Of the 6 possible legal bases to process personal data, informed consent is currently the one most often used in research. With the term consent, we mean the process of data subjects deciding whether or not to agree to specific statements, such as a statement to participate in a research project.
Determine if consent is the legal basis you need
Determine if consent is the legal basis you need for your research: there are other legal bases besides consent which can sometimes be more suitable in a research context.
In some situations, consent is likely the only way to process data, for example, if you want to process special categories of personal data, or if you process personal data from people who are incapable of giving consent or from children under 16 years old. In the latter case, the GDPR requires you to obtain additional consent from a legal representative (e.g., parent), and there are additional requirements when your research falls under the Dutch Medical Research Involving Human Subjects Act.
Consider if you meet all requirements for consent
If you need to use consent as a legal basis, consider if you meet all requirements listed below. If you do not, consent is not a valid legal basis, and you should consider another one.
Determine what you will ask consent for
Determine what specifically you are asking consent for. If you cannot determine a specific purpose, for instance because your research question is not yet entirely clear, contact your privacy officer to consider obtaining broad consent.
Prepare information for data subjects
Prepare a privacy notice or information letter for data subjects to inform them before asking for their consent.
Obtain demonstrable consent
Different forms of consent are valid. Note that often a signature is not required.
Keep the consent forms available
Treat the consent declarations as personal data: store them separately and securely from the research data, and for as long as your research data contain personal data.
Note that the term “consent” is used both in the GDPR and in an ethical context. As a legal basis, data subjects give consent to process their personal data (e.g., “I consent to my data a, b, c be used for purpose x, y, z”). In an ethical context, consent is a safeguard to give data subjects more control over their personal data, and makes sure they participate voluntarily in the research project (e.g., “I have read the information and agree to participate under the conditions described”). Thus, it can happen that consent is not the best legal basis to use, but should still be used as an ethical requirement.
Requirements for valid consent
Under the GDPR, consent is only valid when it is all of the below (art. 4, art. 7, rec. 32, rec. 42, rec. 43):
Freely given
Data subjects should have an actual voluntary choice and should not experience negative consequences if they don’t consent or withdraw their consent. Moreover, they should not be pressured to provide consent, and so there cannot be a power imbalance between the controller (e.g., researcher) and data subjects (rec. 43).
- Consent is not a valid legal basis when the researcher is also a teacher and asks their students to participate, who depend on the teacher for a good grade.
- Consent in a clinical trial is not a valid legal basis when patients are asked to participate in the trial, but the choice to participate affects their treatment plan or treatment outcome.
- Consent can still be used for children and persons legally incapable to provide consent when their legal representative(s) provide the consent.
Specific
Data subjects should know as specifically as possible what they are asked to consent to. Separate processing purposes therefore require explicitly separate consent (rec. 32, rec. 43), and accompanying specific information that will allow the data subjects to decide if they consent or not. If consents for multiple purposes are necessary for your research, you can combine those.
- Combined consent may be possible to collect, store, analyse, and share personal data with your collaborators – all actions are needed to answer your research question.
- Separate consent is needed for conducting a survey vs. for conducting a subsequent interview, if participation in that interview is not required for your research project.
- Separate consent is needed for the current research project vs. for contacting data subjects for future research projects.
- Separate consent is needed to use personal data to answer a research question vs. to link different sources of data together to do so (Gedragscode Gezondheidsonderzoek, 2022).
- Separate consent is recommended to make the personal data available for reuse (describe the conditions under which this will be allowed).
Informed
Data subjects need to be clearly and accessibly informed about which personal data are processed and why, and about their rights (see Information to data subjects). Data subjects should be able to access this information easily (also after they have provided consent).
Unambiguous and affirmative
It should be clear what data subjects are providing consent for, using a clear, affirmative statement. Importantly, “silence, pre-ticked boxes or inactivity” do not constitute valid consent (rec. 32): consent should be active.
Retractable
Data subjects have the right to withdraw their consent, meaning their personal data cannot be used for the research purpose anymore and have to be removed where possible. Withdrawing consent should be as easy as providing consent. It is important to make the distinction with the right to stop participating at any time (usually an ethical obligation), because the latter implies that the data collected up until that point can still be used for the research project.
What forms of consent are valid?
The way you obtain consent may differ per research project and can depend on how you interact with your data subjects. The only requirement is that it should be demonstrable and registered in a reliable manner. Some examples:
- Ticking a box (not pre-ticked!)
- Writing or replying to an email (“I agree to be interviewed”)
- Filling in an electronic form
- Audio- or video-recorded consent (separate it from the research data!)
- Signing a paper document (not usually necessary)
To sign or not to sign?
Signatures in consent forms are rarely needed. In fact, if you are only processing pseudonymised research data, you will only collect unnecessary personal data by obtaining a signature (art. 11), and a checkbox should be sufficient. In order to link the consent form with the data subject, you should include the pseudonym on the consent form (the identifier you will use for the participant, e.g., “part-001”). Inform your participants of this pseudonym; they can use it to exercise their rights under the GDPR, such as for withdrawing their consent.
A signature may make sense or be required only when the identity of the data subjects will be used in the process (e.g., clinical trials). For example, if your research is subject to the Dutch Medical Research Involving Human Subjects Act (WMO), different requirements may apply.
Demonstrating (valid) consent
As long as you process personal data, you should be able to demonstrate that the data subjects consented to that processing (rec. 42). So as long as you analyse, use, store, archive, etc. the personal data, the proof of consent needs to be retained. It is preferable to store the proofs separately from the research data. If you collected consent on paper, it is best practice to scan the consent forms and securely delete the paper version after having made sure the scanning went well. Only after there is no personal data anymore (e.g., after fully anonymising the dataset) can you remove the proof of consent.
Broad consent in research
In research, it can sometimes be difficult to formulate very specific research questions in advance. In this case, you may be able to formulate the research purposes on a more general level and obtain consent for these more general purposes (EDPS, 2020; Deutsche Datenschutzkonferenz, 2019). However, you can do this only as long as:
- data subjects can give consent to only part of the research and easily withdraw consent (rec. 33).
- data subjects are kept informed as specifically as possible about what will happen to their personal data. As soon as you know more, you should also inform data subjects in more detail. Your use of the personal data should fall within the line of expectation from data subjects.
- you use additional protection measures, for example:
  - obtain ethical approval for using the data for new research questions.
  - offer a consent withdrawal possibility before using the data for new research questions. This is especially relevant when it is still possible to reliably identify data subjects in the dataset.
  - make sure the data are not transferred to countries outside of the EEA, unless one of the derogations from GDPR Chapter V applies (e.g., adequacy decision, standard contractual clauses, explicit consent for transfer).
  - enforce specific requirements for access to the data, e.g., “research in general” is not a sufficiently specific purpose for reuse of the personal data.
- you document your considerations and ask for help from a privacy officer.
Broad consent under the GDPR needs to be distinguished from “General consent” as defined by the Dutch Code of Conduct for health researchers, that is: for medical research, different requirements may (additionally) apply.
Examples and templates
Note that all examples below assume that they are preceded by sufficiently specified information.
- “I consent to the collection and use of my personal data to answer the research question described in the information letter.”
- “I consent to linking the new research data to data previously collected about me in this research project.”
- “I agree that research data gathered for the study may be published or made available provided my name or other identifying information is not used.”
- “I understand that the research data, without any personal information that could identify me (not linked to me) may be shared with other researchers.”
- “Any information I give will be used for this research project only and will not be used for any other purpose”: this restricts all future uses of the data, including sharing the data with your collaborators, performing analyses for new research questions, and sharing the data for reuse. It’s preferred to tell data subjects how their data can be safely used in different ways.
- “I do not give consent to share my data”: this sentence is ambiguous and may confuse data subjects.
- “I acknowledge that the personal data collected by the researcher belongs to the university and that I have no rights in the research performed on it”: it is not allowed to deny data subjects their data subjects’ rights.