The POPI Act is a new all-inclusive piece of legislation that safeguards the integrity and sensitivity of private information. Companies are required to carefully manage the data capture and storage process of Personal Information within the lawful framework as set out in the Act.
Below is the definition of Personal Information as stated in the POPI Act:
“personal information means information relating to an identifiable, living, natural person, and where it is applicable and identifiable, existing juristic person, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, color, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person;
- information relating to the education or the medical, financial, criminal, or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or another particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views, or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;”
The Act provides 8 conditions under which Personal Information may legally be gathered and processed. This document must be read in conjunction with the POPI Act, which can be found at http://www.justice.gov.za/legislation/acts/2013-004.pdf
The questions below will assist you in establishing how lawful your current personal information practices are and what still needs to be put in place to be compliant.
A POPIA policies and procedures manual will be required. It is the duty of the Responsible Person to ensure that these policies and procedures are followed.
One of the key aspects of any privacy law, and POPIA in particular, is that it describes the conditions for lawful processing. In other words, the conditions that need to be met if you are to manage personal information correctly. Meeting these conditions is mandatory if the organization is seeking compliance with POPIA.
1. Accountability
The responsible party must ensure that the conditions and all the measures set out in the Act that give effect to such conditions are complied with at the time of determining the purpose and means of the processing.
Questions to ask:
- Who will be tasked with the responsibility of compliance in your organization? This individual will be held liable for non-compliance in certain situations.
- How will this individual ensure the organization is POPI compliant? Policies and procedures must be in place.
2. Processing Limitation
Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject.
Questions to ask:
- Was the personal information obtained directly from the Data Subject? One of the requirements of the Act is that any personal information must be obtained directly from the Data Subject.
- Is the Data Subject aware that you have gathered his/her information and consented to the information being used? Consent from the Data Subject is essential before gathering or processing any personal information.
- If the personal information has been gathered from a third party, has the Data Subject consented to this information being shared and used by you? This is a requirement.
- Is the amount of information being gathered excessive? Only information that is required for the specific purpose for which it is gathered may be stored. You may collect more information than required for the intended purpose for future use if you obtain the necessary consent from the Data Subject (this is regarded as “Further Processing” in the Act).
3. Purpose Specific
Personal information may only be processed for specific, explicitly defined and legitimate reasons.
Questions to ask:
- For what specific, explicit and lawful purpose is the personal information being collected? This purpose must be documented and adhered to.
- Is the Data Subject aware of the purpose for which the data has been collected? The Data Subject has the right to know what information you have and for what purpose it was gathered.
- Can you link all personal information collected to legitimate reasons for collecting it? Personal information may only be gathered for specific, explicit and lawful purposes.
- For what time period may you retain specific personal information? Personal information may only be used for the specific purpose for which it was gathered and thereafter it must be destroyed. This procedure should be covered in the POPIA policies and procedures manual.
- How will you keep track of when personal information must be destroyed? You will be required to account for what information you hold, for what purpose it was gathered and the date by which that information must be destroyed.
- What process will be used to destroy Personal Information, in a manner that prevents its reconstruction, after you are no longer authorized to retain such records? This is an essential step in the process. This procedure should be covered in the POPIA policies and procedures manual.
4. Further Processing Limitation
Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
Questions to ask:
- If you intend to reuse personal information, is that reuse compatible with the purpose for which it was collected? Should you want to use existing personal information for any purpose other than the one for which it was gathered, confirmation will be required from the Data Subject again.
- Is the Data Subject aware of the continued use of their personal information? When gathering information, you have to advise the Data Subject what the information will be used for and for what period you will hold that information.
5. Information Quality
The responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary.
Questions to ask:
- How do you ensure that personal information is reliable and accurate at all times? By obtaining information directly from the data source, accuracy is more probable. It is always advisable to validate the personal information as it is being captured. If it is not possible for the data subject to input their own information, or if the information is transferred from one format to another (e.g. from a paper form to an IT system), then the information should be sent to the data subject for validation.
- What process do you have in place to allow Data Subjects to update their information or withdraw consent? When advising Data Subjects of the information you hold and for what purpose you hold it, they must be given details of how to update their information or withdraw consent. This procedure should be covered in the POPIA policies and procedures manual. It is advisable to develop procedures for checking the accuracy of information on a regular basis by sending a validation request to the data subjects.