Geo data – support for researchers

Assessing Consent

Consent is a commonly used legal basis for data processing. As the use of consent is often misunderstood, we will discuss here in more detail what needs to be done to ensure consent is legitimately used. Keep in mind that all projects at the Geosciences Faculty that process personal data must demonstrate compliance with the GDPR by performing a Privacy Scan, where the proper compliance with consent requirements will be thoroughly documented.

What needs to be done to ensure consent is legitimate?

To get a better understanding of consent under the GDPR, let’s first look at the definition laid out in Article 4(11):

‘Consent’ of the data subject (user) means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The bolded words above are key to ensuring that consent is lawfully obtained, but what exactly do they mean?

Let’s break down these terms into something more understandable:

  • Freely given: Individuals must be presented with an actual choice and not coerced by negative consequences.
  • Specific: The requirement that consent be ‘specific’ aims to ensure a degree of user control and transparency for the individual. Consent thus should only be given to specific actions instead of a broad consent to the use of data – although Recital 33 recognizes that broad consent may be appropriate for some scientific research purposes, as discussed below.
  • Informed: Individuals must understand the full scope of data collection and its use before making the decision to consent. It should be made clear that consent is being requested, and for what specific purposes.
  • Unambiguous: It needs to be made obvious that the user is giving their consent.
  • Affirmative action: Users must take an action to demonstrate their consent to the processing of their data. In practical terms, if an unchecked box is presented to participants, ticking the box would then be considered an affirmative action.

If your project complies with all of the above, you have correctly applied informed consent. We will now discuss in detail the requirements listed above.

Assessing if consent is freely given

The element “free” implies real choice and control for data subjects. To be truly freely given, individuals must have real choice, should not feel compelled to give consent and should endure no negative consequences if they do not give (or withdraw) their consent. In general terms, any element of inappropriate pressure or influence upon individuals (which may be manifested in many ways) which prevents a data subject from exercising their free will, shall render the consent invalid.

A game app asks its users to agree to share their game data with researchers before they can start playing the game. Sharing the data with researchers is not necessary for the game to work properly, as the game can still be played even if researchers do not receive the data. If users cannot use the app unless they consent to data sharing, the consent cannot be considered as being freely given. In this case, relying on another legal basis like Public Task would likely be better suited for the project than relying on consent.

Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if they do not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will, either real or perceived. When there is a potential imbalance of power between controllers and data subjects (for example, when data subjects are students, or are employees of the same institution as controllers), they may experience pressure to accept the request of the controller. Given the dependency that results from the employer/employee relationship, it is unlikely that all data subjects would be able to deny their employer consent to data processing without experiencing some fear or perceived risk of detrimental effects as a consequence of their refusal.

Inappropriate pressure may derive from an imbalance of power between the people conducting the project and data subjects (for example, if data subjects are students or employees of the people conducting the project). Given the dependency that results from the employer/employee relationship, it is unlikely that data subjects are truly free to deny their consent to data processing without potentially experiencing the fear (perceived or real) of detrimental effects stemming from their refusal – that is, unless appropriate measures are in place that address those risks, like the examples presented below:

  • A researcher working on sustainability wants to study how ‘green’ her coworkers’ habits are. She will collect the data using a survey that will be announced in the faculty newsletter. In this example, consent will not be freely given unless the researcher can demonstrate that data subjects will not experience any pressure to participate or experience fear of (social) detrimental effects if they refuse. One possible solution is to engage a third party (an external organization or a researcher/employee from another faculty) to conduct the survey who will only provide sufficiently anonymised data to the researcher. As she won’t know who did or who didn’t fill out the survey, data subjects can reasonably expect no negative effects from consent refusal, and any potentially identifying information from individuals’ responses would not be passed to the researcher.
  • To increase the response rate, a researcher will give out gift cards directly to the emails of individuals who complete the survey. Non-responding individuals (or individuals who don’t provide their contact details to receive the gift) will not be able to claim the gift, but this does not amount to detriment as only the permissible incentive (the gift) was lost.
  • A researcher is using a survey panel run by a third-party company, where potential participants are recruited for the purpose of responding to surveys for monetary (or similar) rewards. To be part of a panel, data subjects provide their personal information to the survey company to create their profiles, and based on those profiles, they receive targeted invitations to complete surveys, like the one designed by the researcher. The panel company’s terms and conditions stipulate participants must only complete one survey (out of several offered ones) every six months to remain active users. Because this minimum requirement is sufficiently low, data subjects will not feel particularly pressured to participate in the researcher’s specific survey out of fear of losing their ‘active’ status. There is also real choice, as in three months they will receive several different survey invitations to choose from. There is no undue adverse effect or consequence for individuals if they choose not to participate, stop, or pause the researcher’s survey. Data subjects are rewarded when they complete surveys, and individuals who do not complete the survey will not be able to claim their reward, but this does not amount to detriment as only the permissible incentive (the survey panel reward) would be lost.

In short, when there is a possible imbalance of power, you should consider relying on another lawful basis instead of consent.

Assessing if Consent is Specific

A project may involve multiple processing operations with several purposes. In such cases, data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes. In a given case, asking consent for each separate processing purpose may be warranted.

Your research project collects data from individuals using a survey and by conducting one-to-one interviews. Surveys and interviews are separate processing operations, so you need to ask for consent for each one of them separately.

You should provide specific information with each separate consent request about the purpose of each data processing, in order to make data subjects aware of the impact of their different choices. Thus, specific information is necessary to enable data subjects to give specific consent.

Sometimes in research it is not possible to fully identify all possible future uses of collected data. In those cases, consent would remain valid if researchers can ensure data subjects are kept informed and are able to exercise their rights at a later stage, for example by continuously updating the project information website so that individuals are kept informed of how their data is being used, long after they gave their consent. When research purposes cannot be fully specified, controllers would be expected to do more to ensure the essence of the data subject rights to valid consent is served, including through as much transparency as possible and other safeguards.

Assessing if Consent is Informed

Providing information prior to obtaining data subjects’ consent is essential in order to enable them to make informed decisions, understand what they are agreeing to, and to enable the exercise of their right to withdraw their consent. If the controller does not provide accessible information, data subject control becomes illusory, and consent will be an invalid basis for processing.

How to provide information: The GDPR does not prescribe the form or shape in which information must be provided in order to fulfil the requirement of informed consent. Valid information may be presented in various ways, such as written or oral statements, or audio or video messages – as deemed appropriate given the context of the processing and data subject.

The provided information should enable data subjects to easily identify who is processing their data (the controller) and to understand what they are agreeing to. Therefore, the information must use clear and plain language in all cases. The information should be easily understandable for the average individual and not only for researchers or other specialists.

Providing information using a layered and granular approach can be an appropriate way to deal with the two-fold obligation of being precise and complete on the one hand and understandable on the other hand. This means you can provide clear and concise information upfront (the first layer, offering minimal, indispensable information), and provide additional information (second layer, offering more granular information) somewhere else – for example, using a “please click here to learn more about how we handle your data” link. This additional information can take the form of attached extra pages, a link to the project website, a collapsible paragraph within the main text, or any other source that will make the information easily available to participants.

What information needs to be provided?

Consult step 5 of the Privacy Scan guidance, where it is explained in more detail what and how to provide information to data subjects.

Assessing if Consent is Unambiguous and an Affirmative Action

The GDPR is clear that consent requires a statement from the data subject, or a clear affirmative act, which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the particular processing.

Consent can be orally recorded: A “clear affirmative act” means that the data subject must have taken a deliberate action to consent to the particular processing. Consent can be collected through a written or (a recorded) oral statement, including by electronic means.

The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice. In the context of a survey, by actively ticking a box (for example, “I consent”), the individual is then sending a clear affirmative act to consent to the processing.

To sign or not to sign: Signatures in consent forms for research are rarely needed. If the identity of the individuals is meant to be recorded and used in the process (as it happens during clinical trials, where the identity of data subjects is already known to controllers/auditors) then asking to provide a signature is a good practice, since it will not lead to having additional information – the identity of the data subject is already known to controllers – and the signature authenticity can readily be checked at any time, since controllers already know who is behind the signature.

On the other hand, if a process does not require the use of real names, or uses a pseudonym unconnected to individuals’ real names, using a signature would be an unnecessary processing of personal data – in violation of GDPR Art 5(1)(c) and Art 11.

A signature is not necessary to remind individuals of their own choice – regardless of whether they sign or not, they can change their mind as they please. Using a signature to demonstrate consent to a third party is also useless if there is no way to match the given signature to the person giving it – there is no way to prove it is authentic, because it is not known who is behind that signature. In addition, a signature can be highly identifiable, thus negating any promise of anonymity and confidentiality given to data subjects. A signature can also give the wrong impression to data subjects that the consent form is actually a binding agreement or contract – a promise to contribute that shall not be broken.

Therefore, requesting signed consent is usually unnecessary. A checkbox (and possibly a statement/signature of the person who collected the consent) is often enough. In addition, in order to be able to link a consent form with its respective data subject, you should include the data subject pseudonym in the consent form – the identifier that you will use to track the individual’s data within your research project (like Participant B-42).

Obtaining explicit consent: The GDPR prescribes that a “statement or clear affirmative action” is a prerequisite for ‘regular’ consent. The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an explicit statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. For example, individuals may be able to give explicit consent by filling in an electronic form, or by sending an email. Two-stage verification of consent can also be a way to make sure explicit consent is valid. In surveys and interviews, explicit consent can be obtained right before sensitive data is requested. For example, a question dealing with sensitive data first acknowledges the sensitivity of the question, and then states that answering is completely optional and that the question can be skipped if the participant wishes to do so.

A participant receives an email notifying them of the researchers’ intent to process the individual’s medical data. The researchers explain in their email that they ask for consent for the use of a specific set of information for a specific purpose. If the individual agrees to the use of this data, the researchers ask him or her to state their agreement in their email reply, for example by stating ‘I agree’.

As long as the data processing activity in question exists, the obligation to demonstrate consent remains. After the processing activity ends, proof of consent should also be deleted and should not be kept for longer than strictly necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims. In most cases for research projects, proof of consent (especially if it contains personal information like names and/or signatures) should be deleted once all personal data is deleted and/or anonymized. If the project intends to archive (deidentified) personal data, proof of consent would need to be archived too.

If your project lasts for a considerable amount of time and uses identified personal data, it is a best practice to periodically refresh consent at appropriate intervals. Providing all the information again helps to ensure the data subject remains well-informed about how their data is being used and how to exercise their rights.

Consent as a legal basis vs. Consent as an ethical safeguard

There is a clear overlap between informed consent of human participants in research projects involving humans and consent under data protection law. But to view them as a single and indivisible requirement would be simplistic and misleading. Consent serves not only as a GDPR legal basis for the activity, it is also considered as a safeguard – a means for giving individuals more control and choice and thereby for upholding society’s trust in science.

Informed consent responds primarily to core ethical requirements of research projects involving humans deriving from the Helsinki Declaration. For example, the obligation to obtain the informed consent of participants in a clinical trial is primarily a measure to ensure the protection of the right to human dignity and the right to integrity of individuals under Articles 1 and 3 of the Charter of Fundamental Rights of the EU; it is not conceived as an instrument for data protection compliance.

There may be circumstances (for example, in clinical trials) in which consent is not the most suitable legal basis for data processing, and other lawful grounds (from GDPR Art 6) should be considered, in particular where there is a clear imbalance of power that would imply consent was not ‘freely given’ in the meaning of the GDPR.

However, even where consent is not appropriate as a legal basis under GDPR, informed consent as a human research participant can still serve as an ‘appropriate safeguard’ of the rights of the data subject, contributing to a positive balance regarding the proportionality of the processing. Therefore, even when consent is not used as a legal basis, participants can still be asked for their “informed consent” to participate in a project. Further guidance can be found in the Preliminary Opinion on data protection and scientific research.

The above guide has been adapted from the official documentation listed below. When in doubt, you should consult these guides to accurately assess if your consent is legitimate and appropriate.

Guidelines 05/2020 on consent under Regulation 2016/679. Version 1.0. Adopted on 4 May 2020.

Guidelines on transparency under Regulation 2016/679. Adopted on 29 November 2017, as last revised and adopted on 11 April 2018.

When is consent appropriate? Consent Guidance from the UK ICO.

Preliminary Opinion on data protection and scientific research. 6 January 2020.

Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b)). Adopted on 23 January 2019.