Collecting personal information - how to ask for consent

What is consent?

Sometimes we need to ask individuals to give their permission, or consent, for their personal information to be collected or used. Consent is one of the legal grounds for processing personal information. The advice on this page applies wherever you are collecting information about individuals: on web pages, in surveys, online or printed forms, or mailing lists. 

When we ask for consent is is important that it is:

  • informed - you need to explain why you need the information and how you will use it
  • freely given - you mustn't pressurise people into giving their consent
  • unambiguous - if you are doing different things with the personal data you need to ask for consent separately for each use
  • opt-in - consent should be given through someone doing something (like ticking a box) and not through failing to do something (like unticking a box or replying to an email)

Always use straightforward language that is appropriate to your audience. 

Collecting information

Only collect information you really need.

Think about whether it's possible to collect general information instead of very specific information. If age is relevant, for example, think about whether you really need a full date of birth, or whether an age range, or a statement about age ("I am over over 18") is enough.

Avoid asking everyone the same questions if they aren't all relevant to everyone. If you are using an online form think about having extra boxes for questions that only appear for certain groups. Or collect further information separately only form the specific group it is relevant to. 

Make it clear what information is mandatory and what is optional.  

Designing your form

Start with an opening statement

It's always useful to open with a simple statement to reassure people about how their personal information will be used. There are no specific words you need to use and you should use the same "voice" for this statement as you do for the rest of your information to your participants.

Here are some examples of potential wording:

  • The personal information you share with us is handled responsibly in  line with our privacy policy
  • We value the personal data you share with us and manage it in line with our privacy policy

Don't forget to include a link to, or copy of, the relevant privacy policy.

Use opt-in checkboxes

An easy way to collect consent is to offer boxes for people to tick. Boxes must not be pre-ticked, and the tick should be to opt in, not to opt out.

It's important to present a separate tick box for each activity. So, for example, if you survey people who have participated in an event or activity and would like to get their permission to use quotes from their responses to advertise the event to others, to sign them up for your mailing list advertising further events, and to enter them into a prize draw then that should be three separate tick boxes.

Try to be specific about what you are asking people to sign up for. This is so that the consent is informed. So instead of having a tick box for "I'd like to be added to your mailing list" or "I'd like to hear more about events" you could say "I'd like to receive your monthly email newsletter". or "I'd like to hear more about other events on this topic".

If you are offering an incentive like entry into a prize draw then that should be open to everyone, not just those who agree to sign up for marketing.

Let people change their minds

You must allow people to withdraw consent if they change their mind. Let them know this at the time. The process should be simple and easy. If you are sending out marketing emails you should include a reminder about opting out with each email sent.

Don't assume that consent is valid forever. If the consent is for ongoing activity you may need to refresh consent from time to time, and keep records of what consent was given, by whom and when.

When there is no choice

Consent must be freely given, and that means it must also be possible to refuse consent.

So if there is some information you have to have in order to be able to provide a service to someone, and if they refuse to share that information that leaves you unable to provide the service, then you don't need to ask for consent.

For example, if you are running an event through Zoom you will be sending a link out to email. It's not possible for someone to attend without sharing their email, so you don't need to ask consent because the legal basis is contract (there isn't a written contract. The contract is an agreement that they will provide their email address and you will provide the event through Zoom).

Instead of asking for permission for information that is necessary for you to provide the service you can have a statement for the individual to agree to. For example "I understand that you will use my email address to send me the link to the Zoom event".

Don't forget that you might still need consent for part of your activity. In our Zoom example you don't need consent to email the link for the event but you will still need permission to add their email address to your marketing list, because it's perfectly possible to invite people and for people to attend without them joining your mailing list. Don't forget it has to be opt in! Example wording might be "Please add me to your mailing list to receive monthly updates on Zoom events". 

Consent checklist

  1. Use clear straightforward language
  2. Include links to relevant privacy policies
  3. Only ask for information you really need
  4. Get active opt in
  5. For marketing opt-ins let contacts choose content, channel and frequency as appropriate
  6. Keep consent separate from other messages
  7. Always explain how to withdraw consent or unsubscribe
  8. Keep a record of consent – who , when, how and what you communicated
  9. Keep consent under review and refresh wording if anything changes
  10. Don't ask for consent unless it's possible for people to refuse

 

Arrow symbol
Contact us
Information Assurance Manager
Telephone: 01206 874853