search
GovStack Website

Ask for consent

Consent allows users to control how their personal data is accessed, used, stored, or shared within a service.

You do not need to ask for consent when:

  • data processing is required by law for a government task or statutory function

  • processing is necessary to deliver a service under authority or contract

  • individuals cannot reasonably be identified from the data

In these cases, clearly inform users instead of requesting consent.

hashtag
Steps

spinner

Consent may be requested at the start of the journey or at specific points where a new purpose is introduced and user approval is required to proceed.

hashtag
1. Understand why consent is needed

Users' consent should be requested for a specific purpose. If you use the data for more than one reason, get separate consent for each.

Ask for users consent when you need to:

  • access a user’s personal data including from another authority or provider

  • store, manage, or retain personal data

  • share personal data with another system or organisation

  • allow users to view, manage, or withdraw previously given consent

Users need to understand:

  • what data will be accessed or shared

  • why it is needed

  • who will receive it

  • how long it will be used or stored

hashtag
2. Decision to give or refuse consent

Give users a clear choice to accept or refuse consent without being misled, coerced or pressured.

Where multiple datasets or purposes are involved, users can:

  • give consent for all

  • Give consent for some and refuse others

Use the ask questions patternarrow-up-right with appropriate questions fields such as checkbox or radio button to suit the purpose.

Outcomes for consent decisions include:

  • Partial consent that must be respected.

  • Accepting consent that allows the service to proceed for that purpose.

  • Refusing consent that stops the related processing. The service must explain what will happen if consent is refused.

Use outcome patternarrow-up-right where partial or no consent is given to communicate what happens next.

Inclusive design considerations:

  • If users may need time to understand what they are agreeing to, the journey should enable save and return.

hashtag
3. Proceed to service using the given consent

Before accessing or sharing data, the service checks that valid consent exists. The service uses consent only for the agreed purpose. Consent is recorded with purpose, scope, and timestamp.

hashtag
4. Amend or revoke consent

Users can review, change, or withdraw consent after it has been given. Withdrawing consent stops any future processing for that purpose. The service explains the impact of changing consent.

Consent management may happen within the service or through a dedicated consent management interface.

hashtag
Considerations

hashtag
Technical considerations

Consent rules must be explicit and purpose-based.

Each consent decision should be:

  • linked to a specific purpose

  • associated with the data involved

  • time-bound where applicable

  • recorded with date, version, and context

Systems must be able to:

  • check whether valid consent exists before accessing data

  • prevent processing when consent is refused or withdrawn

  • support auditing and compliance reviews

Integrations should rely on authoritative data sources and trusted consent records, in line with the Consent Building Block.

Last updated

Was this helpful?