Skip to main content
Creating a new NHS England: NHS England and NHS Digital merged on 1 February 2023. More about the merger.

Data sharing standard 8 - GDPR Consent

This standard is part of a series of guidance documents to support the various stages of a DARS application.



Standard description

Requirements of standard:

If consent is the data protection lawful basis relied on, the applicant will need to show that the consent collected meets the requirements of the General Data Protection Regulation (GDPR) Data Protection Act and Data Protection Act (DPA) 2018. In showing this, the applicant should refer to the Information Commissioner's Office (ICO) guidance on consent. It should provide a supporting document as part of the application that lists the GDPR requirements and confirms how its consent document meets these requirements.

It should be noted that GDPR consent addresses data protection and is distinct and separate from the obligations as owed to the duty of confidentiality (See standard 7b - Duty of confidentiality).

At a glance

The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.

Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.

Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.

Explicit consent requires a very clear and specific statement of consent.

Keep your consent requests separate from other terms and conditions.

Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.

Be clear and concise.

Name any third party controllers who will rely on the consent.

Make it easy for people to withdraw consent and tell them how.

Keep evidence of consent – who, when, how, and what you told people.

Keep consent under review, and refresh it if anything changes.

Avoid making consent to processing a precondition of a service.

Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.


Asking for consent

☐ We have checked that consent is the most appropriate lawful basis for processing.

☐ We have made the request for consent prominent and separate from our terms and conditions.

☐ We ask people to positively opt in.

☐ We don’t use pre-ticked boxes or any other type of default consent.

☐ We use clear, plain language that is easy to understand.

☐ We specify why we want the data and what we’re going to do with it.

☐ We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.

☐ We name our organisation and any third party controllers who will be relying on the consent.

☐ We tell individuals they can withdraw their consent.

☐ We ensure that individuals can refuse to consent without detriment.

☐ We avoid making consent a precondition of a service.

☐ If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.

Recording consent

☐ We keep a record of when and how we got consent from the individual.

☐ We keep a record of exactly what they were told at the time.

Managing consent

☐ We regularly review consents to check that the relationship, the processing and the purposes have not changed.

☐ We have processes in place to refresh consent at appropriate intervals, including any parental consents.

☐ We consider using privacy dashboards or other preference-management tools as a matter of good practice.

☐ We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.

☐ We act on withdrawals of consent as soon as we can.

☐ We don’t penalise individuals who wish to withdraw consent.

Below are the minimum content requirements for consent to be ‘informed’.

  1. The controller’s identity.
  2. The purpose of each of the processing operations for which consent is sought.
  3. What (type of) data will be collected and used.
  4. The existence of the right to withdraw consent.
  5. Information about the use of the data for decisions based solely on automated processing, including profiling.
  6. If the consent relates to transfers, the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.

In addition to the other requirements, consent has to be ‘explicit’, where processing involves:

  1. Special categories of data; and/or
  2. Profiling activities; and/or
  3. Cross-border data transfers.

Last edited: 24 September 2019 4:36 pm