'Consent' is one of the legal grounds that organisations, such as ourselves, can use to make sure processing personal data is lawful. Under the previous Data Protection Act 1998, we asked our citizens and service users for their consent for us to process their personal data in a wide variety of situations. We did this for almost all situations - other than where we were acting as a regulatory or investigatory body.
Under the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, there is now a fundamental change to our approach.
Under the new legislation, in the vast majority of situations, 'consent' will no longer be the legal basis under which we process personal data.
This has caused some confusion because in many cases we will still be seeking an individual's consent for us to provide the service to them.
This support guide will explain the difference between 'consenting to processing of personal data' and 'consenting to service delivery'.
1. Legal basis for processing - key points
· Consent under GDPR is much stricter than consent under the Data Protection Act 1998.
· Consent now has to be freely and positively given and must be separate from any other aspects the person is agreeing to.
· Consent must also be freely given.
Guidance on GDPR makes it clear that consent is unlikely to be the appropriate legal basis for public authorities such as the council. There are a number of reasons for this, but essentially it is because members of the public do not generally have any real choice - if you want to access the public services we provide in the City of Glasgow, in effect you have no choice but to come to us.
And in reality, in most cases, we cannot provide services to people without using their personal information so it could be seen as misleading to ask for consent to use of personal data where we cannot provide the service without using the data.
Therefore, Services and ALEOs analysing the personal data they use have been encouraged to look for alternatives to consent as the legal basis for processing. In most cases, we will instead be processing personal data because it is necessary for us to do so in order to carry out tasks in the public interest.
For example, we need to process the data to carry out our statutory functions.
There are a number of other legal justifications, such as processing which is necessary for performance of a contract with the data subject, but the public task/statutory function ground would appear to be the most common.
2. Consenting to us providing a service
Apart from regulatory and enforcement activity, we do not generally provide services to people who do not want us to provide that service to them.
· We do not force children to attend our schools. Children can be educated privately or at home.
· We do not force homeless people to attend the homelessness assessment centre.
This element of choice, as to taking or leaving a service which we offer, has however led some people into thinking that the processing of personal data associated with the elective service must somehow need to be based on consent. This is not correct.
A person may or may not take up our services, but if they choose to do so then in many cases it will be necessary for us to process their personal data in order to provide that service.
If you choose to send your child to a Glasgow school then that is your choice - but having chosen to do so, we must by law hold the appropriate school pupil record on your child in order to carry out our functions as Education Authority for the city. If this processing were stated as being on the basis of consent, this would imply that it was possible to have your child at one of our schools without us being allowed to process their personal data.
Clearly we cannot have a pupil at a school without holding information on that pupil so it is not possible to separate delivery of the service from the processing of personal data required to deliver that service.
In situations where we cannot deliver without using the data then consent cannot be the correct approach to processing personal data, even where the service is one which the customer has chosen to take up. Agreeing to take up an elective service is conceptually very different from the issue of what legal basis we rely on to justify processing the data to deliver the service.
In such cases, we should be advising people that if they choose to take up service A, then in order to provide that service to them we will need to do x, y and z with their personal information. This is not asking for their consent; it is, however, being open and transparent with them about what will happen to their data if they want to use the service.
3. Where consent to data processing may still be relevant
The guidance makes it clear that it is unlikely that consent will be the appropriate legal basis for public authorities to rely on. However, it does not shut the door entirely.
In a few areas consent will remain a valid basis for us to rely on.
To date the identified instances of this have all related to people consenting to a particular method of communication.
For example, opting in to receive a newsletter by email. However, there may be some others.