POPI defines consent to be “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. This is the measure or test that you must meet if you need to get consent. The words specific and informed are of particular relevance. They are, however, open to some interpretation.
Some key points regarding consent and POPI
- A person must have a choice whether to consent or not (it must be voluntary).
- It must relate to a specific purpose (for example, to contact me about insurance products). You must specify your purpose.
- You must notify the data subject of various things as set out in section 18 of POPI.
- You must inform the person sufficiently to enable them to make a decision.
- There must be an expression of will, for example ticking a tick box or clicking on a link. This is open to interpretation. Can a box be ticked by default, for example? Is deemed or inferred consent OK?
- Another important point is that POPI does not require you to get the consent of the data subject in all instances. There are many other justifications in section 11 that you can rely on to process lawfully. Consent can be very useful, but it is not the only justification.
The overlapping of laws
You need to be aware of the overlap of different laws when it comes to consent to make sure you comply with them. POPI may require a degree of consent that is less or more than what is required by a particular industry (like the health or financial sectors).
In some cases, POPI will prevail if the degree of consent required by POPI is higher than what your sector requires. But when it comes to the medical field, you must be careful about how you obtain consent. When it comes to privacy in healthcare, a higher standard is required. The healthcare industry processes large amounts of personal information and special personal information, which needs extra protection.