Obtain Consent

Last updated: September 26, 2024

Last updated on March 27, 2024

ON THIS PAGE:


Why obtaining consent is important

Consent promotes trusted relationships when collecting or using sensitive or special categories of personal data. It informs individuals about the purpose and use of personal data so they can decide if they want to provide the personal data or participate in a particular activity.

Your method for obtaining consent should:

  • Be described and displayed clearly and prominently;
  • Ask individuals to positively opt-in, in line with good practice;
  • Give individuals sufficient information to make a choice. If your consent mechanism consists solely of an “I agree” box with no supporting information, then users are unlikely to be fully informed and the consent cannot be considered valid;
  • Describe how individuals can revoke their consent;
  • Outline consequences, if any, of opting out; and
  • Communicate what UW will do to ensure the security of personal information.

When obtaining consent is required

Obtaining consent when collecting personal data is considered a “best practice” if there is pertinent information or there are rights, risks, or benefits that need to be clearly communicated to individuals in order for them to decide if they want to provide the personal data, or participate in an activity. Certain laws may require the UW to obtain consent before collecting personal data or asking individuals to participate in an activity.

European Union’s General Data Protection Regulation

Under EU GDPR, the UW (when acting as controller) is required to obtain valid consent from the individual if consent is the lawful basis being relied upon for processing personal data, or if the data is identified as “special category” data, sensitive in nature that:

  • Reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
  • Are genetic data or biometric data for the purpose of uniquely identifying a natural person.
  • Are concerning a natural person’s sex life or sexual orientation.

Legitimate uses of special category personal data under EU GDPR that do not require consent:

  1. To carry out specific obligations or rights of UW or data subject in employment;
  2. To protect the vital interests of the individual or another person when the individual is physically or legally incapable of providing consent;
  3. For legal defense;
  4. For various healthcare-related reasons, including assessing working capacity of employee, when the individuals involved in processing have duties of confidentiality;
  5. For various specified public health related reasons;
  6. For archiving, scientific or historical research or statistical purposes; or
  7. If processing relates to personal data which the individual manifestly makes public

Note that other laws that relate to protection of personal data at the UW may still require obtaining consent even if EU GDPR does not require consent.

Review the Standard Consent Language (compliant with EU GDPR requirements).

Notification or Consent Workflow for EU GDPR

Consult the workflow below to determine whether to provide privacy notice or obtain consent when collecting or processing personal data about people located/living in the European Union:

EU GDPR consent workflow

EU GDPR consent workflow

Download UW Notification or Consent Workflow [pdf]

Please contact UW Privacy for Workflow accessibility support.

Example UW Consent Forms

Office of Research: Consent Form Template, Standard (#P-555)

Elements of Consent

Basic elements:

Basic Consent should include the following elements in understandable language:

  1. Name and contact information for the individual overseeing data collection
  2. The primary and any supplemental purpose and use of personal data; and
  3. A clear and simple way for individuals to indicate they agree to the collection and use of their personal data.

The consent should not be bundled with other items that do not require consent. It should not force individuals to agree to several different purposes and uses of personal data, or activities.

EU-GDPR elements:

When obtaining consent from people residing in the European Union, review the Privacy Policy for EU GDPR.

All Basic elements above PLUS the elements below are required:

  1. Name and contact information for UW’s Privacy Officer.
  2. At least one lawful basis (from the six bases below) and purpose(s) of collecting/processing personal data:
    • Necessary for the performance of a contract to which the individual is part of or to take steps at the data subject’s request prior to entering into a contract;
    • Necessary for compliance with a legal obligation;
    • Necessary to protect the vital interests of the individual or another natural person;
    • Necessary for the performance of a task carried out in the public interest or as required by an official authority;
    • Necessary for the purposes of the legitimate interests pursued by the controller or by a third party as long as the purpose does not negate the interests or fundamental rights and freedoms related to the protection of personal data; or
    • The individual data subject has given consent for specific purpose.
  3. Recipients or types of recipients of the data and their reliance on this consent.
  4. Reference to the UW retention schedule for length of time data will be retained or an explanation of how that time period will be determined.
  5. Individuals’ rights to:
    • Access, rectify, or request erasure of their data
    • Restrict processing of their data
    • Object to processing
    • Withdraw their consent without detriment
    • Take their data with them to another entity
    • Complain
  6. Notice that subsequent withdrawal of consent does not impact the lawfulness of prior data processing.

Valid and Invalid Consent under EU GDPR

Refer to the Privacy Policy for EU GDPR for specific information about valid and invalid consent.

Standard Consent Language

Note: This language is for the collection of personal data that requires consent. If controllers use alternative consent language they are responsible for confirming it includes the required elements of consent.

University of Washington
[insert UW Unit Name]
Consent for Collection and Use of Personal Data

By continuing through this process, you are consenting to the University of Washington’s (UW) use of data about you for the purpose of [brief description of the lawful basis and purpose of processing].

Data records will be maintained for at least their minimum required retention according to the applicable UW Records Retention Schedule(s):

The UW may share your data with other units around the UW that have a business reason to use or access the data. [UW may also share your data with name(s) of any sub-processor, and a brief description of why.]

Even after you give your consent, you may ask to see your data or request to have your data corrected or erased. You may also object to or request restrictions on how your data will be processed. You may ask that your data be forwarded or transferred to another organization. Finally, you may withdraw your consent without penalty. If you do decide to withdraw consent at a later date, your withdrawal will not change the fact that your data has been processed legally up to that point.

For more information or to file a complaint, now or later, please contact [Name of UW Controller’s (or representative’s) identity and contact information.] If your data protection related questions or concern are not addressed after contacting Controller to which you provided data, then you may also contact Jane Yung, Vice President and Chief Compliance and Risk Officer, University Privacy Officer, uwprivacy@uw.edu.