popi_compliance_monitoring

Overview

  • You are likely to be able to rely on the legitimate interest of the data subject as your lawful basis if you need to process the personal information to protect someone’s life (or the financial survival of a juristic person - business rescue).
  • The processing must be necessary. If you can reasonably protect the data subject’s legitimate interests in another less intrusive way, this basis will not apply.
  • You cannot rely on the legitimate interest of the data subject for health data or other special category information if the data subject is capable of giving consent, even if they refuse their consent.
  • You should consider whether you are likely to rely on this basis, and if so document the circumstances where it will be relevant and ensure you can justify your reasoning.

Briefly

What’s required?

The lawful basis for 'legitimate interest of the data subject' can only provide a basis for processing personal information of that data subject. 

You need to review your existing processing to identify if you have any ongoing processing for this reason, or are likely to need to process for this reason in future. You should then document where you rely on this basis and inform individuals if relevant.

What does POPIA say?

Section 11(1)(d) provides a lawful basis for processing where:

“processing protects a legitimate interest of the data subject”.

The processing of personal information should be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject (or survival of a juristic person). 

What is a ‘legitimate interest of the data subject’?

The legitimate interest of the data subject is intended to cover only interests that are essential for someone’s life or juristic person's survival. This lawful basis is very limited in its scope, and generally only applies to matters of life and death, or business rescue.

When is the legitimate interests basis likely to apply?

It is likely to be particularly relevant for emergency medical care, when you need to process personal information for medical purposes but the individual is incapable of giving consent to the processing. 

Example

An individual is admitted to the emergency department of a hospital with life-threatening injuries following a serious road accident. The disclosure to the hospital of the individual’s medical history is necessary in order to protect his/her legitimate (i.e. vital) interests.

It is less likely to be appropriate for medical care that is planned in advance. Another lawful basis such as public task or legitimate interests is likely to be more appropriate in this case.

Legitimate interests is also less likely to be the appropriate basis for processing on a larger scale. Legitimate interest of the data subject might apply where you are processing on humanitarian grounds such as monitoring epidemics, or where there is a natural or man-made disaster causing a humanitarian emergency.

If you are processing one person’s personal information to protect someone else’s life, you should generally try to use an alternative lawful basis, unless none is obviously available.

What else should we consider?

In most cases the protection of legitimate interests is likely to arise in the context of health data. This is one of the special categories of information, which means you will also need to identify a condition for processing special category information under Section 27.