POPIA - South Africa - Managing Consent

Meanwhile, family members and close friends hold their dampened handkerchiefs to their tear-soaked cheeks as they await the most anticipated words of the fairy tale wedding...
“And do you give your voluntary, specific, and informed expression of will to this woman?” “I do”
“You may now kiss the bride!”

Beautiful, isn’t it? However, take the romance out of a wedding and you’re really left with a legal procedure about consent. A consent event if you will. Or is it, really? Maybe it’s a contract? Perhaps consent features at the engagement? Some might find their marriage was based on the legitimate interest of their parents. Oh, boy – all these lawful bases!

Thankfully, we have section 11 of the POPI Act to clarify when it comes to the processing of personal information. POPIA requires legal reasons for processing a data subject’s personal information, and provides a few options, any of which will suffice:

1. the data subject, or a competent person where the data subject is a child consents to the processing;
2. processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
3. processing complies with an obligation imposed by law on the responsible party;
4. processing protects a legitimate interest of the data subject;
5. processing is necessary for the proper performance of a public law duty by a public body; or
6. processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

Today we will take a deep dive into the widely chosen, the often misunderstood, the much- abused basis of ...CONSENT!

What is Consent, actually? The official definition:

Any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.

Let’s break down this trinity of consent into its key elements.

1. Voluntary

This decision should not resemble going to your friend’s spoken word exhibit...in other words, it shouldn't be forced. A data subject should not be pressured to consent. There should be a real choice and control for the individual. Consider an employer asking an employee for consent when putting up CCTV around the office. Unlikely right? A more appropriate processing purpose would be a legitimate interest of the responsible party. In this example one can see the aspect of choice and control when checking the box - Voluntary.

2. Specific

The consent must relate to a specific purpose and the objectives for processing must accordingly be stated upfront and be agreed to by the individual. An example would be for a car dealership to contact a business about vehicle insurance. This cannot be wrapped up in some lengthy terms and conditions that are mandatory to accept before moving forward. Where there are multiple-
than one purpose, the data subject should be free to choose which purpose they processing operations for more
accept, rather than having to consent to a bundle of processing purposes.

3. Informed

A data subject should always know what’s in the Kool-aid before drinking it. They should be provided with sufficient information to enable them to make an informed decision as to whether they want to consent to having their personal information processed. This obligation is accompanied by the requirement that data subjects are notified of specific information as required by section 18 of POPIA.

These include, but are not limited to the following:

• The information being collected and where the information is not collected from the data subject, the source from which it is collected;
• The name and address of the responsible party;
• The purpose for which the information is being collected;
• Whether or not the supply of the information by that data subject is voluntary or mandatory;
• The consequences of a failure to provide the information;
• Any particular law authorising or requiring the collection of the information; and
• The fact that, where applicable, the responsible party intends to transfer theinformation to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation.

Yes but, is consent the appropriate lawful basis?

Consent is likely to be the most appropriate lawful basis for processing if you want to offer individuals real choice and control over how you use their data. It may even be a great way to improve their level of engagement with an organisation and encourage them to trust this company with more useful data.

However, whether consent is appropriate and valid will always depend on the particular circumstances. An easier way to remember this is if you cannot offer people a genuine choice over how you use their data, consent will not be the appropriate basis for processing.

This may be the case if, for example:

• you would still process the data on a different lawful basis if consent were refused or withdrawn;
• you ask for ‘consent’ to the processing as a precondition of accessing your services; or
• you are in a position of power over the individual – for example, if you are a public authority or an employer processing employee data.

“Would you like a cookie? Well, we’re gonna leave them here anyway!”
What if she accepted the cookies but then changed her mind? (They had raisins in them). In other words, is she able to withdraw consent?

A data subject is entitled to withdraw consent at any time – provided that the withdrawal does not affect the other 5 lawful bases I mentioned earlier. Individuals need not be concerned that by granting consent for a particular purpose will mean that they can’t change their minds later and retract the consent. In fact, the law states that a data subject should be able to withdraw that consent equally as easily as when it was obtained. Click on, click off! Swipe yes, swipe no!

When will the responsible party need to use consent as a lawful basis?

You are likely to need to consider consent when no other lawful basis obviously applies. For example, this may be the case if you want to use or share someone’s data in a particularly unexpected or potentially intrusive way, or in a way that is incompatible with your original purpose.

Consent would most likely be needed for many types of marketing calls and marketing messages, website cookies or other online tracking methods, or to install apps or other software on people’s devices.

So, giving my consent is a lifelong commitment that I should definitely be worried about?

No, nervous Ned. POPIA requires that a responsible party does not keep the information collected for longer than strictly required to fulfil the purpose for which it was obtained in the first place. Someone, get Ned some water.

It may also be good to note that there is no specific time limit for how long consent will last. This will depend on the context, the scope of the original consent and the expectations of the data subject. If the processing operations change, then the original consent is no longer valid, and new consent needs to be obtained.

Consent should be constantly refreshed at appropriate intervals. Providing all the information again helps to ensure the data subject remains well informed about how their data is being used and how to exercise their rights.

How can my company demonstrate consent?

Quite simply, you must keep clear records to demonstrate consent. You must be able to show who, when, how, and what you told the data subjects. Responsible parties are free to develop methods to comply with this provision in a way that is fitting in their daily operations, however this process shouldn’t lead to an Everest of additional data processing. Just enough data to show a link to the processing and that consent was obtained will be fine.

What about the children?!

Who let Ned back in? Yes, the children. POPIA states that personal information may only be processed if the data subject or a competent person where the data subject is a child consents to the processing.

• A competent person is officially defined as any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
• A child is officially defined as a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.

In summary:

Consent should always be voluntary, specific and informed.

Consent is likely to be the most appropriate lawful basis for processing if you want to offer individuals real choice and control.

The responsible party must ensure that consent can be withdrawn by the data subject as easy as giving consent.

A responsible party does not retain the information collected for longer than strictly required If processing operations change, the original consent is no longer valid, and new consent needs to be obtained. Consent should be constantly refreshed at appropriate intervals. Always keep clear evidence to demonstrate consent.

Personal information may only be processed if the data subject or a competent person where the data subject is a child consents to the processing.

When choosing an appropriate lawful basis, always remember the 3 C’s: Consent = Choice + Control.

Crikey, Compliance is Crazy Cool!

If you are like our dear friend Ned, consider reaching out to us to learn more about consent, compliance, and all things POPIA