Since The Protection of Personal Information Act (POPIA) came fully into force on 1 July 2020, businesses are coming to grasp the many requirements of being POPIA compliant.
One question that seems to predominantly be on everyone’s mind when personal information is used is: “Did a person/business have consent to use personal information?”, or, “Where did you get consent to use my personal information?” Although important, this question seems to be the default point of reference when dealing with someone who does not want their information to be used or where a business is trying to become compliant and wants to ensure consent from a client.
When answering this question, one can sometimes second guess whether you have consent to use a person’s information. It can even be difficult to show that consent was given to use a person’s information as required in Section 11(2)(a) of POPIA. The best starting point in these scenarios would be to ask, do I even need consent in the first place?
To answer this, we have to look at Section 11(1) of POPIA. Which deals with consent, justification and objection and is part of 1 of the 8 conditions for the lawful processing of personal information. Section 11(1) briefly states that:
- Personal information may only be processed (used) if-
- The data subject (person) has given consent to use the information;
- Using the information is needed to carry out actions for the conclusion or performance of a contract to which the person is a party;
- Using the information to comply with an obligation imposed by law on the responsible party;
- Using the information to protect a legitimate interest of the data subject (person);
- Using the information is necessary for the proper performance of a public law duty by a public body; or
- Using the information as it is needed to pursue a legitimate interest of the responsible party or a third party to whom the information is supplied.
From this Section, the primary rule from Section 11(1)(a) is to ensure that you have consent from the data subject to use their personal information. However, consent is only one of the justification grounds for processing personal information. It is clear from Section 11(1)(b) to (f) that there may be many other scenarios where a data subject’s information may be used without his/her/its consent.
To conclude, one can rely on various justification grounds for processing personal information, and consent is not the so-called “be-all-end-all” requirement. It might be preferable to rely on these other justification grounds in many day-to-day scenarios where consent is not operationally possible or even needed.
Therefore, it is important to familiarise oneself with all the requirements and conditions needed for the lawful processing of personal information to comply with POPIA.
Want to know more about being POPIA compliant? Contact your nearest SEESA Consumer Protection & POPI Legal Advisor for expert advice. Alternatively, leave your contact details on our website, and a SEESA representative will contact you.
About the Author
Hanro Gerber started his career at SEESA in October 2013. He is currently Labour and Consumer Protection & POPI Legal Advisor at the SEESA George branch. Hanro is an admitted attorney.
Resources:
- The Protection of Personal Information Act 4 of 2013;
- Proclamation NO. R.21 of 2020.