Public authorities ‘will find using consent difficult’, says ICO GDPR guidance

Written by Rebecca Hill on 3 March 2017 in News
News

The Information Commissioner’s Office has released draft guidance for managing consent under the General Data Protection Regulation that says that public authorities will find it hard to get valid consent – but should be able to use other methods to process data.

Pen signing a form

Public authorities will have to rely on other legal ways of data processing, as gaining consent could be hard - Photo credit: Flickr, Sebastian Wiertz, CC BY 2.0

The European Union’s GDPR comes into force in May 2018 and the ICO is releasing a series of topic-specific guidance documents to help organisations prepare.

The first of these, on consent, was published yesterday and looks at the changes between the GDPR and the existing Data Protection Act, which will be superseded by the new regulation.

There is an increased focus of the rights of the individual in the GDPR compared to the DPA, with the ICO’s interim head of policy and engagement Jo Pedder saying that the GDPR “sets a high standard for consent”.

This includes more specific rules on how consent for data processing activities is gained, which covers the need for people to be offered granular options for consent and that they are unbundled from other tems and conditions.

Pedder said: “Basing your processing of customer data on GDPR-compliant consent means giving individuals genuine choice and ongoing control over how you use their data, and ensuring your organisation is transparent and accountable.”


Related content

ICO stresses importance of data protection post-Brexit
Same difference? How the GDPR will differ from the DPA – and what public servants need to do now


The draft guidance emphasises that consent is only appropriate “if you can offer people real choice and control over how you use their data”.

This might be in situations where the data can be legally processed anyway – in this case offering an opt-in consent for people would be misleading, the ICO said, as their data will be used anyway.

Another area where it is hard to offer true consent to individuals is when the organisation is in a position of power, which the ICO said would include employers and public authorities.

“Consent will not usually be appropriate if there is a clear imbalance of power between you and the individual,” the guidance said.

“This is because those who depend on your services, or fear adverse consequences, might feel they have no choice but to agree – so consent is not considered freely given. This will be a particular issue for public authorities and employers.”

The ICO said that public authorities – or other organisations in a position of power – should look for another basis for processing data, such as ‘performance of a public task’.

This means that, if public bodies need to process personal data in order carry out official functions or a task in the public interest – and have a legal basis for the processing under UK law – they can.

“If you are a UK public authority, our view is that this is likely to give you a lawful basis for many if not all of your activities,” the ICO said.

However, the authority will need to justify why the processing is necessary to carry out its functions, and demonstrate that there is no less intrusive alternative.

“And, as always, you will need to ensure you are fair, transparent and accountable,” the ICO said.

The draft guidance sets out a number of recommendations for organisations, which include the use of clear, concise and specific in their wording, and that they use only positive opt-in – not pre-ticked boxes or “consent by default” methods.

Any third parties that will rely on consent must be named and it must be clear and easy for people to withdraw consent, the ICO said.

In addition, organisations are told to keep evidence of consent and keep the processes under review.

The consultation document asks whether the guidance is clear, if it contains the right level of detail and if it covers the right issues about consent under the GDPR. It also asks for examples of good or bad practice that could be used in the final document.

It is open for responses until March 2017 and the final guidance will be published in May 2017. Pedder added that the ICO would issue a call for evidence to get a better idea of the technical solutions available for obtaining and managing consent later in the year.

Tags

Share this page

Tags

Add new comment

Related Articles

scientists, user, science, data, analytics ONS launches Data Science Campus
27 March 2017

The Office for National Statistics has today launched its Data Science Campus in Newport, Wales, to make better use of data and develop the statistical information it provides.

whitehall numbers, statistics, data Bridging digital skills gap could cost government £244m a year, says NAO
27 March 2017

The UK’s spending watchdog has said that there is a need for “greater urgency” in the government’s plans to tackle skills shortages in the civil service.

Houses of Parliament, Westminster, London Interview: Conservative peer Chris Holmes calls for a considered but can-do attitude from government on blockchain
27 March 2017

Two sides to the BitCoin? Conservative peer Chris Holmes talks to Rebecca Hill about being positive about blockchain’s potential for public services without seeing it as a ‘wonder drug’.

Scottish flag Scottish digital strategy set out plans for assurance, training and common platforms
22 March 2017

The Scottish government will implement a “tough” assurance process for digital projects, mandate the use of common technologies and offer training to make sure civil servants “get digital”.