Exploring solutions to the privacy paradox in the context of e-assessment: informed consent revisited

Personal data use is increasingly permeating our everyday life. Informed consent for personal data use is a central instrument for ensuring the protection of personal data. However, current informed consent practices often fail to actually inform data subjects about the use of personal data. This article presents the results of a requirements analysis for informed consent from both a legal and usability perspective, considering the application context of educational assessment. The requirements analysis is based on European Union (EU) law and a review of current practices. As the main outcome, the article presents a blueprint which will be the basis for the development of an informed consent template that supports data controllers in establishing an effective and efficient informed consent form. Because the blueprint, and subsequently, the template, distinguishes between legal and usability requirements, it also provides the basis for the mapping of legal requirements in other (non-European) contexts.


Introduction
Technology is increasingly permeating our day-to-day experiences in education, work, and leisure activities.A recent report by the Rathenau Institute (Van Est et al. 2014) states that the "new technological wave" requires further study from legal and ethical perspectives.The report distinguishes four levels of human-technology interaction: technology in us (e.g., pills that, once inside a human body, can monitor the body's condition and/or support its proper functioning); technology between us (e.g., mobile phones and social networks that allow people to become connected and communicate with each other); technology about us (e.g., navigation systems that determine current location and lead along a programmed route or video surveillance for security purposes); and technology just like us (e.g., robots that are programmed to perform tasks delegated to them).Regardless of the precise level of interaction, human-technology interaction is challenging, particularly when (sensitive) personal data is involved, such as in health care or educational assessments (Kobsa et al. 2016;Wang and Kobsa 2013).This aspect brings legal and ethical challenges related to the acceptance of these technologies and the use of personal data: consenting to the use of personal data requires reading and understanding information provided to reach an informed decision.
A growing number of studies shows that obtaining informed consent is a complicated process (Bashir et al. 2015;Böhme and Köpsell 2010;Lin and Loui 1998).Even if people indicate that the protection of their personal data is important, this does not mean that they pay attention to This publication reflects the views of the authors only, and the European Commission cannot be held responsible for any use, which may be made of the information contained therein.
the details of requests for personal data before they give consent (Elsen et al. 2014).This contradiction between attitudes towards personal data protection and actual behaviour is referred to as the privacy paradox (Norberg et al. 2007).Schermer et al. (2014) speak of "consent desensitisation" and "a crisis of consent".However, the authors analyse this situation not in terms of a contradiction between people's attitude and actual behaviour but in terms of a tension between the intention of the law and current practice.In effect, the risks for both the data subject (a person requested to consent) and the data controller (a person or entity requesting consent) are the same.The data subject risks consenting to the use of personal data to which, in fact, he/she would rather not.For the data controller, inadequate consent carries the risk of not being able to fully rely on the consent obtained (Schermer et al. 2014).The authors propose to address the crisis of consent by adopting a differentiated system of consent, in which unambiguous or explicit consent is sought only "when it really matters", when the decision may involve serious risks or consequences.Although this system may certainly help counter consent desensitisation, the question of how to facilitate informed decision-making in situations where it is deemed necessary remains.
A study by Wilkowska and Zielfe (2011) on the acceptance of e-health technology illustrates that the privacy paradox exists in these situations as well.In fact, this study gives rise to further ethical concerns, as it revealed that the privacy paradox may even be reinforced when the use of personal data appears riskier: in this study, less healthy people indicated that they were less concerned about the secure storage of their personal data than healthy people.As a possible explanation of this effect, Burgess (2007) speaks of a potential trade-off between benefits and risks: even if people are aware of the risks involved, they may feel tempted or basically be forced to consent to gain access to a particular product or service.Similarly, Böhme and Köpsell (2010) mention a perceived lack of choice as a possible explanation for the privacy paradox: people do not see alternative options, and therefore, they see no reason to delve into the details of what they are consenting to.Other explanations they provide are inaptitude and habituation.Inaptitude refers to the fact that people may not have the appropriate knowledge and skills to understand the information provided; they may underestimate or be entirely unaware of the risks associated with the use of personal data.Relatedly, Jensen and Potts (2004) showed that highly educated people better understand what they are consenting to.Finally, habituation refers to the fact that people may have developed a habit to 'blindly' consent so that they can continue doing what they planned to do without spending time on matters that fall beyond their immediate interest.Habituation is of particular concern, as it appears to indicate that solutions designed to obtain consent have resulted in the completely opposite effect.Instead of being informed, people have grown accustomed to ignoring important information; of course, once developed, habits are difficult to unlearn (Greener 2016).
In the context of educational assessment, various stateof-the-art technologies using (sensitive) personal data are currently being explored to enable reliable e-assessments (Gaytan and McEwen 2007;Jones 2011;McCann 2010;Noguera et al. 2017;Underwood and Szabo 2003).e-Assessment potentially offers many advantages, for instance, a greater speed of marking, immediate feedback, and a more entertaining assessment experience (Jisc 1993).However, e-assessment also introduces challenges for an educational institution, concerning the quality of assessment and the prevention of fraud.In this regard, the TeSLA project consortium (https ://tesla -proje ct.eu/) developed technology for identity and authorship verification, including instruments for face and voice recognition, keystroke dynamics, plagiarism detection and writing style analysis (Muravyeva et al. 2019).In this context, obtaining informed consent poses the same challenge of ensuring that students read and understand how these instruments operate and how their (sensitive) personal data are used so that they can reach an informed decision (Drachsler and Greller 2016).Another challenge lies in the European General Data Protection Regulation (GDPR) that came into force as of May 2018.The adoption of the GDPR is a crucial step in the recognition of the value of personal data and the importance of personal data protection.The GDPR articulated requirements for the use of personal data that, among others, included an expansion of the data subject's rights and strengthening of the data controller's responsibilities.However, these expansions increased the complexity of informed consent (Feiler et al. 2018;O'Brien 2016;Jansen 2017).To ensure that informed consent is performed in accordance with the GDPR, the data controller should develop a set of legal, technical, and organisational measures prior to an informed consent procedure.
The privacy paradox and the new legislation underline the need for clear guidelines for data controllers regarding informed consent for the use of personal data.To that end, we aim to develop a blueprint for an informed consent template by following a design-based research approach (Edelson 2009;Plomp 2010).The blueprint will be developed in the application context of e-assessment but can be integrated and applied in any context in which people may be asked to consent to the use of personal data, for instance, for online services, participation in research, and the review of such research by a research ethics committee.The context of e-assessment constitutes the direct cause for the development of the blueprint.However, the results of the requirements analysis described in this paper are generic in the sense that they address the following questions: Q1 What are the definitions of informed consent?Q2 What are the GDPR requirements for the data controllers to be used in the development of informed consent?Q3 What are the usability requirements for the data subjects considering informed consent?
Q2 and Q3 are related to the concept of usability, i.e., the extent to which a product can be used to achieve specific goals in an effective, efficient, and satisfactory way (ISO 1998).An effective, efficient, and satisfactory informed consent procedure requires that the information provided in an information letter is complete (Q2) and presented in a way that facilitates uptake and comprehension (Q3).To address Q2, we analyse the GDPR, which is specific to the European context.However, as mentioned above, the GDPR requirements are quite extensive; thus, we expect that there will be considerable overlap with the legal requirements in other countries.Q3 is addressed by reviewing relevant practice and usability studies regarding informed consent.
Analysis of the requirements will result in a blueprint that provides the basis for an informed consent template to be evaluated in a usability study.Usability studies often refer to the "user" more generally, but in the context of informed consent, there are two user groups: data subjects and data controllers.As will be explained in more detail in section "Blueprint design", the primary user of the informed consent template is the data controller.Hence, the usability study results reported in this paper address the question: Q4 How do the data controllers experience working with an informed consent template derived from the blueprint developed in this study?

Requirements analysis
First of all, the GDPR was analysed to derive legal requirements and conditions for informed consent as well as definitions of "consent", "personal data", "processing", "data subject", and "data controller".Further, in order to develop an understanding of the state of the art regarding informed consent practices, a traditional (rather than a systematic) literature review was conducted (Jesson et al. 2011), using the following search terms: "informed consent" and "personal data"."Assessment", "technology" and "education" were added to indicate a field of application.The search was conducted using the advanced search option "keywords" in the databases of leading publishers in the fields of education, technology, and law.The search resulted in 672 articles, from which a further selection was made by applying additional criteria.The first results were quickly scanned and analysed to exclude duplicates; 212 duplicates were removed at this stage.Then, the abstract of each article was analysed to select only those articles that described informed consent practices, regardless of the context in which they are applied.In fact, many of them describe tools and approaches initially developed for regulating informed consent in the relations between patients and doctors or social workers, which appeared relevant for our specific purpose.A total of 257 articles did not meet the inclusion criteria.For the remaining 203 articles, the full text was scanned.This set contained 30 articles with a focus on our specific field of application.In addition to these articles, we included some articles from other sources, such as the references used in writing the research proposal or found through snowballing, i.e., the references made by authors in their texts.The manual search provided us with 17 additional articles relevant for the review; therefore, a total of 47 articles were included.Table 1

gives an overview
Table 1 Overview of the included articles Focus of the articles included in the literature review according to their relevance for the questions that we aimed to answer.

Blueprint design
Requirements for informed consent extracted from the GDPR and literature review were combined to create a blueprint, covering 'all possible' varieties of an informed consent form that enables the data controller to derive a template for an informed consent form to be further filled in for a specific context (Fig. 1).In information modelling terms: the blueprint constitutes the class from which objects can be derived (Parsons and Wand 2000;Xinogalos 2015).The blueprint indicates, for instance, that the template must contain a description of one or more purposes.Further instructions provided alongside prompt the data controller to consider presenting some purposes as optional to the data subject.In other words, the blueprint describes the total set of obligatory variables to be included in an informed consent form and possible options in connection with these variables for the data controller to decide upon in creating a template.So, sticking with the example of the variable 'purpose', the blueprint dictates that at least one 'purpose' must be filled in and indicates that the data controller may specify multiple purposes, in which case the data controller must decide whether or not to enable selective consent, i.e., consent for a subset of these purposes.Based on what was indicated, a template will be created with additional instructions, e.g., on how to describe a purpose(s).This should result in an informed consent form, which at least meets legal requirements (ensured by the blueprint) and hopefully, based on additional instructions provided in the template, usability requirements for the informed consent form as well.In information modelling terms, the resulting informed consent form, to be filled in by the data subject, is called an instance of the class (Fig. 1).
The blueprint presented in this paper constitutes a first-'rough'-draft rather than a detailed model elaborated in a formal language, such as the Unified Modelling Language (UML 1997).Section "Blueprint for an informed consent template" describes the stepwise approach taken in designing the blueprint.The blueprint is meant to inform future development of a wizard-like tool to support data controllers in creating an informed consent template through a series of choices.Whether or not these two steps of 'template creation' and 'filling in the template' might be combined and executed through a single wizard is an issue for future implementation.In this regard, the model presented in Fig. 1 represents a conceptual model.According to this model, usability is at stake, conceptually, at three subsequent moments in the process (Fig. 1): when the data controller uses the wizard (the blueprint) to create a template; when the data controller uses the template to create an informed consent form; when the data subject uses the informed consent form to reach a decision.In wait of future development of the blueprint into a wizard to support template creation, the first small scale usability study presented in this paper focusses on the experiences of data controllers using a mock-up of an informed consent template, as explained in more detail in the next section.

Design
In order to understand how data controllers experience working with an informed consent template derived from the blueprint developed in the current study, we adopted a mixed-methods design with concurrent collection of quantitative and qualitative data (Creswell 2013).Data were collected in an authentic (ecologically valid) context of data controllers: in this case, researchers needing to obtain informed consent from participants in their research.These researchers were presented with the template and requested to use the template to create an informed consent form for their own research.Quantitative data were collected using an adapted version of the System Usability Scale (SUS) (Blazica and Lewis 2015).Qualitative data consisted of questions raised and feedback provided during and after task performance.

Participants
Participants (n = 5) in this study involved a convenience sample of researchers from various faculties of the Open University of the Netherlands.Three participants were male; ages ranged between 24 and 36 years (M = 29.6,SD = 4.8).

Materials
The mock-up template used in the usability study was derived from the blueprint as described in section "Results".The SUS consists of ten statements (e.g., "I found the system unnecessarily complex", "I thought the system was easy to use") measured on a 5-point Likert scale ranging from 'Strongly disagree' (= 1) to 'Strongly agree' (= 5).The original SUS was adapted to better address the objectives of the current study.For instance, the statement "I think that I would like to use this system frequently" was transformed in "I think that I would like to use this template again next time".

Procedure
A total of nine researchers were invited via email to participate in the study; five of them agreed.Participants were presented with the template and asked to use it to create an informed consent form for the participants in their own research.Apart from instructions integrated into the template, participants were given additional instructions (e.g., applying plain language) before they started working on the task.On average, the entire procedure took 55 min.

Data analysis
Data were analysed at the item level (frequencies to identify main areas for improvement).The qualitative data were used for the interpretation of the quantitative data and presented in section "Results" alongside the quantitative data, to ensure an integrated picture of the results.

Definitions
There are different ways to look at the concept of consent.In normative theory, consent makes actions permitted that would otherwise be forbidden, creating rights and duties (Bix 2018).Similarly, Hurd (2018) describes consent as a right-and duty-constricting mechanism: for the party requesting consent, it implies a duty to inform and to request consent; for those requested to consent, it entails a right to be informed and to decide whether to consent.
With respect to the latter, consent is often linked to selfdetermination as "a practical application of respect for the [person's] autonomy" (Ach 2018, p. 291).In social theory, consent is viewed as a social construction that is in the interest of all parties involved.Usually, informed consent involves trust between two parties, but in some cases, more parties are involved, for instance, in the case of a researcher or practitioner working within an institutional context: "Informed consent is not a principle, but a social construction […] It has evolved from statements of professional ethics to a set of tripartite protections for human subjects, researchers/practitioners, and their institutional affiliates […]" (Dolan 2015, p. 119).Closely related to this aspect, consent is also considered a means to preserve social trust (Eyal 2018).
For the current study, the definition provided by the GDPR is the most relevant as it establishes a requirement for consent to be informed.According to art. 4 GDPR, consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".Although there is no definition of informed consent, the definition of consent makes clear that consent should be informed.In the contexts of research, health, and social care, the term 'informed consent' is commonly used where consent is typically described as a procedure for presenting information that must be given to the data subject to ensure a fair and transparent consent procedure (David et al. 2001;Grout 2004;Sheehan and Martin 2011;Schofield 2014).In line with this, Bix (2018) points out that consent is "to entail knowledge by the actor of all material circumstances, alternatives and consequences" (p.223).Others accentuate the role of consent as "an instrument to provide users with appropriate information to protect their privacy" (Noain-Sánchez 2016, p. 126) or emphasise the voluntariness of the agreement, e.g., consent is "[…] giving of information to the client in order to gain that client's voluntary agreement to a proposed […] interaction" (Burkemper 2004, p. 142).The voluntariness of consent is also reflected in the definition provided by the GDPR which speaks of consent being "freely given" (art.4 GDPR).
Of course, the GDPR is exclusively about consent to the processing of personal data.Personal data is "any information relating to an identified or identifiable natural person […]; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number […]" (art.4 GDPR).Processing of personal data is "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring […]" (art.4 GDPR).

Legal requirements
The preamble of the GDPR states that "personal data should be processed on the basis of the consent of the data subject".Therefore, consent is a legal requirement of its own (Oliver-Lalana 2004;Polcak 2009), and it includes an information letter and a consent statement.The information requirements are formulated in art.13 and art.14 GDPR and oblige the data controller to provide at least the following information: (a) Data processing: the categories of personal data, the purposes of and the legal basis for the processing; whether the provision of personal data is a statutory or contractual requirement; the period of storage or, if this is not possible, the criteria used to determine that period; (b) Data controller and data processor: the identity of the data controller and the data processor ("a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (art.4 GDPR)) in case the data controller and the data processor are separate entities; the contact details of the data controller and the data protection officer (DPO); (c) Data subjects' rights: the right to withdraw consent; the right to access and data portability; the right to rectification, erasure, and restriction of processing; the right to object and to lodge a complaint with a supervisory authority; (d) Consequences, where applicable: the fact that the controller intends to transfer personal data to a third country or international organisation; the existence of automated decision-making, including profiling.

Data processing
Art. 9 GDPR defines the special categories of sensitive personal data as: "…data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, […] genetic data, biometric data […], data concerning health or data concerning a natural person's sex life or sexual orientation […]".However, this definition of sensitive data is not unambiguous, leaving it unclear whether data can be defined as sensitive in some situations (Mäkinen 2015).For instance, smart devices for the daily monitoring of health conditions collect information not only on health, but also on habits and lifestyle.It is unclear whether the latter categories are included in this definition of sensitive data.Even if they are not included, such data may still be considered sensitive by the data subject.Cradock et al. (2016) emphasise the need to further categorise (sensitive) personal data to better estimate possible risks for each category and to subsequently determine appropriate data protection mechanisms for each category.In the context of e-assessment, for instance, a distinction can be made between data that are used for identity verification purposes (for instance, facial images and voice recordings) and for authorship verification purposes (for instance, writing style and keystroke dynamics).
In addition to a) data processing, a second purpose of use can be defined in advance when necessary or desirable (O'Kane et al. 2013).In practice, data are often used for purposes that are different from the initial purposes (Hand 2006).To avoid additional consent procedures later, all purposes can be included and described in the initial consent procedure.In the application context of e-assessment, for instance, if an educational institution plans to use the data collected for authorship verification for the purposes of a scientific study as well, then this information can be included in the same consent procedure, helping both students and their educational institution save time and effort in obtaining consent.

Data controller and data processor
Here, a point to consider is that both the data controller and the data processor should designate a DPO who will serve as a contact point for data subjects (art.24, 28, 37 GDPR).Data subjects may contact him/her with regard to any issues related to the processing of their personal data (art.39 GDPR).Importantly, a DPO has a neutral position while advising either the data subject or the data controller or the data processor, and he/she has a duty of secrecy and confidentiality while performing his/her tasks (art.38 GDPR).Art. 13 GDPR states that the data subject should be informed about "the contact details of the controller" as well as "the contact details of the data protection officer".However, as noted by Feiler et al. (2018), the term 'contact details' is not specified in detail in the GDPR.Rec.23 GDPR speaks of "an email address or any other contact details".

Data subjects' rights
The GDPR grants rights to the data subject that enable him/ her to have control over and manage personal data related to him/her.The data subject should be informed about the existence of these rights as well as when and how they can be practically exercised (art.12 GDPR).First, the right to access which is organised in two steps: the right to obtain information about data processing activities and the right to obtain a copy of personal data that are undergoing processing (art.15 GDPR).Closely related to this right, the data subject is also granted a right to data portability which means that the data subject can request personal data related to him/her in a format that supports use in a different setting (art.20 GDPR).The data subject might want to exercise this right, for example, in case the data controller does not provide the expected or desired level of service.Further, when processing activities involve incorrect or incomplete data, the data subject may exercise his/her right to rectification (art.16 GDPR).The erasure of personal data might be requested when, for instance, personal data processing is no longer needed or desired or personal data were unlawfully processed (art.17 GDPR).Finally, the right to restriction means that the data subject might temporarily stop or limit processing when, for instance, legal grounds for rectification or erasure are further investigated and verified (art.18 GDPR).
Establishing such an extensive list of the data subject's rights is justified by the fact that consent should be based on a sense of autonomy (Ach 2018).These rights are intended to affirm the data subject's autonomy in exercising certain rights.To facilitate this, rec.59 GDPR states that "the controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means".Although not immediately relevant in terms of requirements for the blueprint, it is highly relevant in terms of practical application.In this respect, it is noteworthy that an electronic request (e.g., via an email) may trigger reasonable doubts about the identity of a person making the request (Feiler et al. 2018).The GDPR does not elaborate on the identification of the data subject.

Consequences
Under (d) consequences, we mentioned automated decisionmaking, which means evaluating personal aspects based solely on automated processing.In automated processing, for instance, e-recruiting without human intervention or an online credit application (art.22 GDPR), the data subject should be provided with "meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject" (art.12 GDPR).In other words, algorithms should be explained "to ensure fair and transparent processing taking into account the specific circumstances and context" (rec.60 GDPR).This obligation raises the question of how to explain algorithms involved, and what exactly needs to be revealed to the data subject (Crutzen et al. 2019).Although explaining algorithms could make a decision-making process more clearly "visible", it may fail "to solve the problem of information complexity, as it only provides a general explanation […] and does not explain what are actual implications for an individual" (Van Ooijen and Vrabec 2019, p. 104).
For the purpose of this study, the focus in this section was on generic requirements following from the GDPR.In this respect, it is relevant to point out that the GDPR establishes minimum requirements for informed consent which are binding for all EU member states.However, on top of these requirements, additional requirements and conditions may be specified on a national or institutional level (art.23 GDPR), for instance, related to age, physical, and mental health issues (art.18 GDPR).Still, meeting these legal requirements provides no guarantee that the needs of the data subject are sufficiently met (Custers et al. 2014;Custers 2016;Mai 2016).Legal requirements establish guidelines mainly as to what information should be provided in a consent form.Regarding 'how' this information should be provided, the GDPR contains only a few generic guidelines.First, rec.39 GDPR introduces the principle of transparency which requires that any information "be easily accessible and easy to understand, and that clear and plain language be used".Second, art.12 GDPR adds that information "may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing".With respect to the latter, there is a risk in the use of icons as they only provide a partial description of the data processing and may lead readers to ignore relevant textual information (Van Ooijen and Vrabec 2019).
In conclusion, many questions remain unanswered regarding 'how' (Luger et al. 2014;Rosner 2014): how to accommodate legal requirements for informed consent.This issue of 'how' is further elaborated by drawing on insights gained through usability studies concerning informed consent.

Usability requirements
When it comes to the usability requirements for informed consent, two parties are involved: the data controller responsible for providing information, and the data subject who is asked to consent based on the information provided.From the point of view of the data controller, the blueprint for an informed consent template can prove more usable if it is both adaptive and adaptable (Park and Han 2012).For instance, in the context of e-assessment, the blueprint can automatically adapt according to a particular set of instruments for identity and authorship verification to be deployed.From the point of view of the data subject, adaptability and adaptivity can also be desirable while filling in an informed consent form.For instance, through an opportunity to consent only to the use of a particular type of personal data.The usability studies included in the literature review provided us with the leads for design and evaluation criteria following the three usability dimensions: effectiveness, efficiency, and satisfaction.

Effectiveness
Effectiveness is to be understood as the "accuracy and completeness with which users achieve specified goals" (ISO 1998).A study by Moran et al. (2014) showed that less educated people can hardly understand information provided in an informed consent procedure.The authors discuss the importance of using plain language to ensure that people, irrespective of their educational level, understand information provided to them.Similarly, the plain language movement attempts to reform traditional legal writing (Collins 2005;Garwood 2014).As defined by Redish, when people can find information they need, understand it from the first time they read it, and use this information to perform a task, it is plain language (as cited in Schriver et al. 2010).Over the past decades, plain language advocates have developed some techniques-a basis for a plain language standard-including word-level and sentence-level techniques.
Word-level techniques basically target word length, word difficulty, and word concreteness (Cheek 2008).Short words are easier to recognise and interpret because they are also high-frequency words (words that native speakers hear all the time and require little attention to understand).Regarding word difficulty, simple words (as defined by Stanovich and Bauer, words that are "easy to pronounce" or with "few syllables" (as cited in Cheek 2008, p. 24)) are almost always a better choice unless there are reasons to use more complex words.Finally, concrete words are preferred over abstract words: they are easier to learn because they evoke more visual imagery.Sentence-level techniques basically require to use simple sentences, to avoid long sentences, and to keep clauses short (Schriver et al. 2010).A simple sentence is not necessarily a short sentence.Apparently, it is not the length of sentences that matters, but syntax and structure: clear syntax and structure help to read the text and process the meaning more quickly.In summary, short sentences should be balanced with well-written longer sentences.Part of writing good longer sentences is to keep clauses short as long clauses complicate keeping track of what is going on in the sentence.
Taking into consideration that information provided in an informed consent procedure can be quite complex, plain language is a key requirement for making consent truly informed (Kay and Terry 2010;Sand et al. 2010;Steinfeld 2016).Some authors believe that having a dialogue is conditional for effective communication of informed consent (Coles-Kemp and Kani-Zabihi 2010; Lie and Witteveen 2017).Although this is an important consideration, this is an implementation issue, and as such, out of the scope of the current paper.The blueprint, template, and final informed consent form must be considered as a foundation on which a further dialogue can be built.

Efficiency
Efficiency is defined as "resources expended in relation to the accuracy and completeness with which users achieve goals" (ISO 1998).An efficient informed consent form enables the data subject to reach an informed decision with the least possible effort.Insights from the field of information design [as defined by the International Institute for Information Design, "the defining, planning, and shaping of the contents of a message and the environments in which it is presented, with the intention to satisfy the information needs of the intended recipients" (as cited in Coates and Ellison 2014)] are crucial in establishing efficiency.
When applied successfully, information design can help solve the problem of a large amount of information, for instance, through creating layers of information (Lentz et al. 2016;Jansen 2017).In this way, a first layer could be created for 'minimally required' information offered to all data subjects, while more detailed information could be made available in a second layer for those who seek additional information.Berger et al. (2014), in a medical context, propose to distinguish layers based on the importance of information from the data subject's point of view since their study showed that data subjects consider some information more important than other information.Information considered less important could be provided in a "silent mode" (through a 'Read more' button or a link to another webpage) or provided separately upon request.In any case, creating layers can help in obtaining an overview of information, navigating through it, and finding what is needed in the first instance (Burmeister 2000;Luger and Rodden 2014).
Information design also refers to typographic elements, graphic elements, imagery, and colour (Coates and Ellison 2014).Typographic elements (e.g., letter type, size, weight) can be effectively used to create visual rhythm and pace.Graphic elements (e.g., headers, bulleted lists, tables) can help communicate complex information, especially when readers have various educational or cultural backgrounds.Imagery (e.g., illustrations, photographs, icons) is a powerful tool that can be used in a variety of forms to attract readers' attention.Colour is important when designing a large amount of information: attaching a specific colour to a group of content makes it easy to distinguish from any different group of content.

Satisfaction
In a usability context, satisfaction means "freedom from discomfort, and positive attitudes towards the use of the product" (ISO 1998).Information should be presented without coercion or undue influence and in a manner that encourages the data subject to ask questions (Burmeister 2000).An attempt at increasing satisfaction with an informed consent procedure is dynamic consent (Coles-Kemp and Kani-Zabihi 2010; Kaye et al. 2015).Dynamic consent is a new approach characterised by an interactive personalised interface that allows the data subject "to engage as much or as little as they choose and to alter their consent choices in real time" (Kaye et al. 2015, p. 142).Dynamic consent, first of all, enables participants to modify their consent decision over time (e.g., to withdraw consent); second, it supports in decision-making through a variety of decision aids; third, it allows to maintain a better communication process (e.g., a chat window to directly ask questions and a notification system when new actions or ethical issues arise); finally, it provides a record of all interactions in 'one place'.In other words, dynamic consent places the data subject in the centre of decisionmaking and makes the whole informed consent procedure more actionable (Bustos-Jiménez 2014;Van Alsenoy et al. 2014).
In the context of e-assessment, for example, students might be enabled to select purposes (identity and/or authorship verification), and/or categories of personal data: to consent to identity verification only (not authorship verification) or to consent to identity verification through voice recognition only (and not, for instance, face recognition), i.e., 'selective consent' (Coles-Kemp and Kani-Zabihi 2010).If a student provides consent to identity verification through voice recognition only, then a consent form automatically requests consent for processing of this category of personal data only (adaptivity).
Another important requirement regarding satisfaction is timing: data subjects should have sufficient time to read information, ask questions and think about their decision, to arrive at what matches their preferences (Luger Noain-Sánchez 2016;Miller and Boulton 2007).This requirement is also an implementation issue, but only partly: information provided in connection with informed consent should also clarify when the decision is due.
In conclusion, the literature review shows that there are already many initiatives regarding how to improve informed consent procedures.However, not all of them have been systematically evaluated.In addition, none of these initiatives considered the option of developing a blueprint for an informed consent template.
Usability aspects described in this section apply to all three levels included in Fig. 1: blueprint, template, and informed consent form.However, for the template, usability is a coin with two sides: the template must be usable for the data controller and must be filled in, in compliance with usability criteria for the informed consent form.The next section describes the design (including the design process) of the blueprint and further explains the relation with the template.

Blueprint for an informed consent template
The blueprint aims at helping data controllers fulfil all the legal requirements in creating a template for an informed consent form, which in turn should help ensure that data subjects receive information in a way that enhances informed decision making.The blueprint and the template derived from it were designed through a number of subsequent steps.
First, an overview of legal requirements was created.The first column of Table 2 presents this overview with: (a) legally required (obligatory) information elements in bold capital letters in a logical order (e.g., purpose first); (b) choices for the data controller are indicated by radio buttons ○ (e.g., single or multiple purposes); (c) additional options are indicated by a checkbox □ (e.g., in case of multiple purposes, the data subject can opt in / out for each of these).
Second, as some of the usability requirements found in the literature review apply to the level of implementation rather than the design of an informed consent form, the next step entailed filtering out usability requirements not directly relevant for the design of an informed consent form (e.g., enabling withdrawal of consent in the same way consent was obtained (art.7 GDPR)).Remaining usability requirements target two levels: (a) usability requirements for the template (instructions to support the 'fill in' process presented in Table 2 as text in italics; functionalities (e.g., add purpose)-text in italics in squared brackets); (b) usability requirements for the informed consent form (e.g., plain language).These have been translated to additional instructions to be provided alongside the template.
As mentioned, Table 2 presents a first 'rough' draft of the blueprint.More intricate functionality, e.g., enabling a layered design as suggested by some authors, has not been included in this first draft.Besides, the presented 'translation' of the blueprint to a template is, necessarily due to the descriptive format, rudimentary.For instance, the template now contains rudimentary functionality, e.g., 'add' options, when depending on the choices described in the blueprint, the data controller may not simply 'add', e.g., a purpose, but may need to indicate for each added purpose whether or not the purpose should be presented as 'optional' to the data subject.Nevertheless, this first draft should sufficiently illustrate the range of complexity levels, e.g., from consenting to a single purpose requiring the use of only a limited set of personal data, to which the data subject can respond with 'Yes' or 'No', to more elaborate designs involving multiple purposes, requiring different (sets of) personal data, on which the data subject can decide separately (selective consent).The relative straightforward template presented in the right-hand column of Table 2 was used to evaluate data controllers'

Evaluation of the informed consent template
This section describes the results of the small scale usability study.Table 3 provides the frequencies of participants' responses to the items constituting the SUS.All participants agreed to item 5: "I find the various information requirements for informed consent are well integrated in this template".This can be considered a reassuring result as this may well be considered the main rationale behind the use of the template.However, there is room for improvement, as suggested by the less favourable scores (bold values) in Table 3. Participants also indicated that they need support to be able to use the template (item 4) and that they need to learn a lot of things before they can get going with this template (item 10).
Further feedback provided by participants during the interviews confirmed the appreciation of the integrative character of the template, for instance, through a reported sense of safety evoked by the template that it holds all the information requirements for informed consent established by the GDPR in 'one place': "The template provides all information needed to be included in an information letter", or "It gives me the feeling that I am surely complying with the GDPR".Furthermore, participants commented that the template being presented in "a condensed format" accompanied by "additional guidelines" makes "the fill in process easier".
Nevertheless, during the interviews, participants also reported a lack of support: "You need help for deciding what is particularly useful for your research".At the same time, they indicated not to be sure whether they lack support from the system or an appropriate level of knowledge about how to conduct research involving the collection of personal data.Another reported difficulty was related to understanding functionalities integrated in the template.It was not immediately clear, for instance, that the template was meant to support selective consent.When asked for recommendations, four participants came up with basically two recommendations.First, it was suggested to provide more explanatory information, for instance, to clarify the distinction between the data controller and the data processor, or the role of the DPO.Second, participants would like to have more examples of how to fill in the template, for instance, with respect to the consequences of consenting and/or not consenting, when collecting personal data in a specific context.

Conclusions and Discussion
Various studies have shown that meeting legal requirements related to obtaining consent to the use of personal data, i.e., providing necessary information and requesting consent, does not guarantee an obtained consent is an informed, ethically invalid, consent.In this regard, Luger et al. (2014) speak of the need to move beyond the current flawed consent practices to more embedded approaches that balance legal, ethical, and technological perspectives.The authors propose to place consent "under control of the user, casting the design of systems as a central mechanism by which this should be achieved" (p.615).Rosner (2014) adds to this discussion by stressing out the importance of shifting control over personal data to the data subject: "The growth of cloud computing […] implies an even greater need to frame informational control in more appropriate terms of rights […] Efforts to shift the value inequality between data sources and collectors are still in their infancy […] An emphasis away from the concept of data ownership towards actual control and rights regimes is essential to re-frame discussion of consent" (p.628).
In the current study, a blueprint for an informed consent template form was presented with the aim to support data controllers in establishing informed consent that is both compliant with the legal requirements and responds to the data subject's needs (usability).The blueprint should contribute to strengthening data subjects' control over personal data, for instance, by prompting data controllers-in line with the GDPR-to actively consider selective consent and by supporting the elaboration of selective consent designs in an informed consent template.The usability study results reported in this paper in relation with an informed consent template revealed the need to provide substantial explanatory information, including examples for data controllers on how to fill in the template.Still, overall results can be considered encouraging as the current study involved a mock-up template.The envisioned wizard-like approach seems particularly suitable to provide supportive information just in time and on demand.A challenge will be to 'translate' this (legal) information into plain language and practical terms, e.g., to explain consequences to data subjects.The Creative Commons solution achieved in the area of copyrights might be considered exemplary in this respect.Nevertheless, taking things further from here will still require considerable effort on various levels: to develop a formalised model of the blueprint to support software development for informed consent; further, usability studies with data controllers considering various contexts and various levels of complexity; and, last but not least, experts' evaluations and usability studies of the resulting informed consent forms.
Usability requirements (effectiveness, efficiency, and satisfaction) need to be translated into specific evaluation criteria, such as the time spent reading and the level of information uptake and comprehension.Future investigations should explore various functionalities, such as the use of icons, providing information in layers, and selective consent.Finally, to understand whether a decision is freely made, a close examination of the reasons behind a particular decision is needed.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material.If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.To view a copy of this licence, visit http://creat iveco mmons .org/licenses/by/4.0/.

Fig. 1
Fig. 1 Informed consent based on a blueprint

Table 2
Blueprint and template to create an informed consent form