Written and recorded by Robert Edwards, Law Hound
Welcome to this data protection training session from Data Law. My name is Robert Edwards. I'm a consultant at Law Hound. Previously, I was a counterintelligence and IT security specialist with Her Majesty's government. I then moved on to lecturing and providing legal training.

GDPR: Consent. The General Data Protection Regulation (GDPR) is designed to update the Data Protection Act 1998 (DPA) to provide greater transparency, enhanced rights for citizens and increased accountability. And in this session, we're going to examine the changes which GDPR makes in relation to lawful handling of data on the question of consent.

In this presentation, I shall be using the following terms: individual, meaning the data subject, the individual whose data is held by an organization or data controller; organization, meaning the data controller, which may be the organization holding the data, or the organization on whose behalf the data is being processed; and data, to mean personal data as applicable within the meaning of the Data Protection Act or GDPR; the ICO to mean the Information Commissioner's Office.

The background: lawful processing. Personal data: under Article 4 of GDPR, personal data means any information relating to an identified or identifiable natural person, the data subject. If anyone can identify a natural person directly or indirectly, according to Recital 26, using all means reasonably likely to be used, then the information is personal data. It means that the data may be personal data, even if the organization holding it cannot itself identify a natural person. It also means that there's been an attempt, by using the expression "all means reasonably likely to be used", to future-proof the legislation against it being overtaken by technological advances. By way of an example, the indoor positioning system sector is extremely fragmented at present, and there's no standard approach to system design.
However, it is envisaged that the ability to identify and locate an individual within a building precisely, including which floor they're on, will become widely available as protocols for contextual awareness, wherein applications are developed for specific purposes within specific environment types, are improved. Contextual awareness is currently a high priority for developers. While this may seem somewhat off topic, I use it only as an indicator of why the regulation contains some expressions which may appear less than specific. What might be reasonably used today will not include the technologies that are expected to be in place in the near future.

Special categories. Article 9 of GDPR refers to special categories of data, which is similar to the sensitive personal data under the DPA, with two additions relating to genetic data and biometric data.

Lawful processing. Article 4(2) of the GDPR defines processing as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. That's about everything. The definition is wide and, as we know from the DPA, captures almost anything which a business may wish to do with an individual's data.

Under GDPR, processing data will only be lawful if it complies with one of the processing conditions under Article 6(1), of which consent is one. I'll include the other conditions in the notes for the sake of completeness. When it comes to processing special categories of data, GDPR Article 9 means processing data will only be lawful if it complies with one of the processing conditions, of which, again, consent is one. And again,
I'll include the other conditions in notes.

Things to consider before relying on consent as a lawful basis for processing. First question: is consent appropriate? The concept of lawful processing and reliance on an individual's consent to the use of their personal data is certainly not new, but consent is only one lawful basis for processing. As the ICO advises, relying on consent as a lawful basis is appropriate if you can offer people real choice and control over how you use their data and want to build their trust and engagement. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair. Usually providing consent is not a precondition of service unless it really is necessary to provide the service. And, where your organization is not in a position of power over individuals, consent is appropriate.

The impact of consent on an individual's rights. Under GDPR, your lawful basis for processing data impacts on the individual's rights in respect of their data. So, for example, if you process data on the basis of the individual's consent, under GDPR they will have additional rights, such as to have their data deleted, the right to erasure, also known as the right to be forgotten, and the right to data portability. And it's an ongoing obligation. As the ICO clearly states, your obligations don't end when you obtain consent, because it's not a one-off compliance box to tick and file away, but rather it's part of your ongoing relationship of trust with individuals.

So what changes does the GDPR make to consent? Well, the concept of consent is still a potential lawful basis to process data under GDPR. However, as the ICO points out, what GDPR has done is to build on the standard of consent, containing more detail, codifying existing European guidance and incorporating best practice.
So under the Data Protection Directive, consent is any freely given, specific and informed indication of an individual's wishes by which the data subject signifies his agreement to personal data relating to him being processed. Under GDPR Article 4(11), the data subject's consent is defined as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. So, under GDPR, consent must be freely given; a specific, informed and unambiguous indication of the individual's wishes; must be given by either a statement or a clear affirmative action; and be as easy to withdraw as it is to give.

Let's look at freely given briefly. Individuals must have genuine choice and control over how you use their data. Consent will not be deemed to be freely given if there is imbalance in the relationship between the individual and the organization. This means public authorities and employers need to be careful and may need to look for an alternative lawful basis. To ensure that consent is given freely, individuals must be able to refuse. So unless it really is necessary, for example, to provide a particular service, then consent should not be a precondition of signing up. Article 7(4) and Recital 43 cover this. And it has to be unbundled, completely separate to other terms and conditions.

A specific, informed and unambiguous indication of the individual's wishes. OK: clear and easy to understand, in plain language. As the ICO advises, language likely to confuse, for example the use of double negatives or inconsistent language, will invalidate consent. You must provide the name of your organization and any third parties who will be relying on consent.
You can't, for example, provide even precisely defined categories of third-party organisations; you have to use the names. Explain the purposes of processing. Have separate consent for different processing operations wherever appropriate. The ICO advises that an organization should give granular options to consent separately to different types of processing wherever appropriate, unless this would be unduly disruptive or confusing (Recital 43). As a minimum, consent must specifically cover all purposes. And remember, you must regularly review consents and ensure that you get fresh consent if your purpose or activities evolve beyond what you originally specified. As the ICO advises, consent will not be specific enough if details change. There is no such thing as evolving consent.

Consent must be given either by a statement, being written, electronic or oral, or a clear affirmative action. It has to be a deliberate or positive opt-in, not inferred from silence, a pre-ticked box or inactivity. It can still include checking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data, under Recital 32. Implied consent may still be viable in what the ICO describes as more informal offline situations, but there must be a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose. However, this type of implied consent would not extend beyond what was obvious and necessary.

So the ICO gives the following as examples of active opt-in: signing a consent statement on a paper form, ticking an opt-in box on paper or electronically, clicking an opt-in button or link online, selecting from equally prominent yes and no options. Choosing technical settings or preference dashboard settings.
Responding to an email requesting consent, answering yes to a clear oral consent request, volunteering optional information for a specific purpose, for example filling optional fields in a form combined with just-in-time notices, dropping a business card into a box. The last example is a traditional method of gathering marketing data at networking meetings and is usually attached to a draw which may result in a modest prize being won. This implied consent is outdated and falls outside the regulation, since consent must be specific and the giving of consent has to be recorded by the data controller. Entering a prize draw in this way is not a specific consent to being sent marketing information.

Consent has to be as easy to withdraw as it is to give, and this means clearly telling an individual of their right to withdraw at any time and explaining how they do this; having a straightforward mechanism in place for withdrawing consent so that it is as easy to do as giving consent, and the individual can opt out at any time on their own initiative. It also means it's good practice to have both online and offline methods, including by telephone, and that it must be possible to withdraw consent without suffering any detriment. Otherwise, the consent cannot really be considered to have been freely given.

Maintaining records: proof of consent. To comply with Article 7(1), you must keep proof. You must keep evidence that someone has consented and be able to demonstrate who consented: their name or other identifier, such as an online user name or a session ID; and what they were told at the time of consent. Now the ICO advises that this should include, as applicable, a master copy of the document or data capture form containing the consent statement in use at that time, along with any separate privacy policy, including version numbers and dates matching the date consent was given. If consent was given orally, your records should include a copy of the script used at that time.
Demonstrate how they consented: in writing, by data capture, orally, whichever. The ICO advises, if consent was given online, your records should include the data submitted, as well as a time stamp to link it to the relevant version of the data capture form. If consent was given orally, you should keep a note of this made at the time of the conversation. It doesn't need to be a full record of the conversation. And demonstrate when they consented: so a copy of a dated document, or online records which include a time stamp, or a note of the time and date of an oral consent; and whether consent has been withdrawn and, if so, when it was withdrawn.

Children's consent for services requested and delivered over the Internet. Article 8 deals with children's consent for services delivered over the Internet at the user's request, or information society services. If an organization offers any services requested and delivered over the Internet, other than preventive or counselling services, and relies on consent as a lawful basis for processing, then they must obtain parental consent for children. At the moment, children are those under 16, although this may alter to under 13. They will need to implement age verification measures and to make reasonable efforts to verify parental responsibility for those under the relevant age.

Other types of processing. If an organization is relying on children's consent for any other services, then they will need to consider whether the child is competent to both understand and provide consent on his own behalf, using the Gillick competence test.

Practical steps. Review your existing consent protocol. Check: do you have a mechanism in place for withdrawing consent? Does your current system relating to consent meet the GDPR requirements? Under Recital 171, you don't need to obtain a new consent and can rely on existing consent provided that it meets all the GDPR requirements and it's properly documented.
In reality, the systems used by most businesses under the DPA will not meet the GDPR requirements. Ask: is there another lawful basis for your processing? If your current consent system does not meet all of the GDPR requirements, before you obtain fresh consent, ask yourself whether there is a different lawful basis for your processing. Otherwise, you must cease the processing.

There is no specific time limit for consent, but you do need to consider that consent is likely to degrade over time. Consider the scope of the original consent and the individual's expectations, and remember that parental consent expires when a child reaches the age at which they can consent for themselves. So your system needs to have a built-in process to deal with this.

And that concludes this session for Data Law. Thank you for joining me, Robert Edwards, on this session.