Consent is not a new concept and has been a core part of data protection and privacy laws for decades. However, the GDPR raises the bar considerably on the 'conditions for processing' personal data.
Simply put, 'consent' means obtaining clear permission to hold and process a person's data for a specific use. Although clear permission is already required, 'opt out' practices have become commonplace, e.g. pre-ticked checkboxes to receive marketing material, turning consent into an assumption rather than explicit permission. The GDPR is far more explicit about what constitutes consent and aims to remove this kind of deception entirely.
ARTICLE 7 GDPR: Conditions for consent
It's important to understand that you need a lawful basis on which to process data. 'Consent' is one such basis, but it might not be the most appropriate one. You should choose the lawful basis that most closely reflects your relationship with your data subjects and the use of their data. Since you cannot operate as a school unless you process student data, asking for consent (i.e. giving an option) would be meaningless. In this case, school/parent agreements or employment contracts provide a lawful basis (contractual necessity) on which to hold and process their personal data.
However, you cannot automatically use this as a lawful basis to then piggyback other activities, like sharing data with third parties. As an example, a school event organised by another company that requires the use of your student, parent or staff data may require specific consent.
Aside from consent, lawful bases for processing personal data include:
It's important to understand that processing data based on consent alone is relatively weak. The data subject can withdraw it at any time, and unless you have another legal basis on which to process that data, you will have to delete it.
In terms of sensitive data, consent must be explicit. For example, if you wish to use a data subject's medical data you will need to seek specific consent for its use.
Again, consent is not the only lawful, or necessarily the most appropriate, way to process sensitive data. Employment law, vital interests, legal claims, and data already made public by the data subject themselves are all legally acceptable grounds for processing sensitive data, as long as that processing is necessary.
ARTICLE 6 GDPR: Lawfulness of processing
Stating a use for processing data in an agreement or contract is not enough without proving that the processing of that data is 'necessary'. For instance, this includes outsourcing an HR function that can reasonably be done internally. This will require formal 'consent' from the employee as a lawful basis, since outsourcing this processing was not strictly necessary.
In practice, you will still need to be clear and concise about your use of personal data and seek consent for any use outside the standard school agreements with students, parents or staff.
Guardians have a legal obligation called Parental Responsibility for the child up to the age of 18 (in most cases). Under the GDPR, although parental consent will be required for children under 16 (or 13 for countries like the UK), Parental Responsibility gives parents the right and duty to manage consent for the child while at school.
This means telling parents:
ARTICLE 8 GDPR: Conditions applicable to child's consent in relation to information society services.
If you already collect consent you should conduct a review of your data collection process to ensure it complies with the GDPR. You may find you do not need to do anything significant to get in line.
Your school management software can play a significant role in simplifying this process. MySchool will be working on new features to help manage consent and GDPR compliance in 2018.
If for any reason you have used consent as a lawful basis with which to process personal data, you need to: