he GDPR rules set a high standard for consent, but the biggest challenge is what this means in practice for the way you gain any consent needed.
See our consent template at the bottom of this page
Consent means offering people genuine choice and control over how you use their data. You can build trust and enhance your Scout Group by using consent properly. Consent is different though, this should be used sparingly as consent can be removed as quickly as given and requires a significant amount of transparency on what you are requiring and why, as well as an ability to provide evidence that consent has been given in the first place.
For local Scouting most of the reasons you have for data ownership are already justified based on the obligations you undertake as part of your role, for example:
- The collection of Young People’s medical records is necessary for the protection of that Young Person whilst in the care of the Scout Group.
- The collection of Young People’s religion is necessary to respect their beliefs with regards to activities, food and holidays.
And for these reasons explicit consent is not required
Situations where consent may be required could be as follows, these are purely examples to highlight the point:
Example – Advertising for new members could include: events, email campaigns, canvassing.
What does this mean for GDPR?
It needs to be clear who you are marketing to and the lawful processing you are using as grounds to contact them. This needs to be evidenced as either:
- consent – they opted-in
- non-digital – physical event/canvassing
- legitimate interest – your use of the data is necessary and is not overridden by their interests or fundamental rights. On balance, it’s more positive for them than negative.
Example – A requirement of being an adult volunteer in Scouting is to keep young people, parents/guardians and other adult volunteers updated. These are updates about weekly meetings, upcoming events and general Scout Group, District, County/Area/Region or Country news.
What does this mean for GDPR?
Communication to the young people, parents/guardians or adult volunteers is essential for the effective operation of a Scout Group, District, County/Area/Region or Country. The GDPR recognises these types of communications and categorises them as necessary to fulfil your role. However, this communication should only be for the purposes of the Scout Group, District, County/Area/Region or Country and not for further advertising, unless the person receiving the communication has specifically opted-in.
In these cases, if you feel the activity warrants consent then this should be clearly presented to the person consenting at the point at which you gather their personal data, or as a separate form for completion, in both cases you need to consider the following, this is known as a privacy notice:
- Is the reason I want the consent, justified?
- Is the consent notice (privacy notice) clear and transparent as to the justification above?
- Do I give clear opt-in check boxes for ticking?
- Can I store the evidence of consent once I have gained it?
- Can I easily remove the consent if requested to do so?
In most cases consent is being asked for from the parent responsible for the Young Person. This is also true when gaining consent for nights away from the parents however this is consent for the attendance of the Young Person and not the on-going use of their data, this is very different.
Where consent is required by a data subject under the age of 18, parental consent must be obtained and cannot be provided by the young person.
As part of local Scouting, photography is common place to record events and publicise activities. As a photograph is considered Personal Data and isn’t really justified via another lawful basis, consent should be used, especially if the photograph is publicised with the individuals name. This consent should be captured at the time the data is collected, such as the attendance form for the event.
The GDPR builds on the 1998 Data Protection Act standard of consent in several areas and contains much more detail:
- keep your consent requests separate from other terms and conditions
- consent requires a positive opt-in. Use opt-in tick boxes or similar active opt-in methods.
- be specific and granular. Allow individuals to consent separately to different types of processing wherever appropriate
- Be clear and concise
- name your Scout Group and any specific third party organisations who will rely on this consent
- list why you want the data and what you will do with it
- keep records of what an individual has consented to, including what you told them, and when and how they consented
- tell individuals they can withdraw consent at any time and how to do this.
- Keep consent under review, and refresh it if anything changes.
You are not required to refresh all existing 1998 Data Protection Act consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
When is consent appropriate?
Consent is appropriate if you can offer people real choice and control over how you use their data and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.
Explicit consent must be expressly confirmed in words, rather than by any other positive action.
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.