THE 8 CONDITIONS FOR THE PROCESSING OF PERSONAL INFORMATION: PART III

Protection of Personal Information Act

Addressing compliance with the Protection of Personal Information Act, 2013 (“POPI“) may seem like a daunting task. The good news is that it is not too late; the better news is that you may be further along than you think.

Over the next few weeks, we will be briefly unpacking POPI’s minimum requirements for the processing of personal information. These requirements are set out in Part A of Chapter 3 of POPI, and incorporate the following conditions:

1) Accountability of the Responsible Party

2) Processing Limitation

3) Purpose Specification

4) Further Processing Limitation

5) Information Quality

6) Openness

7) Security Safeguards

8) Data Subject Participation

Our previous two articles looked at conditions 1 through 4. This article addresses the 5th and 6th conditions, namely, information quality, and openness.

Condition 5: Information Quality

In terms of POPI, a responsible party must take reasonably practicable steps to ensure that the personal information it processes is complete, accurate, not misleading and updated where necessary. This is applicable to information collected both electronically and manually.

In doing so, the responsible party must have regard to the purpose for which personal information is collected or further processed. In other words, the purpose for collecting personal information must be considered in deciding on the mechanisms to keep information updated. In this regard, compliance with condition 3 (purpose specification) is essential to compliance with condition 5 (information quality).

POPI does not specify what constitutes “reasonably practicable steps”. Accordingly, each business must consider its own operations to ensure that personal information is correct and updated as and when required.

Data subjects must be informed of and reminded of their duty to provide personal information that is up-to-date and to notify the responsible party where any such information requires correction.

Practically, in dealing with the processing of personal information belonging to your customers, for example, you may use your customer terms and conditions as the mechanism to draw attention to the customer’s duty to notify you of any changes to their personal information.

It has been stated, in the context of the European Union’s data protection laws, that personal information utilised merely as a historical record of a transaction does not require updating as its purpose is to record information at the time of the relevant transaction.

Condition 6: Openness

The condition of openness relates to transparency, and has two primary elements, namely maintaining documentation relating to processing operations, and notifying data subjects of the collection and processing of their personal information.

Documentation:

In terms of section 17 of POPI, a responsible party must maintain documentation of all processing activities. Furthermore, where applicable to the responsible party, a manual must be developed in terms of the Promotion of Access to Information Act, 2000 and made available to data subjects.

Notifying data subjects:

When personal information is collected from a data subject, the responsible party must take reasonably practicable steps to ensure that the data subject is notified of the collection each time personal information is collected from the data subject.

These steps include ensuring that the data subject is aware of:

  • The fact that the information is being collected.
  • The name and address of the responsible party.
  • The purpose for which the information is collected.
  • Whether the collection of the information is voluntary or mandatory.
  • The consequences of failing to provide the information.
  • Any laws that authorise the collection of the information.
  • Where applicable, that the responsible party intends transferring the information to another country.

Data subjects should be notified before their personal information has been collected (or as soon thereafter as possible). You may use a privacy notice displayed on your website to achieve compliance with the above, provided the privacy notice is easily accessible and sufficient attention is drawn to its existence.

There are certain exclusions to the general rule of having to notify data subjects. It is important to consider these exclusions carefully so that, if relying on any such exclusions, you don’t fall foul of POPI.

The 8 Conditions for the Processing of Personal Information: Part I

Protection of Personal Information

The deadline for full compliance with the Protection of Personal Information Act, 2013 (“POPI“) is around the corner, and it certainly has caused a recent spike in emails from concerned clients wondering if it is too late. Although ensuring compliance may seem like a daunting task, the good news is that it is not too late; the better news is that you may be further along than you think.

Over the next few weeks, we will be briefly unpacking POPI’s minimum requirements for the processing of personal information. These requirements are set out in Part A of Chapter 3 of POPI, and incorporate the following conditions:

1) Accountability of the Responsible Party

2) Processing Limitation

3) Purpose Specification

4) Further Processing Limitation

5) Information Quality

6) Openness

7) Security Safeguards

8) Data Subject Participation

This article addresses the first two conditions, namely, the accountability of the responsible party, and the limitations placed on processing.

Condition 1: Accountability of the responsible party:

In terms of POPI, the responsible party must take necessary measures to ensure, amongst other things, the security, integrity and safety of information processed, including by adopting appropriate, reasonable technical and organisational measures to prevent loss, damage, or unlawful access to data in its possession or under its control. An organisation that collects the names, identity numbers and financial information of its clients will, of course, be held to a higher standard of care than an organisation that only collects email addresses. Practically speaking, you need to make sure that the personal information you collect is safe and secure. If it is stored digitally, you must ensure appropriate firewalls, antivirus software and anti-spyware packages are installed. If you are using a third-party server, ensure that you are using a trusted provider that has its own security measures in place. You need to make sure that you use complex passwords. If you have personal information accessible in hard copy form, it needs to be securely stored and not left lying around on a desk in an open-plan office. Invest in a paper shredder. Your employees need to be educated about their responsibilities under POPI.

Another feature of accountability is the requirement for every organisation to have an ‘information officer’. This individual is responsible for:

  • encouraging compliance with the conditions for lawful processing of personal information;
  • attending to any POPI-related requests or queries;
  • ensuring that the organisation is POPI compliant; and
  • assisting the regulator with any investigation relating to the organisation’s POPI compliance.

Where the details of an alternative individual aren’t registered with the regulator, the default position is that this role is assigned to the head of the organisation.

Although the information officer is the custodian of activity relating to the processing of personal information (and may ultimately be held accountable), it is the responsibility of the organisation as a whole to ensure compliance with POPI. It is accordingly important that each member of an organisation that handles personal information is adequately educated in respect of the organisation’s data protection policies.

Condition 2: Processing limitations:

In addition to the condition relating to accountability, POPI imposes limits on the way personal information may be processed, by requiring that the processing of personal information be lawful and reasonable, meet the requirement of minimality, and that the consent of the data subject be obtained.

In processing personal information, you must ensure that the information is only processed to the extent that it is adequate, relevant and not excessive, given the purpose for which it is processed. Put simply, an organisation should never collect or keep more personal information than it needs.

In order to process personal information, the voluntary, specific and informed consent of the relevant data subject (or competent person, in the case of a minor) must be obtained. This can easily be achieved by providing data subjects with access to an accurate privacy notice which they must actively consent to by, for example, utilising a tick-box. This privacy notice must be clear and concise so that the data subject understands exactly what information is being processed and why. It is important to note that POPI provides that a data subject may withdraw its consent at any time and/or request that its personal information be deleted, so the personal information relating to each specific data subject should be easily accessible so requests can be complied with timeously.

Author: Candice Dayton