Skip to main content

Is consent always required under POPIA?

Consent is a central feature when processing personal information in terms of the Protection of Personal Information Act (POPIA). It is however not an absolute requirement to process such information. POPIA defines consent as ‘any voluntary, specific and informed expression of will in terms of which permission isgiven for the processing of personal information’.

Consent also comes up under section 11 of POPIA which deals with Condition 2. This section is entitled: Consent, justification and objection. Sub-section 11(2) lists six instances where personal information can lawfully be processed. The first instance is if the data subject (or a competent person where the data subject is a child) consents to the processing. No express reference is made to consent in the additional five instances. This means that a responsible party may in certain instances process the personal information of data subjects without their consent. 

The above judgment offers an example where the Western Cape High Court (the Court) sanctioned the processing of personal information without the data subject’s consent. The applicants in this matter sought a court order directing two medical practitioners (a general practitioner and a psychiatrist) to provide them with all medical records held by them in relation to the first respondent (K Gordon). This is after K Gordon instituted a claim against the applicants for damages after she sustained injuries when visiting their premises during October 2015. K Gordon argued, amongst other, that the disclosure of the medical records would infringe on her rights under POPIA. The two medical practitioners, at some stage, argued that they are bound by the Ethical Rules for Conduct for Practitioners Registered under the Health Professions Act 56 of 1974 (that HPA) and that K Gordon did not give consent to disclose the medical information. 

The applicants argued that two of the five justifications under section 11(1) made the disclosure of personal information permissible, i.e.: (c)where processing complies with an obligation imposed by law on the responsible party and (f) the processing is necessary for pursuing the legitimate interests of the responsible party. K Gordon argued those justifications did not apply to the matter at hand as (1) the medical practitioners were not the responsible parties and (2) the medical records are not relevant to the K Gordon’s claim for loss of earning capacity, and they are not necessary to pursue the applicants’ defence in the main action. 

The Court confirmed, amongst other, that section 11 makes provision for the processing of personal information – without consent-in certain instances. K Gordon, as data subject, can under section 11(1)(c) – where a duty has been imposed by law (in the form of a subpoena) upon the responsible party - not object against the processing of such personal information. The Court concluded that, in this context, a duty to process such personal information has been imposed by law on the medical practitioners to process such information. K Gordon could not object to the processing thereof – by implication - consent was not required to process such further information.

Important Note: The information contained in this newsletter is general in nature and should not be interpreted or relied upon as legal advice. The information may not be applicable to specific circumstances. Professional assistance should be obtained before acting on any of the information provided in this newsletter.

Source:  NPO Legal Issues, Vol 60,  1 Sept 2022 

Ricardo Wyngaard | The NPO Lawyer

The NPO Lawyer | Ricardo Wyngaard Attorneys

Ricardo Wyngaard is passionate about the non-profit sector and has been focusing on non-profit law since 1999. He is a lawyer by profession who has obtained his LLB degree at the University of the Western Cape in South Africa and his LLM degree at the University of Illinois in the USA. He has authored a number of articles and booklets on non-profit law and governance.

Related articles

Notifying the Information Regulator
Ricardo Wyngaard | The NPO Lawyer
The Protection of Personal Information Act (POPIA) imposes important obligations on Organisations in the event of a data breach involving personal information of a data subject. Section 22 of POPI...
[Watch] Should the Executive Director have a vote on the Board?
Ricardo Wyngaard | The NPO Lawyer
Should the Executive Director have a vote on the Governing Board? In this video we discuss some issues to consider.
Can PBOs buy shares in companies to get dividends?
Nicole Copley
We are often approached by organisations which are approved by SARS as public benefit organisations (PBOs) which have been invited to participate in, or have themselves put together share ownership...