Ongoing consent

ChurchSuite's Ongoing Consent feature can help simplify the process of obtaining consent for those in the Address Book and Children modules, helping you comply with the UK Data Protection Act 2018 and EU General Data Protection Regulation 2018 (GDPR).

In this article

Overview of the consent workflow
Adding your privacy notice
Customising the My Consent form
Customising the consent request email
Sending consent requests to multiple people
Sending individual consent requests
Managing ongoing consent for those without an email address
Managing/reporting ongoing consent received and consent outstanding

Question: Before proceeding, is consent the correct lawful basis for us?

Please take time to read this support article carefully before sending consent requests. Consent is one of eight lawful bases for processing personal information under the GDPR. Consent is only appropriate if you can offer people real choice and control over how you will use their data, and if you want to build their trust and engagement. Where you are unable to offer a genuine choice, consent may not be appropriate. For example, if you would still process personal data because you have a legitimate interest or legal obligation, asking for consent is considered misleading and inherently unfair, and therefore not compliant with the GDPR. For UK organisations, further ICO guidance can be found here.

Important! Make sure you have an approved, compliant privacy notice suitable for your purposes before you send consent requests. If there's no privacy notice, people cannot fairly give consent.

GDPR consent is not necessarily the same as parental consent in the context of children and young people, although there is often overlap in the information you are requesting from parents. While some customisation of the consent request email and My Consent form is possible, the Ongoing Consent functionality may not best suit your full parental consent processes. The functionality described in this article is primarily intended for data protection consent under the GDPR. See our related support article on Creating customisable Forms, which may be better suited to parental consent scenarios.

Overview of the consent workflow

The My Consent functionality described in this article is independent of the member-facing My ChurchSuite; neither your organisation nor your members need to be using My ChurchSuite in order to send or respond to consent requests. Best compliance with the GDPR is achieved when data subjects can manage their own data, which is what My ChurchSuite is primarily designed for. Without access to My ChurchSuite, data subjects will only be able to manage their data when they receive a consent request (explained in this article), when submitting their personal information as a newcomer using the My Details form running at your Information Point through Connect, or when using the Address Book Embed. We therefore encourage you to make My ChurchSuite available to those in your ChurchSuite database, both for best compliance and to reduce office administration, since data subjects can then manage their personal information themselves.

You can send consent requests to individuals, groupings of people (perhaps in a Tag) or all contacts and children if you wish. This can be done from a contact's profile in the Address Book, a child's profile in the Children module, or the Communication section of the respective module.

Embedded in the consent request email is a personal link to the recipient's own My Consent form. The My Consent form lists all the personal data you hold for that person displayed in a partially-obfuscated (starred out) format. Internal-use 'legitimate interest' data like notes, key dates, tags and flows are not shown in the form although you will likely need to explain this type of processing in your organisation's privacy notice.

Contacts and their children can then easily review their personal information on the My Consent form, making corrections, adding missing information, or removing data they no longer wish you to process. They can also review their Privacy Settings (if My ChurchSuite access is enabled) and their Communication Options, before finally ticking the checkbox to confirm they have read your privacy notice and submitting the completed form. Alternatively, they can request that their account be deleted from your ChurchSuite database. Your privacy notice should make the process clear for those invoking their right to be forgotten, but remember that the right to be forgotten is not the same as a request for their data to be deleted from ChurchSuite (this is further explained in the related support article).

When the consent form response is submitted (and consent is given), any changes made on the form by the data subject are updated on their profile in ChurchSuite, with a change log entry added. A helpful 'Ongoing Consent' Key Date is added against the person's profile, and as a double consent confirmation, the data subject receives a Success email that includes a snapshot of the My Consent form they submitted. The sent success email is added to the person's Communication log and serves as further evidence of consent.

If a consent request recipient selects Delete account, an email is sent to your organisation's designated Data Protection contact (set in Administrator > Profile) so that you can follow your preferred internal pastoral and administrative workflows for removing data held on ChurchSuite - unless you have an overriding lawful basis for continuing to process some or all of their personal information. The 'delete account' request will never auto-delete a person - this can only be actioned by a User after review and due consideration of the request.

The process for obtaining ongoing consent from adult contacts and children is identical. Each data subject will receive a separate personalised consent request email and each individual has their own My Consent form. As part of the ChurchSuite consent form 'submission' workflow the data subject is required to type their name (like a digital signature); meaning that you will know whether the My Consent form was completed by the data subject or by a spouse/partner or a parent on behalf of their child. Do remember that children over the age of consent (13+ years under the EU GDPR) may be able to provide their own consent, or a parent or adult with parental responsibility may consent on the child's behalf. The name of the My Consent form's submitter is included in the 'consent' Key Date that is added, along with the date/time of consent, the IP address of the submitter and the consent method (i.e. the "My Consent" form, as opposed to a paper-based consent perhaps recorded by one of your Users). Where your organisation has multiple consent-gathering admin workflows - perhaps a paper-based system for those who don't have an email address - you may wish to make use of the Ongoing Consent key date for those processes too - in this way a single 'Ongoing Consent' key date instance will help you determine those that have or have not yet provided you with ongoing consent.

Where consent is your lawful basis for processing, for best compliance, and certainly when your organisation's processing purposes change, you can send an ongoing consent request form again at any time.

Under the GDPR, there are eight lawful bases for processing personal data - consent is one basis - but this may not be the best or most appropriate basis depending on how you process information. As Data Controller your organisation's privacy notice will outline 1) the lawful basis/bases for processing the different types of personal data you hold, and 2) the purposes for processing. If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with the initial purpose, unless your original lawful basis was consent. You will always need to gain new consent if your purposes change.

The GDPR imposes extensive accountability and transparency requirements for Data Controllers. You should therefore make sure you document your lawful basis/bases for processing so that you can demonstrate compliance (known as a Data Protection Impact Assessment). You must also inform data subjects upfront about your lawful bases for processing their data by including it in your Privacy Notice. Your privacy notice should be easily accessible every time people are asked to provide or submit personal information to your organisation. All ChurchSuite public-facing forms always make available your privacy notice and do not allow data submission through a form unless the data subject ticks to confirm they have read, understood and accept your privacy notice.

Adding your privacy notice

Before sending consent requests, make sure your organisation's privacy notice is up to date and added to ChurchSuite. Your privacy notice is made available on all public-facing forms where people will submit personal data including the My Consent form. Remember, a data subject cannot be deemed to have fairly consented if your privacy notice was not available at the time they responded to your consent request for the ongoing processing of their personal information.

Your privacy notice is added in the Administrator section of your ChurchSuite account, within the Profile area - see the related support article How to customise the appearance of your ChurchSuite account which includes step-by-step instructions.

Customising the My Consent form

Before sending consent requests, take time to work through and review the settings to customise the form your data subjects will access.

First, be aware that the My Consent form uses the same field settings as My ChurchSuite - fields editable in My ChurchSuite are also editable on the My Consent form; similarly, fields that are not editable in My ChurchSuite will not be editable on the My Consent form. Since best compliance with the GDPR is when a data subject can manage all their personal data, you should review the My ChurchSuite Options for the Address Book and Children modules so that any optional Fields that you use to collect personal data are editable in My ChurchSuite and on the My Consent form too.

Of course, any internal-use custom fields can be set not visible in My ChurchSuite, or you may wish to set them as visible, but not editable. A good example may be an internal-use "membership status" custom field that you set visible in My ChurchSuite, but you probably don't want this editable! Best compliance is to be as transparent as possible about the personal data you hold, perhaps by setting custom fields visible, even though the data subject cannot change the data - in this way mistakes or incorrect data can more easily be identified and rectified (the "right to rectify" is also a data subject's right under the GDPR). See the related support on Adding custom fields for people for further information about custom field visibility and editability in My ChurchSuite and My Consent.

Next, head to the Profile section of the Administrator area, and click into the My ChurchSuite settings section...

Scroll down the page to the Communication and Privacy sections and review the information that will be displayed in these respective sections on the My Consent form - click Edit to make changes. The same messages are shown for contacts, parents and children, so you should use language and terminology that is clear and easy for your audience to understand what their communication and privacy settings mean.

Top Tip! Child consent

Do make sure that the language you use for these messages is clear and concise. Where you are relying on a child's consent, the GDPR expects the language to be easy for children to understand - they have the same rights as adults in respect of their personal data. This includes the right to access their personal data, the right to request rectification, the right to object to processing, and the right to have their personal data erased if they wish, so it's important that they clearly understand how their personal data is used and their rights. Their consent could be considered unfair or unlawfully obtained if the language you use is deemed too complex for them to understand.

Still in the Administrator Profile, click on the My Consent tab. This tab contains the remaining settings that control the appearance of the My Consent form that data subjects will complete.

Working through each section in turn, click Edit to add your own content. Begin by customising the consent form Title and the [Welcome] Message that shows in the form's Header.

Optionally customise the consent form's Footer message and the Success message people will see on the screen when they submit their completed form. You can also choose a Success Email by first creating a Preset email (in Administrator > Presets). ChurchSuite will append a snapshot of the submitted My Consent form to the selected preset success email. If no preset success email is created, ChurchSuite will send the form snapshot as a standalone confirmation email. The 'From' address in the ChurchSuite-generated email will be your organisation's designated Data Protection contact (set in Administrator > Profile) but if you choose a Preset success email, you can specify the 'From' address in the preset's settings.

The Footer Message is shown like this on the My Consent form.

The Success Message displays on the screen when people submit the completed form.

Customising the consent request email

The ongoing consent process begins by sending people a Consent Request email. There are two Preset emails - one for Address Book contacts and one for children in the Children module that will be sent to a parent and/or child. You can customise both preset emails to ensure the language and terminology best suit your context. Make sure that the language used within the child consent request email is clear and easy for them to understand, otherwise, your consent request may not be deemed compliant!

Head into the Administrator area of ChurchSuite and click the Presets section. For each of the two consent request presets - Consent Request and Consent Request (Child) - select Edit from the Action menu on the right-hand side of the page.

You can further customise the content of the Preset email. It's important that the Review & grant consent link is present in the email body. The link wording itself can be customised, but the underlying ::my_consent_link:: merge field must be left intact and present - it's this merge field that becomes each recipient's My Consent form link when the preset is sent to each data subject.

Sending consent requests to multiple people

The process of bulk-sending Consent Requests is the same for contacts and children. For children, you will have the option to send the request to the child's primary parent/carers, to all the child's parents/carers, or to the child.

Head into the respective module's Communication section and select the contacts or children you want to send the consent request email to. Note the option to Search by individual contacts/children or those grouped together in Tags.

Next, locate the Consent box at the bottom of the page and click Send consent requests.

The Consent Request is previewed before sending, along with a list of recipients. Click Send email to complete the process.

Note: Consent requests are sent even if a recipient's communication options are opted out of receiving general emails - you do not need consent to send a consent request!

Sending individual consent requests

You can send individual Consent Requests directly from a contact or child's profile page in the respective Address Book or Children module. Select Send consent request option from the Communicate drop-down.

Note: Consent requests are sent even if a recipient's communication options are opted out of receiving general emails - you do not need consent to send a consent request!

Managing ongoing consent for those without an email address

The ::my_consent_link:: merge field present in the Consent Request preset email (explained above) can also be used in an SMS message, meaning that you can send consent requests by SMS, perhaps for those who don't have an email address but who do have a mobile number.

Sending SMS consent requests

It is not possible to send an SMS consent request through the Children module to parents - child consent requests can only be sent to the child's mobile field. If you attempt to send an SMS child consent request to a parent, the consent request merge field link will be for the parent, not the child!

Sending an SMS through ChurchSuite requires the completion of an integration with one of the supported SMS providers appropriate for your region/country e.g. Textlocal, Twilio or BulkSMS - see our separate support articles for completing the appropriate integration.

The ::my_consent_link:: merge field, when added to an SMS, will translate into a clickable My Consent form URL of approximately 100+ characters, meaning that a consent request SMS may exceed the 160-character limit of a single SMS credit, particularly if you add a personal message.

For contacts and children where neither an email address nor a mobile number is held, you might consider using the Full Details report to produce a printed summary of each person's personal data. This can then be posted to the individual, perhaps in duplicate with a covering letter and your privacy notice, asking them to review it, indicate any changes, and return one copy signed and dated to confirm their consent.

The Full Details report is located in the Data Cleansing section of the respective Address Book and Children module reports sections...

You can identify people without email addresses and mobile numbers using a Smart Tag, perhaps with conditions as follows (which matches people with a missing email address and a missing mobile telephone number)...

...and then use that Smart Tag to filter the Full Details report for just those without email addresses and mobiles.

You can use the same Smart Tag to produce address labels for envelopes (in Communication > Labels/Envelopes). Notice also the option to Log in Communication, enabling you to record the sending of a consent request by post in the Communication log of each person you produce a label for.

As each manually-sent consent form is returned you can add an 'Ongoing Consent' key date against the person...

You might also scan and upload paper consent forms to a secure online file storage solution like Dropbox, iCloud or Google Docs, and then add a link to the scanned consent form file as a Note against the person's profile.

And finally, in this section, you may find it helpful to set an Ongoing Consent key date to be added automatically when newcomers submit their details using the Address Book Embed and Connect My Details forms. Head into the Address Book and Children module settings via the cogwheels icon in the top-right corner of the respective module.

Scroll down the Connect Options tab to the Add contact/child section. Click Edit and select the Ongoing Consent key date to be assigned when a new contact or child's details are submitted into the module through the My Details form.

Scroll down the Embed Options tab to the Add contact/child section. Click Edit and select the Ongoing Consent key date to be assigned when a new contact or child's details are submitted into the module through the Address Book Embed form.

Managing ongoing consent received and outstanding

It's helpful to distinguish where there are outstanding consent requests; especially if your processing purposes change and you need to reach out to those in your database to request updated ongoing consent. For those who complete and submit the My Consent form, several things happen in ChurchSuite that will help you keep on top of 'granted' and 'outstanding' consents.

1. An 'Ongoing Consent' Key Date is added to the person's profile.

2. When a person completes and submits their My Consent form a record of the data subject's confirmation email is added to their Communication log. The confirmation includes a snapshot of the consent form at the date/time of submission and serves both as evidence of the consent given, and also a double check for the data subject i.e. they too will have a record of the data they consented to.

3. Any changes to personal information made on the My Consent form are recorded in each person's Changes log.

With these things in mind and if you are using the workflows outlined in this article, you can use the presence or absence of the 'Ongoing Consent' Key Date to easily identify people whose consent is granted, outstanding, or due to update. For example, the following Smart Tag condition matches people who have consented in the last 3 years...

A variation of the above tag can be inverted to identify missing consent or those whose consent was given more than 3 years ago.

By having both of the above Smart Tags in place in your Address Book and Children modules, each contact or child profile page will clearly show their latest consent status.
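As an added illustration (not ChurchSuite code, and not the product's own Smart Tag engine), the Python below models the two Smart Tags described above together with the earlier missing-email-and-mobile tag: it derives a person's consent status from their most recent 'Ongoing Consent' key date using the 3-year window as the example renewal period, and flags those who would need a postal request. All names, dates, the IP address and the field names are constructed for the example.

```python
"""Consent triage modelled on the 'Ongoing Consent' key date workflow.

Added example, not ChurchSuite code: the record shapes below are assumptions
that mirror the evidence the article says each key date carries (submitter
name, date/time, IP address and consent method).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The article's example Smart Tag window: consent given within the last 3 years.
RENEWAL_WINDOW = timedelta(days=3 * 365)


@dataclass
class ConsentKeyDate:
    """One 'Ongoing Consent' key date instance (field names are assumed)."""
    given_at: datetime
    submitted_by: str            # the typed name acting as a digital signature
    method: str                  # e.g. "My Consent form" or "paper"
    ip_address: Optional[str] = None   # only recorded for My Consent form submissions


@dataclass
class Person:
    name: str
    email: Optional[str] = None
    mobile: Optional[str] = None
    consent_dates: List[ConsentKeyDate] = field(default_factory=list)


def latest_consent(person: Person) -> Optional[ConsentKeyDate]:
    """A person may hold several key date instances; the newest one counts."""
    if not person.consent_dates:
        return None
    return max(person.consent_dates, key=lambda kd: kd.given_at)


def consent_status(person: Person, now: datetime) -> str:
    """'granted' inside the window, 'due' if older than it, 'outstanding' if none."""
    kd = latest_consent(person)
    if kd is None:
        return "outstanding"
    if now - kd.given_at > RENEWAL_WINDOW:
        return "due"
    return "granted"


def needs_postal_request(person: Person) -> bool:
    """Mirrors the Smart Tag: missing email AND missing mobile (blank counts as missing)."""
    return not (person.email or "").strip() and not (person.mobile or "").strip()


def triage(people: List[Person], now: datetime) -> Dict[str, List[str]]:
    """Group names the way the article's Smart Tags and reports would."""
    groups: Dict[str, List[str]] = {"granted": [], "due": [], "outstanding": [], "postal": []}
    for person in people:
        groups[consent_status(person, now)].append(person.name)
        if needs_postal_request(person):
            groups["postal"].append(person.name)
    return groups


# Constructed sample data (not real people); NOW is fixed so results are repeatable.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE_PEOPLE = [
    Person("Alice Example", email="alice@example.org", consent_dates=[
        ConsentKeyDate(datetime(2023, 1, 10, tzinfo=UTC), "Alice Example",
                       "My Consent form", "203.0.113.5")]),
    Person("Ben Example", mobile="+44 7700 900123", consent_dates=[
        ConsentKeyDate(datetime(2020, 3, 1, tzinfo=UTC), "Ben Example", "paper")]),
    Person("Carol Example"),  # no email, no mobile, never consented
    Person("Dan Example", email="", consent_dates=[
        ConsentKeyDate(datetime(2019, 5, 5, tzinfo=UTC), "Dan Example", "paper"),
        ConsentKeyDate(datetime(2024, 2, 1, tzinfo=UTC), "Dan Example", "paper")]),
]

if __name__ == "__main__":
    for group, names in triage(SAMPLE_PEOPLE, NOW).items():
        print(f"{group:>11}: {', '.join(names) or '-'}")
```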

The Key Dates report and Key Dates Missing report can be filtered for the 'Ongoing Consent' key date to quickly identify those who have consented and those whose consent is outstanding or missing. You can also communicate directly from the report's results, perhaps to send a reminder to those whose consent is outstanding.

Do we have to delete data if we don't hold consent?

If no lawful basis applies, your processing of people's personal data may be unlawful and in contravention of the first GDPR principle. Individuals (data subjects) have the right to have personal data erased which has been processed unlawfully. There are also potential fines for non-compliance!

Your privacy notice should make clear the purpose for processing each type of data you hold and the lawful basis you rely on for processing. Remember, processing includes the storage of personal data, not just the things your organisation does with it, e.g. marketing communications, running rotas, managing small groups and children's groups.

While consent is one basis for processing, there are seven others, including legitimate interest, which may be more appropriate and easier to administer. However, it will be difficult to retrospectively change the basis for processing in the absence of consent - even if another basis could have been used from the start, retrospectively switching the basis is likely to be deemed inherently unfair to the individual and lead to breaches of the accountability and transparency principles of GDPR. Therefore, organisations need to get their lawful basis for processing right from the start!

For churches particularly, it's important to consider to what extent the legitimate interest basis applies to some or all of the types of data you hold - it's not helpful (and is confusing to the data subject) to ask for consent where legitimate interest or legal obligation might be more appropriate. Your privacy notice should explain the different bases and types of processing for each basis. For example, you may prefer to consider legitimate interest as your lawful basis if you wish to keep control over data processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unexpected impact on their rights and freedoms. On the other hand, if you prefer to give individuals full control and responsibility for their data (including the ability to change their minds as to whether it can continue to be processed), consent will be more appropriate.

For each category of personal data you process, make sure that your privacy notice clearly states the lawful basis for processing. For example, you may not need to ask consent to send rota reminder communications if you consider there's a "team serving legitimate interest" that warrants sending reminders - especially since rota members can easily opt out of receiving rota reminders if they become an annoyance or are unwanted. On the other hand, if you plan to use their rota reminder email address for church marketing, you may need consent for that purpose. Without a legal basis for processing, the GDPR is clear that you should immediately cease processing their data, which includes storing that data.

Still need help? Contact ChurchSuite