Research Ops & Compliance
Recording and managing informed consent
Written by: Phil Hesketh
In the UK, the Information Commissioner’s Office (ICO) has published a helpful checklist, in line with the GDPR, for how you record and manage informed consent.
The ICO breaks down the requirements for obtaining and managing consent into the following three categories: Asking for Consent, Recording Consent and Managing Consent.
If you’re interested in how to ask for consent, specifically how to write your own best practice documents, take a look at our previous article, “What is informed consent?”
The need to record how consent was obtained is something that is often overlooked in organisations. In order to comply with the GDPR, the ICO recommends the following records be kept:
- Keep a record of when and how we got consent from the individual.
- Keep a record of exactly what they were told at the time.
Consistently pulling all of this information together from emails, paper forms and online surveys takes time and is a significant amount of work.
We’ve designed this need into the heart of our product. Consent Kit automatically builds a time stamped activity log against each participant as you progress through your projects and research activities. From this log you can see when and how the participant was asked for consent and exactly what was asked of them; with links to all of the documents and emails they were sent.
Managing how you ask for consent within your organisation should be an ongoing process. Each time the parameters of your research change within a project, or you introduce a new method for obtaining consent, you should review the process as a whole to understand how it will affect the participants involved.
The ICO recommends the following checks:
- Regularly review consents to check that the relationship, the processing and the purposes have not changed.
- Have processes in place to refresh consent at appropriate intervals, including any parental consents.
We’ve implemented a system of templates for you to use when creating consent documents. These templates cover the basics of what you need to cover, but also prompt for reflection on how you’re currently processing and for what purpose. In this sense, creating your consent documents through Consent Kit ensures that each time you create one, the document itself is refreshed and relevant to the specific context of the project you are currently working on.
- Consider using privacy dashboards or other preference-management tools as a matter of good practice.
We believe that informed consent represents a significant opportunity for organisations to engage and build trust with their customers who take part in their research. Giving participants greater transparency and autonomy over how you treat their personal information is essential in developing trust in a “post truth” world. Providing your researchers with the tools to manage this effectively and efficiently makes achieving this a lot simpler and less stressful.
- Make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
- Act on withdrawals of consent as soon as you can.
- Don’t penalise individuals who wish to withdraw consent.
While we include how to withdraw from the research within the consent document itself, we have plans to open access to the activity log to the participants themselves. This will allow for easy access to the information on them you currently hold and enable new opportunities for building trust through transparency with the people you’re learning from.
If a participant decides to withdraw from the process themselves, all they need to do is click on a link we send them in an email. This opens a dialogue with the researcher which gives them an opportunity to understand why, but also makes withdrawing participants - and ensuring that all of their information is actually deleted - a much simpler process than it currently is.
For more information from the ICO around consent and how to manage it, visit their section on Consent, within their guidelines for the lawful basis for processing personal information.