“In my business I receive and store personal information of my clientele. I have a sign-up form for my new clients and was wondering whether I would be compliant with POPIA if I include a consent to process their information once-off in this form. Will this be sufficient for POPIA?”
The Protection of Personal Information Act 4 of 2013 (“POPIA”) is aimed at protecting personal information, and with it the right to privacy, by regulating the way in which personal information is processed by the persons or organisations (the “responsible parties”) that obtain such information.
Obtaining consent is one of the stipulated grounds for the lawful processing of personal information in terms of POPIA. Through consent, data subjects agree to the processing of their personal information, and where they understand what they are consenting to, this also helps to avoid disputes later when their data is processed, or transferred to third parties, in accordance with the consent provided.
But what if customers don’t understand what they are signing, or don’t really grasp the extent of the consent they are granting to a business? Will a blanket consent be sufficient and valid, or is it merely an administrative exercise that businesses use to tick the consent box as part of being POPIA compliant?
A blanket consent form signed by a data subject may seem like an easy way to prove your compliance with the provisions of POPIA, but it must be noted that not just any consent will be good enough. A business must understand what is really required when it asks its clients for consent to process their personal information.
POPIA defines “consent” to be “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. Take note of the words “voluntary”, “specific” and “informed”. Should you wish to rely on consent given by your clients for the lawful processing of their information, such consent will have to comply with these three requirements.
“Voluntary” implies a genuine choice as to whether to consent or not. Where consent is made a condition of using a product or service, such consent will probably not be regarded as having been given voluntarily. In some cases, however, it may be practically impossible to provide the product or service without the processing in question, for example where you order a product online but refuse to consent to the supplier passing your contact details to the shipping agent for delivery purposes. In such cases the consent may be implied, or the processing may rest on another ground recognised by POPIA (for example that it is necessary to perform the contract with the client) rather than on consent at all, but this is a grey area that must be carefully considered.
The consent must relate to a specific purpose, such as contacting the client about vehicle insurance or about printing services, and cannot be vague, undetermined or ambiguous. The purposes of the processing must accordingly be stated upfront and be agreed to by the client. Section 13 of POPIA supports this by stating that “personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party”.
Consent must be “informed”. This means you must provide your clients with sufficient information to enable them to make an informed decision as to whether or not they want to consent to your business processing their personal information. This obligation is accompanied by the requirement that you notify your clients of specific information as required by section 18 of POPIA. These include, but are not limited to the following –
- The information being collected and where the information is not collected from the data subject, the source from which it is collected;
- The name and address of the responsible party;
- The purpose for which the information is being collected;
- Whether or not the supply of the information by that data subject is voluntary or mandatory;
- The consequences of a failure to provide the information;
- Any particular law authorising or requiring the collection of the information; and
- The fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation.
The data subject’s consent must be expressed in some form or another, although the specific format in which that expression is communicated may differ according to the circumstances. How the consent will be expressed, whether by a signature, the press of a button on a website or otherwise, will have to be determined in each case. Whatever form is chosen, keep a record of it: under POPIA the responsible party bears the burden of proving that consent was obtained, and the data subject may withdraw that consent at any time.
It should also be remembered that consent is only one of the grounds for lawful processing. POPIA provides other grounds on which processing is lawful even where consent was not obtained, for example where the processing is necessary to perform a contract with the data subject or to comply with an obligation imposed by law.
In general, though, obtaining consent is a safe and effective route to ensuring that you are processing information lawfully. However, a general and blanket consent that requires a client to consent to all processing of information that your business may ever need to do will probably not cut it. You will need to customise your consent to address the requirements of “voluntary”, “specific” and “informed”. Should any aspect of your processing change from the basis set out in the original consent, you may need to obtain consent again, unless the original consent was worded widely enough to accommodate the further processing. This makes the formulation of your consent very important: it must cover your current and reasonably foreseeable purposes without becoming so generic and unspecific that it no longer qualifies as consent at all.
Our advice is to consult your attorney for assistance in drafting your consent forms to ensure that the consents you obtain from your clients don’t fall foul of POPIA when the Information Regulator comes knocking.