Too often Consent is seen as a one-time thing. It is far more than this. Here is an infographic.
My point with this is that there many big steps:
Act of Consent from the Patient
Notification of Use
This graphic tends to imply these are four clean steps that are done in sequence. When actually they might happen in various sequences.
For example: Imagine a Research project that wants to use specific kinds of data. They do need to have their policies defined. They might have scouting authorization to find potential cohort participants. This scouting, only returns potential pseudonymous identifiers, no data. This access to find the potential cohort results in a notification to the patient that a specific Research project is interested. This notification encourages the patient to review the terms of the Research project and agree to participate. Thus now the Research project can access the data.