Posts

The 8 Conditions for the Processing of Personal Information: Part II

Protection of Personal Information

The deadline for full compliance with the Protection of Personal Information Act, 2013 (“POPI“) is around the corner, and it certainly has caused a recent spike in emails from concerned clients wondering if it is too late. Although ensuring compliance may seem like a daunting task, the good news is that it is not too late; the better news is that you may be further along than you think.

Over the next few weeks, we will be briefly unpacking POPI’s minimum requirements for the processing of personal information. These requirements are set out in Part A of Chapter 3 of POPI, and incorporate the following conditions:

1) Accountability of the Responsible Party

2) Processing Limitation

3) Purpose Specification

4) Further Processing Limitation

5) Information Quality

6) Openness

7) Security Safeguards

8) Data Subject Participation

Our first article looked at conditions 1 and 2, namely, the accountability of the responsible party, and the limitations placed on processing. Now that you know that you need to be accountable and impose limitations on processing of information, we will look at conditions 3 and 4: purpose specification and further processing limitation.

Condition 3: Purpose Specification:

When you collect personal information, it must be for a purpose. It cannot be collected on the basis that the information “might be useful” or is “nice to have”. For every piece of personal information that you collect, you need to specifically and explicitly define the purpose for collecting the information. For example, if you collect cookies from website users, you need to articulate why you do so and for what purpose.

Personal information, once collected, must not be kept longer than necessary. Once you have no further need for the personal information, it must be destroyed or permanently deleted. Unless the law requires you to keep certain records, these records should only be kept for so long as it is reasonably required. Records can also be retained for longer than necessary with the consent of the data subject. We recommend that you obtain the consent of data subjects to (securely) retain their personal information for an indeterminate amount of time, unless the data subject requests its deletion sooner. With consent, you do not have to worry about constantly staying on top of retention timelines.

Condition 4: Further Processing limitations:

You might have collected a client’s contact details for purposes of onboarding them as a potential client. Once they have been onboarded as a client, may you use those contact details for another purpose i.e., further processing? That depends. Further processing must be compatible with the original purpose for which it was collected. In the current example, using the contact details to invoice the client for work performed pursuant to the onboarding process would be acceptable. However, using those contact details to contact the client on a matter pertaining to a separate business division, or sharing those contact details with another service provider may not be acceptable. You need to weigh up:

  • the relationship between the original purpose of collecting the information and the purpose behind the further processing – how close is the relationship?
  • the nature of the information – a personal phone number or email address may need to be treated with more caution than a generic “info” address or telephone number.
  • the consequences of the intended further processing for the client – how severe are the consequences?
  • the manner in which the information has been collected – was it collected under the guise of a particular purpose, by a particular person, in such a way that an impression could be created that the information would not be used elsewhere?
  • any contractual rights and obligations between the parties. If you need to use a client’s contact details to send an invoice to them as per your contract with the client, it is acceptable to use the contact details for that purpose, despite the fact that the details may originally have been collected for a different purpose.

Read Part I here.

Contact Brevity Law here.

Juliette Thirsk
Author: Juliette Thirsk

The 8 Conditions for the Processing of Personal Information: Part I

Protection of Personal Information

The deadline for full compliance with the Protection of Personal Information Act, 2013 (“POPI“) is around the corner, and it certainly has caused a recent spike in emails from concerned clients wondering if it is too late. Although ensuring compliance may seem like a daunting task, the good news is that it is not too late; the better news is that you may be further along than you think.

Over the next few weeks, we will be briefly unpacking POPI’s minimum requirements for the processing of personal information. These requirements are set out in Part A of Chapter 3 of POPI, and incorporate the following conditions:

1) Accountability of the Responsible Party

2) Processing Limitation

3) Purpose Specification

4) Further Processing Limitation

5) Information Quality

6) Openness

7) Security Safeguards

8) Data Subject Participation

This article addresses the first two conditions, namely, the accountability of the responsible party, and the limitations placed on processing.

Condition 1: Accountability of the responsible party:

In terms of POPI, the responsible party must take necessary measures to ensure, amongst other things, the security, integrity and safety of information processed, including by adopting appropriate, reasonable technical and organisational measures to prevent loss, damage, or unlawful access to data in its possession or under its control. An organisation that collects the names, identity numbers and financial information of its clients will, of course, be held to a higher standard of care that an organisation that only collects email addresses. Practically speaking, you need to make sure that the personal information you collect is safe and secure. If it is stored digitally, you must ensure appropriate firewalls, antivirus software and anti-spyware packages are installed. If you are using a third-party sever, ensure that you are using a trusted provider that has its own security measures in place. You need to make sure that you use complex passwords. If you have personal information accessible in hard copy form, these need to be securely stored and not lying around on a desk in an open-plan office. Invest in a paper shredder. Your employees need to be educated about their responsibilities under POPI.

Another feature of accountability is the requirement for every organisation to have an ‘information officer’. This individual is responsible for:

  • encouraging compliance with the conditions for lawful processing of personal information;
  • attending to any POPI-related requests or queries;
  • ensuring that the organisation is POPI compliant; and
  • assisting the regulator with any investigation relating to the organisation’s POPI compliance.

Where the details of an alternative individual aren’t registered with the regulator, the default position is that this role is assigned to the head of the organisation.

Although the information officer is the custodian of activity relating to the processing of personal information (and may ultimately be held accountable), it is the responsibility of the organisation as a whole to ensure compliance with POPI. It is accordingly important that each member of an organisation that handles personal information is adequately educated in respect of the organisation’s data protection policies.

Condition 2: Processing limitations:

In addition to the condition relating to accountability, POPI imposes limits on the way personal information may be processed, by requiring that the processing of personal information be lawful and reasonable, meet the requirement of minimality, and that the consent of the data subject be obtained.

In processing personal information, you must ensure that the information is only processed to the extent that it is adequate, relevant and not excessive, given the purpose for which it is processed. Put simply, an organisation should never collect or keep more personal information than it needs.

In order to process personal information, the voluntary, specific and informed consent of the relevant data subject (or competent person, in the case of a minor) must be obtained. This can easily be achieved by providing data subjects with access to an accurate privacy notice which they must actively consent to by, for example, utilising a tick-box. This privacy notice must be clear and concise so that the data subject understands exactly what information is being processed and why. It is important to note that POPI provides that a data subject may withdraw its consent at any time and/or request that its personal information be deleted, so the personal information relating to each specific data subject should be easily accessible so requests can be complied with timeously.

Contact Brevity Law here.

Candice
Author: Candice Dayton