In order for personal information to be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject, too often responsible parties are relying on consent of the data subject, which is only one of the six lawful justifications contemplated in POPIA.
It has become increasingly common to merely obtain the consent of the data subject, before processing personal information, in an effort to comply with the requirement in the Protection of Personal Information Act 4 of 2013 (“POPIA”) that there must be an established lawful justification for processing of personal information.
However, it is clear from the wording in POPIA that it was never intended that consent be relied upon as the primary lawful justification, but that it be considered as one of several grounds for the processing of personal information. As POPIA explicitly states that personal information may only be processed if there is a lawful justification for such processing, the responsible party, being the party who determines the purpose of and means for processing personal information, must be able to base the processing of personal information on at least one of the grounds of lawful justification set out in section 11(1) of POPIA. Failure to do so may result in non-compliance with the provisions of POPIA.
The other grounds of lawful justification contemplated in section 11(1)(b) to (f) of POPIA include instances where the processing of personal information is necessary for the conclusion or performance of a contract; to comply with an obligation imposed by law; to protect the legitimate interests of the data subject; for the proper performance of a public law duty by a public body; or to pursue the legitimate interests of the responsible party. These lawful justifications may be preferred over consent, under the specific purposes of the processing of personal information.
The order of appearance of these grounds of lawful justification in POPIA is not indicative of the existence of any hierarchy. Determining the most appropriate lawful justification will depend on the purpose for processing the personal information. Although consent is often at the heart of data privacy and protection compliance, is it not always the most appropriate ground of lawful justification.