In my experience, when most people think about POPIA, the first thing that springs to mind is that they have to obtain consent before processing anyone's data. In some cases, such as direct marketing, consent is indeed required. There are, however, other mechanisms that allow a company to lawfully process personal information without consent. Section 11(1) of POPIA lists, in paragraphs (a) to (f), six justifications for processing, only one of which is consent. Here is a breakdown of what the section lays out, with some examples.
“the data subject or a competent person where the data subject is a child consents to the processing”
Consent. This is the easy one, and the one everyone is most familiar with: I give you explicit permission to use my information, or you aren't allowed to use it. Consent is generally a good idea for direct marketing, where a member of the public is signing up to your database or mailing list. It is, however, a bad idea as the basis for processing once you have entered into a contract or agreement.
While POPIA isn't as explicit about it, GDPR (Europe's privacy law) takes the view that anyone who can give consent can also withdraw it. If someone withdraws consent for processing that a contract depends on, you suddenly can't perform the work you were hired to do, and you end up in a horrible, sticky catch-22. This is why the next justification exists:
“processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party”
Contract. Where there is a business agreement, the parties entering into it can agree on what is going to be processed (and why) as part of delivering and concluding the contract. Take an employment agreement: in order to pay a person's salary, fulfil tax obligations and so on, you need to process certain information. If that relied on consent and the employee withdrew it, how could you pay them? Relying on the contract removes the stickiness described above.
“processing complies with an obligation imposed by law on the responsible party”
Legal obligation. This applies where processing certain pieces of information is required by another law. A good employment-related example is Employment Equity (EE) regulation: equity committees are required to process race information under the Employment Equity Act.
“processing protects a legitimate interest of the data subject”
Legitimate interest (subject). This applies where your processing is in the interest of the data subject and neither consent nor contract is being relied on. Cliffe Dekker Hofmeyr give the example that it may be in a customer's legitimate interest to process their data in order to give them a tailored experience in their favour, but it remains to be seen whether this will hold. We will have to wait for guidelines from the regulator.
“processing is necessary for the proper performance of a public law duty by a public body”
Performance of law. A public body in terms of POPIA is a "department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government". The definition goes on to include other institutions performing a duty in terms of the Constitution or a public function in terms of legislation. In most cases, this excludes a private business.
“processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied”
Legitimate interest (business). Much like legitimate interest of the data subject, legitimate interest of a business covers processing where you need to justify why you are processing someone's information without relying on consent or a contract. Likely examples are the collection of fees where someone has defaulted, or a software provider needing to send an urgent system notice (though the latter may well be covered by a Master Services Agreement).
A Note on Legitimate Interest
Legitimate interest is the justification to use where you need to explain why you are unable, or have decided not, to rely on any of the other justifications for processing (consent, contract, etc.). The general view from the attorneys I've spoken to and the articles I've read is to "proceed with caution" with this approach. The GDPR applies a three-part test for legitimate interest that looks at the purpose of the processing, its necessity, and whether the processing outweighs the rights of the data subject. The right to privacy is in the South African Bill of Rights, so if we look to Europe for guidance on this particular issue, you may find legitimate interest harder to justify than you expect. It is one of the avenues where I would recommend obtaining a formal legal opinion before continuing to process.
To Sum Up
There are a number of lawful bases on which you can process information, and consent is only one of them. They do, however, require careful thought and tie into numerous other sections of POPIA. It is well worth drawing up a Record of Processing Activities (ROPA) that sets out your legal basis for processing each type of information in each scenario, while also reviewing your contracts and how you obtain consent. If this sounds daunting, don't fret: you need to "eat the elephant one bite at a time". If you're looking for assistance in doing so, reach out to find out more about my services.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance and security maturity, from affordable 16-week group coaching programmes that help you comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.