Consent, as one of the justification grounds for lawful processing of information, can frequently be interpreted as meaning that one simply needs to obtain a “yes” from a data subject. This is not the case.
The Responsible Party will always bear the burden of proof in that consent has been properly obtained from the data subject. The business must keep proper records in order to prove that the consent was obtained.
The concept of consent can be complex and found in a variety of sections of the Protection of Personal Information (POPI) Act – it is herein defined as:
“Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.”
This definition can be better explained by looking at each element separately:
1) Voluntary
The data subject must be seen to have had a genuine and free choice in granting his consent. The data subject should be given the opportunity to refuse or withdraw consent without impairment, this action of withdrawing consent should be as simple as giving consent.
2) Specific
The Responsible Party must clearly explain the scope and the consequences of the data processing to the data subject.
3) Informed
The Responsible Party should take reasonable steps to ensure that the data subject is aware of, among other things, the purpose for which the information is being collected.
4) Expression of will
There needs to be an active or positive step on the part of the data subject to indicate his agreement to what is proposed by the Responsible Party.
If a business is going to rely on consent, it should be kept in mind that it is a complex concept and the POPI Act requires more than just a simple “yes” or a “tick box” exercise. The business should be satisfied that it fulfils all the elements within the definition of consent, keeping in mind that consent can be retracted at any time by a data subject, therefore other justification grounds should also be considered. The business should also keep a proper record of consent given by a data subject, which should contain not only the fact that consent was given but also information about the manner in which the consent was given.