UW Privacy Office

Obtain Consent

Why obtaining consent is important

Consent promotes trusted relationships when collecting or using sensitive or special categories of personal data. It informs individuals about the purpose and use of personal data so they can decide if they want to provide the personal data or participate in a particular activity.

Your method for obtaining consent should:

  • Be described and displayed clearly and prominently;
  • Ask individuals to positively opt-in, in line with good practice;
  • Give individuals sufficient information to make a choice. If your consent mechanism consists solely of an “I agree” box with no supporting information, then users are unlikely to be fully informed and the consent cannot be considered valid;
  • Describe how individuals can revoke their consent;
  • Outline consequences, if any, of opting out; and
  • Communicate what UW will do to ensure the security of personal information.

When obtaining consent is required

Obtaining consent when collecting personal data is considered a “best practice” if there is pertinent information or there are rights, risks, or benefits that need to be clearly communicated to individuals in order for them to decide if they want to provide the personal data or participate in an activity. Certain laws may require the UW to obtain consent before collecting personal data or asking individuals to participate in an activity.

European Union’s General Data Protection Regulation

Under EU GDPR, the UW (when acting as controller) is required to obtain valid consent from the individual if consent is the lawful basis being relied upon for processing personal data, or if the data are identified as “special category” data, meaning data that are sensitive in nature and that:

  • Reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
  • Are genetic data or biometric data for the purpose of uniquely identifying a natural person.
  • Concern a natural person’s sex life or sexual orientation.

Legitimate uses of special category personal data under EU GDPR that do not require consent:

  1. To carry out specific obligations or rights of the UW or the data subject in employment;
  2. To protect the vital interests of the individual or another person when the individual is physically or legally incapable of providing consent;
  3. For legal defense;
  4. For various healthcare-related reasons, including assessing working capacity of employee, when the individuals involved in processing have duties of confidentiality;
  5. For various specified public health related reasons;
  6. For archiving, scientific or historical research or statistical purposes; or
  7. If processing relates to personal data which the individual manifestly makes public.

Note that other laws that relate to protection of personal data at the UW may still require obtaining consent even if EU GDPR does not require consent.

See below for Standard Consent Language (compliant with EU GDPR requirements).

Notification or Consent Workflow for EU GDPR

Consult the workflow below to determine whether to provide privacy notice or obtain consent when collecting or processing personal data about people located/living in the European Union:

Notice or Consent Workflow

  • UW Notification or Consent Workflow (pdf version) (Please contact UW Privacy for Workflow accessibility support)

Example UW Consent Forms

    Elements of Consent

    Basic elements:

    Basic Consent should include the following elements in understandable language:

    1. Name and contact information for the individual overseeing data collection
    2. The primary and any supplemental purpose and use of personal data; and
    3. A clear and simple way for individuals to indicate they agree to the collection and use of their personal data.

    The consent should not be bundled with other items that do not require consent. It should not force individuals to agree to several different purposes and uses of personal data, or activities.

    EU-GDPR elements:

    When obtaining consent from people residing in the European Union, see the UW Standard for European Union General Data Protection Regulation.

    All Basic elements above PLUS the elements below are required:

    1. Name and contact information for UW’s Data Protection Officer.
    2. At least one lawful basis (from the six bases below) and purpose(s) of collecting/processing personal data:
      • Necessary for the performance of a contract to which the individual is a party or to take steps at the data subject’s request prior to entering into a contract;
      • Necessary for compliance with a legal obligation;
      • Necessary to protect the vital interests of the individual or another natural person;
      • Necessary for the performance of a task carried out in the public interest or as required by an official authority;
      • Necessary for the purposes of the legitimate interests pursued by the controller or by a third party as long as the purpose does not negate the interests or fundamental rights and freedoms related to the protection of personal data; or
      • The individual data subject has given consent for a specific purpose.
    3. Recipients or types of recipients of the data and their reliance on this consent.
    4. Reference to the UW retention schedule for length of time data will be retained or an explanation of how that time period will be determined.
    5. Individuals’ rights to:
      • Access, rectify, or request erasure of their data
      • Restrict processing of their data
      • Object to processing
      • Withdraw their consent without detriment
      • Take their data with them to another entity
      • Complain
    6. Notice that subsequent withdrawal of consent does not impact the lawfulness of prior data processing.

    Valid and Invalid Consent under EU GDPR

    Refer to the UW Standard for European Union General Data Protection Regulation for specific information about valid and invalid consent.

    Standard Consent Language

    Note: This language is for the collection of personal data that requires consent. If controllers use alternative consent language, they are responsible for confirming that it includes the required elements of consent.

    University of Washington
    [insert UW Unit Name]
    Consent for Collection and Use of Personal Data

    By continuing through this process, you are consenting to University of Washington’s (UW) use of data about you for the purpose of [brief description of the lawful basis and purpose of processing].

    Data records will be maintained for at least their minimum required retention according to the applicable UW Records Retention Schedule(s):

    The UW may share your data with other units around the UW that have a business reason to use or access the data. [UW may also share your data with name(s) of any sub-processor, and a brief description of why].

    Even after you give your consent, you may ask to see your data or request to have your data corrected or erased. You may also object to or request restrictions on how your data will be processed. You may ask that your data be forwarded or transferred to another organization. Finally, you may withdraw your consent without penalty. If you do decide to withdraw consent at a later date, your withdrawal will not change the fact that your data has been processed legally up to that point.

    For more information or to file a complaint, now or later, please contact [Name of UW Controller’s (or representative’s) identity and contact information]. If your data protection related questions or concerns are not addressed after contacting the Controller to which you provided data, then you may also contact UW’s designated data protection officer, Ann Nagel, Institutional Privacy Official and Associate Vice Provost for Privacy, uwprivacy@uw.edu.