through normal communications, rather than a repeat of the re-consenting frenzy that has occurred over the past month.