Is your business ready for POPI?
The purpose of the Protection of Personal Information Act (POPI) is to give effect to the constitutional right to privacy by safeguarding personal information when it is processed by a responsible party. That right is subject to justifiable limitations. POPI also aims to provide people with rights and remedies to protect their personal information from processing that is not in accordance with the Act, and to regulate the manner in which personal information may be processed by establishing certain standards.
A limited number of sections have commenced, but these sections are not of great significance.
However, companies will be well advised to start preparing for the commencement of the remaining POPI sections which will greatly impact their businesses. It is anticipated that the remaining sections of POPI will commence within the first half of 2017, after which a grace period of one year will be allowed to obtain complete compliance.
The rights that data subjects (consumers and clients) have are the following:
- The right to have personal information processed in accordance with the conditions contained in POPI;
- The right to be notified that personal information is being collected, and to be notified if it has been accessed by unauthorised persons;
- The right to establish if a responsible party holds personal information of a data subject and to request access to the information;
- The right to request correction, destruction or deletion of personal information;
- The right to object to the processing of personal information;
- The right not to be subject, under certain circumstances, to a decision which is based solely on the automated processing of personal information intended to provide a profile of such person;
- The right to submit a complaint to the Information Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator; and
- The right to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information.
These rights are all subject to certain conditions and in most instances certain procedures must be followed in exercising these rights.
WHAT IS “PERSONAL INFORMATION”?
Personal Information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
It is important to take notice that both juristic persons (companies) and individuals are included under “Personal Information”.
WHAT IS A “DATA SUBJECT”?
A data subject is the person to whom the personal information relates.
THE 8 CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION
1. Accountability
Your company must ensure that the conditions for lawful processing of personal information, and all the measures that give effect to those conditions, are complied with at the time the purpose and means of the processing are determined and during the processing itself.
2. Processing Limitation
When processing personal information you must ensure that such processing is done lawfully and in a reasonable manner so that the privacy of the data subject is not infringed upon.
3. Purpose Specification
Personal information must be collected for a purpose. This purpose must be explicitly defined and lawful in relation to a function or activity of your company. Steps must be taken to ensure that the data subject is aware of the purpose of the collection of the information.
4. Further Processing Limitation
Should a company require further processing of personal information, such processing must be in accordance or compatible with the purpose for which it was collected.
In determining whether further processing is in line with the original purpose for which the information was collected, your company must take the following into account:
- the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
- the nature of the information concerned;
- the consequences of the intended further processing for the data subject;
- the manner in which the information has been collected; and
- any contractual rights and obligations between the parties.
5. Information Quality
Your company must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
6. Openness
Your company must document all processing operations under its responsibility and must take reasonably practicable steps to ensure that the data subject is aware of the fact that the information is being collected.
7. Security Safeguards
Your company must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent loss, damage or unauthorised destruction of personal information, as well as unlawful access to or processing of personal information.
8. Data Subject Participation
Upon adequate proof of identity by the data subject, he/she has the right to:
- request that your company confirm, without charge, whether or not you hold personal information about the data subject; and
- request the record or a description of the data subject’s personal information that is held by you.
Companies will be well advised to get acquainted with the Information Regulator’s powers, duties and functions. Most notable are the Regulator’s powers to institute civil actions against a Responsible Party and to levy administrative fines of up to R10 Million by issuing an infringement notice.
Notwithstanding the fact that companies have a fair bit of time to get their house in order and ready themselves for the implications of POPI, companies should familiarise themselves with POPI now to ensure that, when the time comes, they are ready and not exposed to any non-compliance issues as far as POPI is concerned.
The Information Regulator was appointed in December 2016. POPI gives the Regulator teeth, with extensive powers to investigate and impose administrative fines. Businesses must ensure that they are not caught off guard once POPI is in full swing and operational.
Author: Arno Bosch