popi_compliance_monitoring

Overview

  • You must have a valid lawful basis in order to process personal information.
  • There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the data subject.
  • Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
  • You must determine your lawful basis before you begin processing, and you should document it.
  • Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.
  • Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
  • If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
  • If you are processing special category information you need to identify both a lawful basis for general processing and an additional condition for processing this type of information.
  • If you are processing criminal conviction information or information about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of personal information.

Checklist

☐ We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.

☐ We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable and less-intrusive way to achieve that purpose.

☐ We have documented our decision on which lawful basis applies to help us demonstrate compliance.

☐ We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.

☐ Where we process special category information, we have also identified a condition for processing special category information, and have documented this.

☐ Where we process criminal offence information, we have also identified a condition for processing this information, and have documented this.

Briefly

What are the lawful bases for processing?

The lawful bases for processing are set out in Section 11(1) of POPIA. At least one of these must apply whenever you process personal information:

(a) Consent: the data subject has given clear consent for you to process their personal information for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the data subject, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Legitimate interest of data subject: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the data subject’s personal information which overrides those legitimate interests. (This cannot apply if you are a public authority processing information to perform your official tasks.)

When is processing 'necessary'?

Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less information.

It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods.

Why is the lawful basis for processing important?

The second condition requires that you process all personal information lawfully, and in a manner that is adequate, relevant and not excessive. If no lawful basis applies to your processing, your processing will be unlawful and in breach of the second condition.

Data subjects also have the right to have personal information erased where it has been processed unlawfully.

The data subject’s right to be informed under Section 18 requires you to provide data subjects with information about your lawful basis for processing. This means you need to include these details in your privacy notice.

The lawful basis for your processing can also affect which rights are available to data subjects. For example, a data subject always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies. However, other data subject rights are not always absolute, and there are rights which may be affected in other ways. For example, your lawful basis may affect how provisions relating to automated decisions and profiling apply, and if you are relying on legitimate interests you need more detail in your privacy notice. 

How do we decide which lawful basis applies?

This depends on your specific purposes and the context of the processing. You should think about why you want to process the information, and consider which lawful basis best fits the circumstances. 

You might consider that more than one basis applies, in which case you should identify and document all of them from the start.

You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy.

Several of the lawful bases relate to a particular specified purpose – a legal obligation, performing a contract with the data subject, protecting a data subject's legitimate interests, or performing your public tasks. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first.

In other cases you are likely to have a choice between using legitimate interests or consent. You need to give some thought to the wider context, including:

  • Who does the processing benefit?
  • Would data subjects expect this processing to take place?
  • What is your relationship with the data subject?
  • Are you in a position of power over them?
  • What is the impact of the processing on the data subject?
  • Are they vulnerable?
  • Are some of the data subjects concerned likely to object?
  • Are you able to stop the processing at any time on request?

You may prefer to consider legitimate interests as your lawful basis if you wish to keep control over the processing and take responsibility for demonstrating that it is in line with data subjects’ reasonable expectations and wouldn’t have an unwarranted impact on them. On the other hand, if you prefer to give data subjects full control over and responsibility for their information (including the ability to change their mind as to whether it can continue to be processed), you may want to consider relying on data subjects’ consent.


Is this different for public authorities?

The basic approach is the same. You should think about your purposes, and choose whichever basis fits best.

The public task basis is more likely to be relevant to much of what you do. If you are a public authority and can demonstrate that the processing is to perform your tasks as set down in law, then you are able to use the public task basis. But if it is for another purpose, you can still consider another basis.

In particular, you may still be able to consider consent or legitimate interests in some cases, depending on the nature of the processing and your relationship with the data subject. There is no absolute ban on public authorities using consent or legitimate interests as their lawful basis, although there are some limitations. 

Example

A university that wants to process personal information may consider a variety of lawful bases depending on what it wants to do with the information.

Universities are classified as public authorities, so the public task basis is likely to apply to much of their processing, depending on the detail of their constitutions and legal powers. If the processing is separate from their tasks as a public authority, then the university may instead wish to consider whether consent or legitimate interests are appropriate in the particular circumstances. For example, a university might rely on public task for processing personal information for teaching and research purposes, but on a mixture of legitimate interests and consent for alumni relations and fundraising purposes.

The university, however, needs to consider its basis carefully – as the responsible party, it must be able to demonstrate which lawful basis applies to the particular processing purpose.

Can we change our lawful basis?

You must determine your lawful basis before starting to process personal information. It’s important to get this right first time. If you find at a later date that your chosen basis was actually inappropriate, it will be difficult to simply swap to a different one. Even if a different basis could have applied from the start, retrospectively switching lawful basis is likely to be inherently unfair to the data subject and lead to breaches of accountability and transparency requirements.

Example

A company decided to process on the basis of consent, and obtained consent from data subjects. A data subject subsequently decided to withdraw his, her or its consent to the processing of their information, as is their right. However, the company wanted to keep processing the information, so decided to continue the processing on the basis of legitimate interests.

Even if it could have originally relied on legitimate interests, the company cannot do so at a later date – it cannot switch basis when it realised that the original chosen basis was inappropriate (in this case, because it did not want to offer the data subject genuine ongoing control). It should have made clear to the data subject from the start that it was processing on the basis of legitimate interests. Leading the data subject to believe they had a choice is inherently unfair if that choice will be irrelevant. The company must therefore stop processing when the data subject withdraws consent.

It is therefore important to thoroughly assess upfront which basis is appropriate and document this. It is possible that more than one basis applies to the processing because you have more than one purpose, and if this is the case then you should make this clear from the start.

If there is a genuine change in circumstances or you have a new and unanticipated purpose which means there is a good reason to review your lawful basis and make a change, you need to inform the individual and document the change.

What happens if we have a new purpose?

If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose.

However, POPIA specifically says this does not apply to processing based on consent. Consent must always be specific and informed. You need to either get fresh consent which specifically covers the new purpose, or find a different basis for the new purpose. If you do get specific consent for the new purpose, you do not need to show it is compatible.

In other cases, in order to assess whether the new purpose is compatible with the original purpose you should take into account:

  • any link between your initial purpose and the new purpose;
  • the context in which you collected the information – in particular, your relationship with the individual and what they would reasonably expect;
  • the nature of the personal information – e.g. is it special category information or criminal offence information;
  • the possible consequences for data subjects of the new processing; and
  • whether there are appropriate safeguards – e.g. encryption or pseudonymisation.

This list is not exhaustive and what you need to look at depends on the particular circumstances.

As a general rule, if the new purpose is very different from the original purpose, would be unexpected, or would have an unjustified impact on the data subject, it is unlikely to be compatible with your original purpose for collecting the information. You need to identify and document a new lawful basis to process the information for that new purpose.

POPIA specifically says that further processing for the following purposes should be considered to be compatible lawful processing operations:

  • archiving purposes in the public interest;
  • scientific research purposes; and
  • statistical purposes.

There is a link here to the ‘purpose limitation’ condition in Section 15, which states that “Further processing of personal information must be in accordance or compatible with the purpose for which it was collected”.

Even if the processing for a new purpose is lawful, you will also need to consider whether it is fair and transparent, and give individuals information about the new purpose.

How should we document our lawful basis?

The accountability condition requires you to be able to demonstrate that you are complying with POPIA, and have appropriate policies and processes. This means that you need to be able to show that you have properly considered which lawful basis applies to each processing purpose and can justify your decision.

You need therefore to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies. There is no standard form for this, as long as you ensure that what you record is sufficient to demonstrate that a lawful basis applies. This will help you comply with accountability obligations, and will also help you when writing your privacy notices.

It is your responsibility to ensure that you can demonstrate which lawful basis applies to the particular processing purpose.

What do we need to tell data subjects?

You need to include information about your lawful basis (or bases, if more than one applies) in your privacy notice. Under the transparency provisions of POPIA, the information you need to give people includes:

  • your intended purposes for processing the personal information; and
  • the lawful basis for the processing.

This applies whether you collect the personal information directly from the data subject or you collect their information from another source.

What about special category information?

If you are processing special category information, you need to identify both a lawful basis for processing and a special category condition for processing. You should document both your lawful basis for processing and your special category condition so that you can demonstrate compliance and accountability.

What about criminal offence information?

If you are processing information about criminal convictions, criminal offences or related security measures, you need both a lawful basis for processing, and either ‘official authority’ or a separate condition for processing this information. You should document both your lawful basis for processing and your criminal offence information condition so that you can demonstrate compliance and accountability.