The Information Commissioner’s Office has released draft guidance for managing consent under the General Data Protection Regulation that says that public authorities will find it hard to get valid consent – but should be able to use other methods to process data.
Public authorities will have to rely on other legal ways of data processing, as gaining consent could be hard – Photo credit: Flickr, Sebastian Wiertz, CC BY 2.0
The European Union’s GDPR comes into force in May 2018 and the ICO is releasing a series of topic-specific guidance documents to help organisations prepare.
The first of these, on consent, was published yesterday and looks at the changes between the GDPR and the existing Data Protection Act, which will be superseded by the new regulation.
There is an increased focus on the rights of the individual in the GDPR compared to the DPA, with the ICO’s interim head of policy and engagement Jo Pedder saying that the GDPR “sets a high standard for consent”.
This includes more specific rules on how consent for data processing activities is gained, which cover the need for people to be offered granular options for consent and for those options to be unbundled from other terms and conditions.
Pedder said: “Basing your processing of customer data on GDPR-compliant consent means giving individuals genuine choice and ongoing control over how you use their data, and ensuring your organisation is transparent and accountable.”
The draft guidance emphasises that consent is only appropriate “if you can offer people real choice and control over how you use their data”.
This might be in situations where the data can be legally processed anyway – in this case offering an opt-in consent for people would be misleading, the ICO said, as their data will be used anyway.
Another area where it is hard to offer true consent to individuals is when the organisation is in a position of power, which the ICO said would include employers and public authorities.
“Consent will not usually be appropriate if there is a clear imbalance of power between you and the individual,” the guidance said.
“This is because those who depend on your services, or fear adverse consequences, might feel they have no choice but to agree – so consent is not considered freely given. This will be a particular issue for public authorities and employers.”
The ICO said that public authorities – or other organisations in a position of power – should look for another basis for processing data, such as ‘performance of a public task’.
This means that, if public bodies need to process personal data in order to carry out official functions or a task in the public interest – and have a legal basis for the processing under UK law – they can.
“If you are a UK public authority, our view is that this is likely to give you a lawful basis for many if not all of your activities,” the ICO said.
However, the authority will need to justify why the processing is necessary to carry out its functions, and demonstrate that there is no less intrusive alternative.
“And, as always, you will need to ensure you are fair, transparent and accountable,” the ICO said.
The draft guidance sets out a number of recommendations for organisations, which include using clear, concise and specific wording in consent requests, and relying only on positive opt-in – not pre-ticked boxes or “consent by default” methods.
Any third parties that will rely on consent must be named and it must be clear and easy for people to withdraw consent, the ICO said.
In addition, organisations are told to keep evidence of consent and keep the processes under review.
The consultation document asks whether the guidance is clear, if it contains the right level of detail and if it covers the right issues about consent under the GDPR. It also asks for examples of good or bad practice that could be used in the final document.
It is open for responses until March 2017 and the final guidance will be published in May 2017. Pedder added that the ICO would issue a call for evidence to get a better idea of the technical solutions available for obtaining and managing consent later in the year.