Link Search Menu Expand Document
Responsible data management toolbox

5.3 Consent


This section is complementary to that on the legal basis for collection in the aid sector within the regulatory pillar, which addresses the legal aspect of the topic (Section 3.1 Decoding GDPR). It is the practical and hands-on dimension of consent that is presented here. You can find more information about what consent means in the Definitions section.

Keep in mind

Consent is a long-standing practice that is now being challenged, given that the conditions for obtaining it – drawing on a real informed choice, without imbalance in the relationship with populations – are rarely met in the contexts of NGO intervention.

It therefore seems more respectful of the populations concerned to maintain consent as a legal basis only for situations where particularly risky data are collected.

However, for all other collections, this means implementing more extensive responsible data management mechanisms than would have been considered with consent.

Consent is the practice in responsible data management that is most challenged today. Although seemingly obvious in principle to justify the collection of personal data, obtaining it (considering that it is informed and enlightened consent that is given) is in fact very difficult in the international solidarity sector (see section “Consent: an over-used legal basis?” to better understand the issue of the legal bases for collection and the often-inappropriate side of consent).

As so aptly put by the Engine Room, an NGO that supports a more responsible use of technology in the social justice sector and frequently addresses the issue through the responsible data community, “just because someone has signed a form, does that mean they truly understand everything they are agreeing to?” And beyond that, “How can we re-imagine informed consent in a way that upholds the dignity and rights of the communities we serve?” , “And, if we go beyond consent, what would a rights-respecting approach to collecting data look like?” (Source: Unpacking informed consent). The topic raises more questions than it answers, but we will try to help you put this into practice.

Just remember that it is appropriate if the person has a real choice and concrete control over how their data will be used.

5.3.1 Guiding questions

Here is a list of questions that you can ask yourself to guide you in your choice:

In order to answer this first question, you can refer to the subsection on tools to help you determine the most appropriate legal basis.

First, the conditions for obtaining informed consent, that is to say that it is explicit and unequivocal, must be met (reference to the definition in section 2) and show an “active approach” (Source: CNIL). This means that it must be free of any constraint to be valid. However, in the aid sector, data subjects are often in a vulnerable situation, which can place them in a dependent relationship with the organisations, and hence in a situation – real or imagined – of not being able to refuse the envisaged collection.

For example, this may be due to an external factor, as a result of a natural disaster or in an armed conflict; linked to personal circumstances: literacy level, foreign language, belonging to a minority.

Moreover, informed consent is a European concept, derived and adapted for societies where people have the capacity to decide for themselves, which is not necessarily the case for the communities with which organisations work.

The collection and validity of consent in these circumstances appears to be a challenging exercise. The risk is for the consent not to be sincere and for this to bias the relationship of trust.

Furthermore, when consent is used as a legal basis for data collection, organisations have an obligation to document and retain the consent collected, to ensure that it has been taken into account, to have traceability and to be able to respond to possible requests from individuals.

Additional insights into informed consent can be found in the webinar on informed consent “How can you truly manage informed consent in practise? » produced as part of GeOnG 2022.

To paraphrase the ICRC in a few lines (Section 3.2 of the ICRC Handbook on data protection in humanitarian action), the following should also be provided, consent must:

  • Be unambiguous,
  • Be collected as close as possible to the time of collection,
  • Take into account the degree of vulnerability of an individual in their decision-making,
  • Be informed (explanations are given in everyday language, jargon-free, allowing full appreciation and understanding of the circumstances, risks and benefits of data processing),
  • Be documented.

To this can be added a few resulting items (source: ACF/HI):

  • to identify all the field constraints related to the organisation, the operational context, the access to the affected population (geographical remoteness, inaccessible area, foreign language, possibility of translation, use of concepts, presence of a technology, etc.) to the personal situation (advanced age, child, disability, belonging to a minority, etc.) in order to determine whether consent can be obtained,
  • to describe how consent is collected (in writing, orally) and have a consent model,
  • to have procedures/guidelines for obtaining consent,
  • to train the teams in the concept of informed consent,
  • to translate the information necessary for consent into the local language.
    • the burden of proof of an individual’s consent, whose data is collected, rests on the person responsible for the dissemination: it is strongly suggested to document the collection of consent in order to inform people about their data (if for example, a secondary use purpose is added to the initial processing of their data) and to maintain traceability,
    • if the necessary conditions to ensure that consent is indeed a real choice of the data subject are not met, it is recommended not to collect and to select another legal basis.

iii. If not, what should you be doing anyway?

As mentioned in Section 3.2 of the ICRC Handbook on data protection in humanitarian action- the reference on the subject - “obtaining consent is not the same as providing information on data processing. In other words, even where no consent can be sought, information requirements still apply, “such as providing information on] the rights to oppose, erase, access and rectify.”

Oxfam developed a policy on the use of biometric data in 2021, in which it states that in the absence of consent, we must “clearly express our judgements and choices, contextualize how the data will be used, and take responsibility for our choices.”

Finally, it is important to distinguish between consent to the collection and use of people’s personal data and consent to intervention, which remains an imperative of humanitarian ethics.

The responsibility to inform data subjects about the context and reasons for collecting their personal data can be a complex exercise when dealing with children. First of all, the understanding of the message can vary according to age, level of maturity, physical and psychological state of health.

For this reason , those responsible (or guardians) for the children must give their consent in addition to that of the child. When dealing with unaccompanied children, it is essential to accurately analyse if it is in their interest to trust the adults around them. Unaccompanied minors are indeed particularly vulnerable to sexual exploitation, human trafficking, forced labour or other forms of abuse.

Here is an example of best practices for obtaining the consent of a child, from The Tdh Data protection Starter Guide:

image info