In our first podcast, we explored the topic of client contact books, what they are and if or how you can use them when POPIA becomes legally enforceable. In some cases, the answer was a matter of getting consent. Which is why, in this episode, we discuss the topic of consent under POPIA in a lot more depth – what it is, when you need it and how to get it.
- What is consent according to POPIA?
- Under POPIA, consent means that the data subject has given you permission to use their data for the purposes that you have outlined to them. According to POPIA, consent needs to be voluntary, specific and informed.
- Why is consent so important in POPIA?
- Consent is important for two key reasons : processing and marketing. In the first instance, a responsible party must have a legal ground for processing a person’s personal information. One of these legal grounds is that the person consented to the processing of their personal information. The second instance is related to direct marketing.
- What does POPIA mean by processing?
- POPIA sees the processing of personal information as doing anything with that data. And I do mean anything whether you collect it, store it, use it, delete it, share it or change it, anything you do with it is considered to be processing. Essentially, the term processing refers to the handling of data in any which way.
- You mentioned the term responsible party. Who does this refer to in POPIA?
- POPIA identifies 2 main role players when it comes to processing personal information. The main one is the responsible party. And by this they mean the party collecting the personal information from the data subject and/or deciding the purpose of that collection.
The second role player is the operator. This is any party processing the personal information on behalf of the responsible party. In the context we are discussing today, the Estate Agent would be the responsible party for all the seller’s personal information. And when the Estate Agent enters the seller’s details into Lightstone’s Toolkit to get a property report, Lightstone becomes the operator. This is because Lightstone would then process the details that you enter into the Toolkit. At the same time, Lightstone also becomes the responsible party for the personal information data it holds from the Deeds office.
- We’ll return to these roles in a future podcast episode and make further sense of the responsibilities for each. In the meantime, exactly is meant by voluntary, specific, and informed consent?
- Each of these words is very specific. For consent to be voluntary it can’t have been coerced in any way. The consent must have been given as the result of a genuine choice. This is probably less relevant to Estate Agents, but not so in the case of a business that only allows access to a service once you give consent to your details being used for direct marketing purposes. That is coercion as you had no real choice in the matter. That is what voluntary is all about.
Specific and informed means that the consent cannot be a general and far-reaching consent. It has to be a focused and particular consent, that the person’s personal information will be processed and used in a determined manner.
Specific consent means that you need to tell the Data Subject what you want to use their Personal Information for. You can’t just say ‘do you give me consent to use your contact details?’ and then go and use those details for whatever purposes you choose. You must make the data subject aware of any and all situations that you will use the data for and they must consent to the information being used in this manner.
- Does that include specifying what and why you will communicate with them in future?
- Yes it does. If a user signs up to receive newsletters from you and consents to the use of their email address for that particular purpose, you can’t then start emailing them to ask if they want to sell their house, or send them information on listings you might have. Remember, POPIA is very specific about how unsolicited direct marking may be sent to a person.
- What about informed consent?
- You need to inform the data subject why you need their personal information, and a few other things that are specified in Section 18 of POPIA. The most notable being that you need to inform them of the name and address of the responsible party (that is you, the Estate Agent). You need to inform them whether you need to share their information with another party. You also need to inform them of the fact that they have a right to access and rectify any personal information you hold on them. There are others, so I suggest all Estate Agents check out Section 18 of the Act before designing their consent process, whether it’s because you want to use a person’s personal information in your business, or whether you want to market your services to them. On the website page that hosts this series you will find a link to the Section 18 content for your quick reference.
- When do you need consent to gather and use personal information?
- In order to answer that, let’s first recap a couple of things from the last podcast. In that episode, we established that if someone is already a customer of yours, you are free to keep using their Personal Information if the purpose is similar to the service you now want to deal with them on. So, if you showed Mary a few houses last month and you get a new listing that you think she would be interested in, you are free to contact her about that listing because you have an existing relationship with her. However, if you were dealing with Mary because you were selling her house, and she hasn’t told you that she is also looking to buy a house, you are not permitted to use her details to market other properties to her, unless you get her consent to do so. And here again we must remember that the consent must be an "opt in" consent and it must be clear as to how and when the information will be used for direct marketing purposes.
- What if someone comes into a show day you’re hosting and you want their contact details so you can call them about similar houses they might be interested in?
- This is exactly when you should be gathering consent. Make sure you gather consent for all the purposes you will need to contact that person for.
- What does consent look like? Is there a particular manner in which you need to get that consent?
- That depends. If the purpose is for direct marketing, then the POPI Act contains an example of a consent in Form 4. You don’t have to use that form exactly, but you do have to ensure that the content contained in that form is part of your consent.
Here is an example of the consent form if you need it.
- What about consent for things other than direct marketing? Like the example above, when you want to set up viewings for a potential client?
- In that case you can gather consent in any form you wish. It is advisable though, to ensure you have a record of the consent, just in case there’s a dispute later on about the granting of consent. It could become a situation of ‘he said, she said’ if you can’t produce the record showing that they’ve given consent.
- Say I have a list of contact details that I purchased before POPIA became enforced and I want to call those people to see if they want to sell their house. I can’t seek consent from them without contacting them, so how do I proceed?
- POPIA is very clear on this. You are allowed to contact each person on that list once and once only, in order to establish whether they’re happy to be contacted in future or not. So make sure you use this call to gather consent for any further uses of their personal information. You only get one shot at it.
- So if they say they don’t want to be contacted by me, I can never call them again?
- That’s right, unless something changes and they indicate that they’re now open to the services you’re wanting to market. For example, they come to a show day to view a house and you can ask them if they would like to be contacted about similar properties, or whether they’re selling their own house and would like you to help them. You can now see why it’s so important to obtain the exact and correct nature of consent from your customers.
- So when in doubt, get consent. Is that the case?
- Yes and no. To answer that, we need to get to the core of POPIA, so bear with me for a sec. Firstly, if you are getting the contact details from the data subject and in deciding the purpose of that, you are considered the responsible party under POPIA. Being the responsible party means that you have to have legal grounds to process that information – although consent is one of the legal grounds, there are actually five other legal grounds on which to legally process a data subject’s personal information. And these are :
- When you have a contract with the person, and processing their data is necessary in the conclusion or performance of that contract. This means that if you have been appointed by a person as their Estate Agent , you may use their information in order to perform in terms of your mandate with them.
- When processing is required in order for you to comply with the law,
- When processing protects a legitimate interest of the data subject,
- When processing is necessary for a public body to perform its duty, and
- When processing is necessary to pursue the legitimate interests of the responsible party or of a third party they supply the data to.
- That’s a lot more options than just getting consent for everything?
- Yes, but the two that are most applicable to Estate Agents, other than consent, are 1) – where you can handle their personal information without consent if you have a contract with them and you need to process their data to fulfil that contract. And 3) if the handling of their data protects a legitimate interest of the data subject.
- What kind of example would cover that last one, as in protecting the legitimate interest of the data subject?
- I can’t actually think of one that is relevant to Estate Agents. Most legal grounds for Estate Agents will be because they have consent, have a contract with a customer, or because the law requires it. Perhaps our audience can think of an example, and if so could send it to us via the link on our website. That would be very helpful!
- That last one you mentioned, about processing being necessary to pursue the legitimate interests of the responsible party. As an Estate Agent, it is definitely in my legitimate interest to be able to canvas home owners to see if they want me to sell their homes. So does POPIA allow me to continue to do this on the basis of this being Legal Grounds?
- No it doesn’t. While it’s not very clear exactly what will and won’t be allowed under this Legal Ground, it is clear that the data subject’s right to have a say in the use of their data is still the important thing here, and thus the Regulator who is responsible for governing POPIA is unlikely to look favourably, or even kindly on people who say that they’re using personal information because their ability to make money as a business, depends on it.
- So some of this doesn’t seem 100% clear cut or absolutely certain as to what the requirements are?
- As with any new law, establishing that certainty comes about through case law. This means people challenging aspects of the law and a judge deciding on the case. The same will be true of POPIA, but the safest thing to do is to ask yourself, ‘does my action require the use of personal information and, if so, am I ensuring that the data subject has a say in the use of their own data? It is also important to make sure that when you have determined that you have a legitimate right to store the personal information of the Data Subject, that you always comply with the eight conditions for lawful processing of that personal information.
- That seems simple enough – making sure the Data Subject has a say in the use of their personal information?
- It might seem simple, but please be aware that the Act is 183 pages long and we’ve simply discussed one very small part of it. In future episodes we will cover other critical parts, such as when a responsible party has Legal Grounds for processing personal information, what else do they have to ensure is in place? As I mentioned there are eight conditions for the lawful processing of data, all of them are relevant to Estate Agents and all are important to understanding the full picture. For example, security safeguards. Some Estate Agents might be used to having a laptop in the car with them, and that laptop contains lots of personal information. So what do you need to do to ensure that the personal information contained on that computer is not at risk if your laptop gets stolen? What about the hand written notes you’ve made of someone else’s information and then left lying around at the office? Do you see how much more there is to discuss?
So that’s it for now. I would also like to remind everyone that, while we try to unpack these topics in as much detail as possible, we can’t possibly cover all angles on any one given topic in this format. And while the purpose of this series is not to give legal advice and the views we set out here are simply Lightstone’s interpretation of the key topics related to POPIA, we cannot stress enough that this information is not intended to be legal advice. If you are looking for formal legal advice on the specifics of managing consent in terms of POPIA and general POPIA compliance, please seek the advice of a registered lawyer or licensed practitioner.
That said, we hope this episode helped you understand consent under POPIA a little better and made your job just a little easier.
In the next episode, we’ll discuss the eight conditions for lawful processing of personal information.