When you consider consent, you’ll typically think about contact information, your address and, perhaps, medical records that you’d consider to be ‘sensitive’ or confidential.

However, laws to do with consent apply to anything where a person is identifiable, and this includes artwork, photos and videos.

Digital asset managers must make sure they have robust consent policies and procedures in place to avoid falling foul of these regulations, and protect the privacy of their organisation’s customers, employees, contractors and the subjects of digital works.

In this article, we explore consent and Digital Asset Management, breaking down the legal frameworks, principles and practices necessary for navigating this complex subject. We also take a look at the best practices for managing video and photo consent with actionable advice.

From understanding how we define ‘consent’, through to how DAM can support compliance, we’ve got every detail covered for all organisations prioritising their users’ privacy.

What is consent?

There are six legal bases that allow personal information to be processed - obtaining consent is one of them, as set out in Article 6 of the UK General Data Protection Regulation (GDPR). It refers to when an individual has given clear consent for an organisation or institution to process their personal data for a specific purpose.

The other five are:

  1. Contract: processing the individual’s data is necessary for a contract, or because you’ve been asked to carry out specific steps before entering into a contract.

  2. Legal obligations: processing is necessary in order for you to comply with the law.

  3. Vital interests: processing is necessary to protect somebody’s life.

  4. Public task: processing is necessary for a task in the public interest, or for an official function that has a clear basis in law.

  5. Legitimate interests: processing is necessary for your organisation’s legitimate interest, or that of a third party, unless there is good reason to protect that individual’s personal data that takes precedence over your legitimate interest.

Consent is defined in Article 4(11) of the UK GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.  

For that consent to be ‘freely given’, the person must have had a genuine choice and control over how their data is used - but what does ‘genuine choice’ really mean?

What is ‘genuine choice’ when it comes to consent?

For a consent request to be considered a ‘genuine choice’, people must be able to refuse consent ‘without detriment’. The key here is whether the consent is required to carry out the task.


Imagine you’re going through the checkout process for buying a digital collection of photos from a museum’s website. Before completing the purchase, you must consent to having your details shared with the museum’s ‘trusted third parties’.

The retailer has made the consent a condition of the sale, but sharing your details is not necessary for processing the order. This means consent is not ‘freely given’, even though customers could choose to abandon the purchase.


As part of the checkout process, an art gallery requires you to consent to having your details shared with a third-party courier that handles all of the gallery’s orders. You can also choose to opt in to the gallery’s monthly newsletter, but it’s not required to complete the purchase.

In this case, both consents can be considered freely given. It is necessary for your information to be shared with the courier for completion of the sale, while opting into the gallery’s newsletter is optional.

The implications of GDPR

We should start with a clarification: the General Data Protection Regulation (GDPR) is no longer applicable in UK law.

GDPR is a European Union regulation, so when the UK left the EU on 31st January 2020, it ceased to be in effect. However, the GDPR framework has been retained, with the ‘UK GDPR’ sitting alongside an amended version of the Data Protection Act (2018) which controls how personal information is used by organisations, businesses or the government. There are very few significant differences between the UK version of GDPR and the original EU regulations, with the UK essentially lifting the entire structure of the original framework and placing it into UK law.

The Data Protection Act provides individuals with a number of rights when it comes to how their data is used and stored, including:

When it comes to consent specifically, UK GDPR sets a high standard. It means offering individuals a genuine voice, and control over how their data is processed on an ongoing basis. 


If an individual can be identified by an image, data protection legislation applies. For example:

The two museum employees in this image are clearly identifiable. Therefore, consent would have to be obtained from both of these individuals before the museum could use the image for marketing.

By contrast, the people in this photo aren’t identifiable, so consent wouldn’t have to be obtained by the gallery before using this image. Note that for crowd shots that contain no identifiable individuals, again no legal basis is required for taking, displaying or publishing the image. If a crowd photo does include identifiable individuals, then the legal basis is ‘legitimate interest’.

It’s important to remember that, for taking photos of children, you must take extra care to ensure you have the correct consent. However, despite the need to take extra care, the law itself isn’t that different apart from requiring consent from the child’s parent or guardian. Below is an example case study of an organisation securing consent for using images of children:

A marketing team at a national children’s hospice produces illustrated ‘stories’. These raise awareness of how they’re helping families with terminally ill children. 

Each story has a set of photographs of a child, on their own and alongside hospice staff, and includes a written description. The story is used in promoted social media posts, and the images are treated as a set with different photos from the same collection being used across different platforms. There’s also a video of the child with a voiceover telling the story, which is used as part of a longer video. 

Before sharing anything, the hospice must agree with the family how and where the story will be used, how long to make it available for, and confirm how much they feel comfortable disclosing about their child’s prognosis. The legal guardian(s) have to sign a consent form that includes all of this information. A copy of the form is given to the family and the original is saved by the hospice. The form is set to expire after the agreed period. Before that date is reached, the hospice will need to decide whether to re-contact the family about renewing the consent, if they want to continue sharing the story.

When it comes to consent for photography, there are three legal bases for photographs of individuals and posed groups: ‘legitimate interest’, ‘consent’ and ‘contractual obligation’.

How Digital Asset Management supports compliance

A dedicated DAM system includes a number of features that help to manage consent and ensure you stay within the law.

Store and manage consent records in one place

A DAM allows you to manage subject consent in a single location, making it easy to view and edit consent documents and link them directly to the assets they relate to.

ResourceSpace’s Consent Manager does exactly this, allowing you to add multiple consent records per resource and make changes centrally.


Setting license expiry dates with metadata

Permission to use an image does not necessarily last forever. Licenses and consent will be time limited, and a DAM will make it easier to keep track of this using metadata.

In ResourceSpace, you can set license and consent expiry dates as a metadata field, and create workflows that automatically send alerts when that expiry date is approaching. This gives DAM managers the opportunity to renew the license or consent. If it isn’t renewed, the system will automatically archive the material and take it out of general circulation.

Manage image releases

As well as setting expiry dates with metadata, you can also restrict assets from being accessed until a certain date. For example, you might have an image in your DAM system but you don’t yet have the usage license agreed. This can be automated too, with a workflow that triggers the release into general circulation.

Set access permissions

When a digital asset is used in a way that doesn’t comply with the license or consent, it’s often by accident, and typically it’s because the person or team using the asset isn’t aware of the restrictions.

Restricting access permissions to certain assets goes a long way to avoiding this, with DAM managers able to control who can view, download or edit an asset, while they can also review access requests to help identify whether a use case might be in breach of the license.
