The basic concept of consent and its main role as a potential lawful basis for the processing of Personal Information is a concept that is widely misunderstood as a simple matter of getting a data subject to say “yes”.
It is important to note that the concept of consent is found throughout the Protection of Personal Information Act (the Act). The Act defines “consent” as:
“Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.”
Upon inspection of the definition, we note that there are four main focus points. These focus points will help a business to understand exactly what is needed when valid, lawful consent is required as a justification ground. These focus points are:
- Voluntary
- Specific
- Informed
- Expression of will
Voluntary:
Consent will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment. Consent must, therefore, reflect the data subject’s genuine choice. If there is an element of compulsion or undue pressure put upon the data subject, consent will not be valid.
Specific:
The Act is clear in its wording that the responsible party must clearly define the purpose for which information is collected and processed in order for it to be lawful. This, in turn, has the effect that when the responsible party asks a data subject for his or her consent, the responsible party must clearly and precisely explain the scope and the consequences of the data processing.
Informed:
The requirement that the data subject must be informed links the definition with Section 18, where the Act requires that the data subject must be informed of the purpose of the information before collection thereof.
In order for consent to be “informed” the nature of the processing should be explained in an intelligible and easily accessible form, using clear and plain language which does not contain unfair terms.
Expression of will:
The definition of consent further stipulates the “expression of will” by the data subject. This implies that there needs to be an active or positive step on the side of the data subject to indicate their agreement to what is proposed by the Responsible Party.
Businesses cannot assume consent from a failure to opt-out of direct marketing for instance, unless this is part of a positive step such as signing up to a service. For example, they cannot assume consent from non-response to an email, as this would not be a positive indication of agreement.
Conclusion:
Because consent is such a complex matter it is clear that the Act requires more than just a simple statement of consent by a data subject and as such there will be definite practical implications for businesses.