There is a workflow called ‘Consent/Permission Request’, which is accessible from the GDPR shortcut icon or GDPR & Checks page on a person record:
This enables users to request consent from individuals and/or send privacy information.
- Choose the Permission Type of Consent Request
- Set a follow up date if required, which creates a task reminding users to check if consent has been received.
- Any documents saved in the Consent Request folder of the Office record will be automatically attached. Any document not required on this request can be removed. Select the document in the ‘Consent Request Documents’ window, and the delete icon will appear allowing you to remove it.
- Add any notes as required and Confirm.
Note: The Consent/Permission Request workflow can be run in Batch for multiple Candidates or Contacts from Contact or Candidate saved search results, and from the Consent Dashboard studio:
To keep track of consent, use the Record Consent/Permission workflow from the GDPR shortcut icon or GDPR & Checks page on a person record:
Update the relevant fields and attach the evidence of consent using the acquire function:
Click Confirm to update the person record.
By using this workflow, Agencies can:
- Track when consent was received
- Track when consent expires - This date field is calculated on load by using the value of the Consent retention period (as set in the GDPR Settings page of the Adapt Manager profile) and today's date (For example, today is 6/09/18 and the consent retention period is set to 2 years. 2 years from today is 06/09/20).
- Track how consent was obtained
- Track the level of consent received
- Track whether explicit consent has been obtained for a Candidate. (Note: Explicit consent can be requested using the workflow Consent/Permission Request above, and once received, recorded here).
- Attach evidence of the consent(s).
Use the new GDPR search function in a Candidate or Contact search to search on these consent fields or use the GDPR Consent/Permission report. New Studios are also available to help monitor consent and notifications. See the Monitoring GDPR section for more details.
Note: An Eshot Consent field is included in the GDPR Record Consent/Permission workflow allowing users to set the 'Can I Eshot this Candidate' flag to Yes when recording consent.
This process allows users of Adapt to log separate consent for special category and criminal offence data. GDPR guidelines suggests these types of data must have separate consent to that of personal data.
Special category data
“Special category data is personal data which the GDPR says is more sensitive, and so needs more protection.
In order to lawfully process special category data, the controller must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. These do not have to be linked.”
Controllers must determine their condition for processing special category data before they begin processing it under GDPR, and document it. For example, information about an individual’s:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
In Adapt, users can attach their ‘Explicit Consent’ request documentation to the Office record and choose to attach this when using the Consent/Permission Request workflow described above.
When the explicit consent has been received, users can record this by selecting ‘Yes’ on the Record Consent/Permission workflow (detailed above) and attaching the evidence.
Once done, this field can be viewed on the GDPR & Checks page and searched or reported on, allowing users visibility of this permission when required.
See the Monitoring GDPR section for more details.
Note: When recording Equal Opps Data or Crim. Convictions data in the Compliance section of the GDPR & Checks page, the user will be asked to confirm whether they have received explicit consent for this (if the Explicit Consent flag is not set to ‘Yes’):
If the user selects ‘Yes’, the explicit consent flag will be set to ‘Yes’ and they will not be asked again for this Candidate.
Warning: If the user chooses ‘Yes’ they can still continue and add the data but should remember to attach evidence to verify this fact using the Record Consent/Permission workflow, or they would be in breach of the ICO guidelines. If they choose ‘No’, Adapt will not continue with the Equal Opps Data workflow.
Criminal Offence data
“The GDPR rules for sensitive (special category) data do not apply to information about criminal allegations, proceedings or convictions. Instead, there are separate safeguards for personal data relating to criminal convictions and offences, or related security measures, set out in Article 10. Article 10 also specifies that you can only keep a comprehensive register of criminal convictions if you are doing so under the control of official authority.”
As it is the Controller’s responsibility to ensure they are following the correct procedure and have authority to record Criminal Conviction data (and always have had), the only change users will see in Adapt is when running the Crim. Convictions workflow. The ‘Explicit Consent’ flag will be checked (as above), and if it is not set to ‘Yes’ the same warning message will be displayed to the user.
Warning: If the user chooses ‘Yes’ they can still add the data, but they should ensure they have evidence to corroborate this.
Keeping Records to Evidence Consent
All Adapt GDPR workflows run are tracked in the Adapt Journal of the user and the person record, so there is a full audit trail of permission tracking:
The information is also available on the GDPR & Checks page of the individual:
The new GDPR search function in a Candidate or Contact search can be used to search on specific fields or users can run the GDPR Consent/Permission report. New Studios are also available to help monitor consent and notifications. See the Monitoring GDPR section for more details.
Keeping Consents under Review and Refreshing Consent
If the Agency uses the consent approach, the ICO states that consent data needs to be refreshed periodically. There are no specific timescale guidelines on this, but the ICO have suggested consent should be refreshed at least every 2 years.
Users can run the Refresh Consent workflow from the GDPR shortcut icon or Compliance page on a person record. This workflow enables users to resend their consent request documentation.
Once consent is received, users should run the Record Consent/Permission workflow and re-set the consent expiry date.
Users can monitor consent expiry from the Consent Dashboard within ‘my Studios’. From this studio, users can run the ‘Refresh Consent’ workflow for multiple users from the Batch menu. See the Monitoring GDPR section for more details.
Running the GDPR Consent/Permission Report or using the GDPR section in searches can help users monitor consent, explicit consent, level of consent, consent expiry, legitimate interest and the method consent was obtained by. See the Monitoring GDPR section for more details.
Users should use the Right to Object workflow to process the withdrawal of consent. See the Right to Object section for more details.