“In my business I receive and store personal information of my clientele. I have a sign-up form for my new clients and was wondering whether I would be compliant with POPIA if I include a consent to process their information once-off in this form. Will this be sufficient for POPIA?”
The Protection of Personal Information Act 4 of 2013 (POPIA) protects personal information by regulating how it is processed by the persons and organisations that collect and hold it.
Obtaining consent is one of the grounds on which POPIA permits the lawful processing of personal information. By consenting, data subjects agree to the processing of their personal information, and if they understand what they are consenting to, later disputes about the processing or transfer of their data to third parties in accordance with that consent are far less likely.
But what if customers don’t understand what they are signing, or don’t really grasp the extent of the consent granted to businesses? Will a blanket consent be sufficient and valid and not merely an administrative exercise used by businesses to tick off the consent box as part of being POPIA compliant?
A blanket consent form signed by a data subject may seem like an easy way to prove your compliance with the provisions of POPIA, but it must be noted that not just any consent will be good enough. POPIA defines “consent” to be “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.
“Voluntary” implies a genuine choice as to whether to consent or not. Where consent is made a condition of using a product or service, that consent will probably not be regarded as having been given voluntarily. POPIA also allows a data subject to withdraw consent at any time, so a consent form cannot be treated as a permanent licence to process. In some cases it may be practically impossible to provide the product or service without the processing in question, for example where a customer orders a product online but refuses to consent to the supplier passing their contact details to the shipping agent for delivery purposes. In such cases the processing may be justified on a ground other than consent, namely that it is necessary to perform the contract with the customer, rather than on an implied consent, but this is a grey area that must be carefully considered.
The consent must relate to a “specific purpose”, such as to contact a business about vehicle insurance or printing services for example, and cannot be vague, undetermined or ambiguous. The objectives for processing must accordingly be stated upfront and be agreed to by the client. Section 13 of POPIA supports this by stating that “personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party”.
Consent must be “informed”. This means you must provide your clients with sufficient information to enable them to make an informed decision as to whether or not they want to consent to your business processing their personal information. This obligation is accompanied by the requirement that you notify your clients of specific information as required by section 18 of POPIA. These include, but are not limited to the following:
- The information being collected and where the information is not collected from the data subject, the source from which it is collected;
- The name and address of the responsible party;
- The purpose for which the information is being collected;
- Whether or not the supply of the information by that data subject is voluntary or mandatory;
- The consequences of a failure to provide the information;
- Any particular law authorising or requiring the collection of the information; and
- The fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation.
Our advice is to consult your attorney for assistance in drafting your consent forms to ensure that the consents you obtain from your clients don’t fall foul of POPIA when the Information Regulator comes knocking.