The purpose of consent is to give data subjects as much control over their data as possible. It is, therefore, not a suitable legal basis for research studies where the individual’s ability to control the processing of their data is limited.
According to the GDPR, consent to participation in a study is deemed valid only if it has been actively expressed and clearly confirmed (for example, by writing the word “yes”, ticking a box, or signing). Therefore, the data subject must give voluntary, informed, specific and unambiguous consent to process their personal data (opt-in). The opposite situation, where consent for collecting personal data is implicitly presumed, and the participant has to do something to opt out, is prohibited and contrary to the GDPR. A selection of sample consent forms can be found on the University of Tartu intranet.
Read more:
|
2.3.1. Consent must be freely given
A person must not be influenced to give consent. Consent is not voluntary if the person has no real freedom of choice. Enticement with gifts, money or other benefits, persuasion or coercion is not allowed.
Consent is not deemed as freely given if
- there is an evident power or dependency relationship between the giver and the seeker of consent; for example, when a lecturer asks for consent from a student or an employer from an employee;
- giving consent is a precondition for providing a service or using a benefit or opportunity. For example, participation in professional conferences or seminars cannot be made conditional on consent to processing personal data (taking pictures or broadcasting), without which access to the event is denied. The same applies to open data repositories: for example, on a website giving access to open data, consent to cookies must not be required to access the data. In the case of a research study, however, it is rather difficult to imagine a situation where data collecting would be linked to an activity or service of interest to the data subject;
- the withdrawal of consent would have adverse consequences for the individual. It is, therefore, necessary to ensure that both the giving of consent and its withdrawal are voluntary.
2.3.2. Consent must be informed
Being informed means knowing and understanding what one agrees with. According to the GDPR, the information about consent must be given in clear and plain language. Complicated scientific or legal terms should be avoided.
On the consent form, the individual must be given information about the processing of their data. Otherwise, the consent given by the data subject cannot be considered informed consent and is invalid. The consent form must explain the entire data processing process from the beginning to the end (data collecting, analysis, transfer, and storage). This inevitably implies that all the information required by the GDPR must be presented to the individual when seeking consent:
- the name and contact details of the controller and the controller’s representative;
- the contact details of the specialist for data protection;
- the purpose and the legal basis of processing personal data;
- the recipients of personal data, i.e. those to whom the data are transferred;
- the retention period of personal data;
- the right to withdraw consent and other rights related to data;
- information on the transfer of data to third countries;
- information on automated decisions and profiling of natural persons.
Being informed therefore requires a compromise between two conflicting interests. On the one hand, there must be enough information to give the reader an overview of personal data processing. On the other hand, the information must be simple and clear to ensure it is understood.
The information may be provided in any form. It may be written text or, for example, video, audio, animation, images or icons. Giving several versions of the information may be useful – one shorter and simple, the other more extensive, detailed and text-based.
2.3.3. Consent must be specific and unambiguous
Specificity means that the purpose of processing personal data has been clearly stated. Formulating a precise purpose can be difficult in research as it is often unclear at the beginning what data will be processed, how they will be processed, and what are their future uses. Therefore, a certain concession has been made: the purpose of the research should be as specific as possible at the time. Although the purpose is less specific, it can be remedied by greater transparency throughout the research (for example, by keeping data subjects informed of the progress of the project) or repeatedly asking for consent (for example, by asking for new consent after certain stages of research).
The requirement that consent must be unambiguous is closely connected to the principle of transparency – it means that consent must be unambiguous and clearly formulated, without any misleading or confusing statements. For example, if there are multiple purposes, the consent form must be drafted so that data subjects can choose which purposes they do or do not agree to (see also 2.12).
2.3.4. Consent to data processing must be clearly distinguished from other requirements and consents
The consent to processing personal data used in research is sometimes very similar to consent to participating in a survey. The giver of consent must understand that, for example, the consent to participate in a clinical study does not automatically mean giving consent to processing personal data. Instead, the person must give double consent: one for processing personal data and the other for participating in the study. However, they are closely connected and if, for example, the person does not agree to data processing, they cannot participate in the study.
In addition, it is worth remembering that the consent to participate in a research study must also include information not required in the consent to data processing. The consent to participate must describe the purpose and organisation of research, the researchers, research institutions and funders involved, the expected societal benefits and potential harms of the study, and a description of how these are weighed against each other, the possible uses of the results, the risks to people and the measures envisaged to mitigate them.
2.3.5. It must be possible to prove consent
There are no specific requirements for the consent form other than that it must be verifiable, i.e. documented. Therefore, it should be in writing. Verbal consent is also suitable as long as the researcher has recorded it and it can be reproduced.
Consent does not necessarily need to be signed; therefore, an email is also acceptable. However, it must be possible to prove that the data subject has given consent. If problems arise with the processing of personal data and the research institution cannot verify that the consent exists, the Data Protection Inspectorate may consider the processing unlawful.
Documented consents are also personal data. In addition, they are official working documents of the university, and their retention time, manner and place have been agreed upon in the documentary procedure rules. Generally, they must be retained until the end of the data processing.
2.3.6. Processing must be limited to what is described in the consent
Consent is valid only under the conditions described in it. If the consent form does not inform an individual of certain processing activity, there is no legal basis for such processing. If the nature or extent of processing significantly changes during the study, new consent must be obtained to continue processing the personal data.
In the case of a follow-up study, it is necessary to obtain new consent at the time of the new data collection, even if the person was informed of the follow-up study at the time of the initial consent request.
2.3.7. Consent must be easy to withdraw
A person must be able to withdraw consent, and this should not be unduly complicated. Otherwise, the consent is void, and the personal data processing is unlawful.
If a participant in a study wants to withdraw their consent, they should file the respective request in the form of a digitally signed statement or using other methods of identification. The data processor must ensure that the person withdrawing consent is the same person who gave it.
The withdrawal-related communication should not be limited to withdrawing the consent; it is also good practice to explain to the data subject what will happen to their data after the consent is withdrawn. For example, it should be reiterated that the processing of data during the validity period of the consent was lawful, and cannot be withdrawn. The data processing ends of the moment the person gives notice of withdrawing the consent.