Contact

POPI and consent - don’t get caught in your own net

Back to top

POPI and consent - don’t get caught in your own net

2020 has given rise to many challenges for employers. The Protection of Personal Information Act 4 of 2013 (POPI) poses yet another challenge. Employers have a grace period of one year as of 1 July 2020 within which to ensure their compliance with POPI. 

2 Nov 2020 4 min read Employment Alert Article

POPI distinguishes between the collection, storage and processing of personal information and special person information. Special personal information includes e.g. an employee’s race or ethnic origin, health or sex life, religious or philosophical beliefs and trade union membership. Securing an employee’s consent is one of the basis on which an employer can lawfully process both general and special personal information of its employees.

It is crucial for employers to understand the meaning and interpretation of consent within the context of POPI. While employers may hope for a “quick fix” to ensure compliance and trust that including a broad, “catch all” consent in employees’ contracts of employment will be suffice – this may not prove to be adequate in every instance. A general consent may be sufficient to cover some of the personal information that will be processed during the course of an employee’s employment, however employers should be aware of the risks associated with relying on blanket consents in every instance. 

Section 1 of POPI defines consent as “any voluntary, specific and informed expression of will in terms of which permission if given for the processing of personal information”. Written consent is not expressly required. However, it will be for the employer in its capacity as responsible party to show that it has secured an employee’s consent where it is relying on consent. In the circumstances it is advisable for employees’ written consent to be secured. 

The requirement that consent be voluntary, specific and informed means that there should not be any pressure or force placed on an employee to consent. The employee should also be sufficiently aware of the content of the processing given the requirement that the consent is informed.

The Information Regulator has yet to give guidance on the interpretation of consent in terms of POP. In all likelihood it will have regard to the General Data Protection Regulation 2016/679 (GDPR) which requires that the consent is unambiguous and must be given by a clear affirmative act. It may well be that the Information Regulator interprets consent restrictively in keeping with the GDPR.

In the circumstances clauses relating to the processing of personal information in employees’ contracts of employment which are aimed at securing employees’ consent to the processing, should at minimum set out the nature and scope of the personal information that is to be processed, the reason for the processing, consent to further processing, consent to collection from a source other than the employee and consent to the transfer of the information. The employees must be able to understand in clear language what they are consenting and the extent of the consent. Where necessary provisions should also be made specifically for the processing of special personal information.

Employers should bear in mind that POPI does not demand consent in every instance and that processing may take place without consent where e.g. the processing is required in terms of law, or for the purposes of protecting a legitimate interest of the employee.

Employers will need to determine on a case by case basis whether the processing which they wish to conduct falls within the scope of the consent which they may have secured from an employee in his or her contract of employment or whether they will need to rely on one of the other basis set out in POPI. 

Both special and general personal information may be processed lawfully if the processing is necessary for the “establishment, exercise or defence of a right or obligation in law”. This would cover instances where e.g. an employer processes employees’ personal information to comply with its obligations under the Employment Equity Act.

An employer can process general personal information without an employee’s consent where such processing either protects a legitimate interest of the employee, or is “necessary for pursuing the legitimate interest of the responsible party or of a third party to whom it is supplied”. While the term “legitimate interest” is not defined in POPI, it is likely that the Information Regulator will seek guidance from the GDPR in this regard. The GDPR has established a three-pronged test in interpreting “legitimate interest” which considers purpose, necessity, and balance. It first asks, “Is there a legitimate reason or purpose for the processions?”, secondly “Is processing the information necessary for that purpose” and thirdly “Is the legitimate interest overridden by the interests of the data subject?

A determination is made as to whether there is a “legitimate interest” for the purposes of processing personal information based on the answers to these three questions.

So as not to fall foul of the provisions of POPI it is recommended that employers develop internal policies that will assist them in determining whether in each instance, personal information to be processed is covered by the general consent clause in an employee’s contract of employment alternatively, by one of the other basis for lawful processing. In the absence thereof, the employer will need to prepare and secure a further consent from the employee.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

20 Mar 2024

by Emma Kingdon and Tayyibah Suliman

The impact of AI and the power of streaming platforms in the South African context

Technology & Communications

14:21 Minutes

8 Jun 2023

by Puleng Mothabeng and Louis Botha

The rights of access to information and freedom of expression vs the right to privacy: The minority’s view made major

In last week’s Tax and Exchange Control Alert we discussed the Constitutional Court’s (CC) majority judgment in Arena Holdings (Pty) Ltd t/a Financial Mail and Others v South African Revenue Service and Others ZACC 13 which was handed down on 30 May 2023. This week we take a closer look at the minority judgment. The minority held that the High Court’s order to declare sections 35 and 46 of the Promotion of Access to Information Act 2 of 2000 (PAIA) and sections 67 and 69 the Tax Administration Act 28 of 2011 (TAA) unconstitutional to the extent that they preclude access to tax records by a person other than the taxpayer, evenwhere the requirements of, the “ public interest override ” are met, should not be confirmed.

Tax & Exchange Control

12 min read

8 Mar 2024

by Brigitta Mangale and Elgene Roos

Beyond 16 Days Episode 2: The importance of Human Rights Day and exploring constitutional damages as an effective remedy

In episode two of our Beyond 16 Days Series, Director Brigitta Mangale and Senior Associate Elgene Roos in the Pro Bono & Humans Rights practice unpack the importance of Human Rights Day and exploring constitutional damages as an effective remedy.

Pro Bono & Human Rights

23:01 Minutes

23 Oct 2023

by Jean Ewang and Thato Makoaba

Automatically unfair dismissal for refusing to take the COVID-19 vaccine? The Labour Court’s first decision

The law regarding automatically unfair dismissals is trite and has been tested by our courts on various occasions. Recently, however, in the case of Burton Maasdorp v University of Free State JS647/2022 , the Labour Court handed down the first decision regarding an automatically unfair dismissal claim resulting from an employee’s refusal to adhere to a workplace COVID-19 vaccination policy. 

Employment Law

3 min read

4 Jul 2023

Achieving equitable workforce representation: The settlement agreement on employment equity and affirmative action between the Government and Solidarity

On 14 April 2023, President Cyril Ramaphosa assented to the Employment Equity Amendment Act 4 of 2022 (EEA Amendment). The EEA Amendment introduces various changes, including the identification and establishment of equity numerical targets for different sectors.

Employment Law

5 min read

18 Oct 2023

by Deepesh Desai, Jamie Oliver, Tessa Brewis and Alecia Pienaar

Eskom’s grid allocation rules: On your marks, ready, set, halt!

The national grid, which facilitates the conveyance of electricity between points of generation and offtake, is a pivotal piece of South Africa’s energy infrastructure. Owing to the country’s historical reliance on coal as a main energy generation resource, the development and upkeep of the national grid was primarily centred around Eskom’s coal fleet in Mpumalanga, with little attention paid to implementing the same level of upkeep in other areas of the country where renewable energy resources are most concentrated.

Corporate & Commercial Law

5 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline