The POPI Act is a new all-inclusive piece of legislation that safeguards the integrity and sensitivity of private information. Companies are required to carefully manage the data capture and storage process of Personal Information within the lawful framework as set out in the Act.
Below is the definition of Personal Information as stated in the POPI Act:
“personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;”
The Act provides 8 conditions under which Personal Information may legally be gathered and processed. This document must be read in conjunction with the POPI Act, which can be found at http://www.justice.gov.za/legislation/acts/2013-004.pdf
The questions below will assist you in establishing how lawful your current personal information practices are and what still needs to be put in place to be compliant.
A POPIA policies and procedures manual will be required. It is the duty of the Responsible Person to ensure that these policies and procedures are followed.
One of the key aspects of any privacy law, and POPIA in particular, is that it describes the conditions for lawful processing. In other words, the conditions that need to be met if you are to manage personal information correctly. Meeting these conditions is mandatory if the organisation is seeking compliance with POPIA.
The 8 POPIA Conditions:
1. Accountability
The responsible party must ensure that the conditions and all the measures set out in the Act that give effect to such conditions, are complied with at the time of determining the purpose and means of the processing.
Questions to ask:
- Who will be tasked with the responsibility of compliance in your organisation? This individual will be held liable for non-compliance in certain situations.
- How will this individual ensure the organisation is POPI compliant? Policies and procedures must be in place.
2. Processing Limitation
Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject.
Questions to ask:
- Was the personal information obtained directly from the Data Subject? One of the requirements of the Act is that any personal information must be obtained directly from the Data Subject.
- Is the Data Subject aware that you have gathered his/her information and consented to the information being used? Consent from the Data Subject is essential before gathering or processing any personal information.
- If the personal information has been gathered from a third party, has the Data Subject consented to this information being shared and used by you? This is a requirement.
- Is the amount of information being gathered excessive? Only information that is required for the specific purpose for which it is gathered may be stored. You may collect more information than required for the intended purpose for future use if you obtain the necessary consent from the Data Subject (this is regarded as “Further Processing” in the Act).
3. Purpose Specific
Personal information may only be processed for specific, explicitly defined and legitimate reasons.
Questions to ask:
- For what specific, explicit and lawful purpose is the personal information being collected? This purpose must be documented and adhered to.
- Is the Data Subject aware of the purpose for which the data has been collected? The Data Subject has the right to know what information you have and for what purpose it was gathered.
- Can you link all personal information collected to legitimate reasons for collecting it? Personal information may only be gathered for specific, explicit and lawful purposes.
- For what time period may you retain specific personal information? Personal information may only be used for the specific purpose for which it was gathered and thereafter it must be destroyed. This procedure should be covered in the POPIA policies and procedures manual.
- How will you keep track of when personal information must be destroyed? You will be required to account for what information you hold, for what purpose it was gathered and the date on which that information must be destroyed.
- What process will be used to destroy Personal Information, in a manner that prevents its reconstruction, after you are no longer authorized to retain such records? This is an essential step in the process. This procedure should be covered in the POPIA policies and procedures manual.
4. Further Processing Limitation
Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
Questions to ask:
- If you intend to reuse personal information is it in accordance and compatible with the purpose for which it was collected? Should you want to use existing personal information for any other purpose other than what the information was gathered for, confirmation will be required from the Data Subject again.
- Is the Data Subject aware of the continued use of their personal information? When gathering information, you have to advise the Data Subject what the information will be used for and for what period you will hold that information.
5. Information Quality
The responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary.
Questions to ask:
- How do you ensure that personal information is reliable and accurate at all times? By obtaining information directly from the data source, accuracy is more probable. It is always advisable to validate the personal information as it is being captured. If it is not possible for the data subject to input their own information, or if the information is captured from one format to another (i.e. from a paper form to an IT system), then the information should be sent to the data subject for validation.
- What process do you have in place to allow Data Subjects to update their information or withdraw consent? When advising Data Subjects of the information you hold and for what purpose you hold it, they must be given details of how to update their information or withdraw consent. This procedure should be covered in the POPIA policies and procedures manual. It is advisable to develop procedures for automatically checking the accuracy of information on a regular basis, by sending a validation request to the data subjects.
6. Openness
The data subject whose information you are collecting must be aware that you are collecting such personal information and for what purpose the information will be used.
Questions to ask:
- How do you gather personal information from Data Subjects and what process do you have in place to get consent for collecting and using personal information? This is an important step and proof of consent is essential.
- How do you inform the Data Subject of the purpose for which the information is being gathered? The Data Subject must be informed of how the data will be used at the time of gathering the information.
- What evidence do you have that Data Subjects have consented to the collection of their personal information? Proof of consent must be retained to safeguard you against claims of misuse made by the Data Subject.
- Does the Data Subject know who the responsible party is in your organization? When gathering information, Data Subjects must be given the details of the responsible person in your organization including contact details.
- How do you inform the Data Subjects of their right to lodge a complaint with the Information Regulator? At the time that the personal information is gathered, the Data Subject must be advised of his/her rights to complain to the Information Regulator if misuse is suspected. The Information Regulator’s information and contact details must be provided to the Data Subject.
- Have you advised the Data Subject of his/her rights to access his/her information and to object to the processing of said information? This is a requirement.
7. Security Safeguards
Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorized destruction and disclosure.
Questions to ask:
- What procedure do you have in place to identify any foreseeable internal and external risks to personal information? A safety and security risk assessment is required.
- What processes do you have in place to prevent personal information from falling into unauthorized hands? Strict adherence to safety and security policies must be enforced. This procedure should be covered in the POPIA policies and procedures manual.
- What procedure do you have in place to establish and maintain appropriate safeguards against the identified risks? The responsible person must enforce strict policies and procedures to safeguard personal information in your possession. This procedure should be covered in the POPIA policies and procedures manual.
- How do you determine which employees are permitted to access personal information and what information they are permitted to access? Strict policies and procedures are required regarding who has access, and how they gain access, to the personal information in your possession. This procedure should be covered in the POPIA policies and procedures manual.
- What processes do you have in place to alert you when personal information is accessed or modified without authorization? This procedure should be covered in the POPIA policies and procedures manual.
- What processes do you have in place to identify the source of a data breach and the procedure to follow to neutralize such breach? This procedure should be covered in the POPIA policies and procedures manual.
- What process do you have in place to ensure that safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards? This procedure should be covered in the POPIA policies and procedures manual. It is the duty of the Responsible Person to ensure this process is followed.
- What processes do you have in place to prevent the reoccurrence of a data breach? This procedure should be covered in the POPIA policies and procedures manual. It is the duty of the Responsible Person to ensure this process is followed.
- What procedure is to be followed when sharing personal information with an external operator? A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator establishes and maintains the required security measures. The operator must advise immediately if there is the possibility that personal data has been accessed or acquired by any unauthorized person.
- What procedure is in place to inform the Data Subject that their personal information has been compromised? The Data Subject must be advised via e-mail or in writing immediately if it is suspected that their personal information has been accessed by unauthorized persons. Sufficient information must be provided to allow the Data Subject to put measures in place to safeguard themselves against potential consequences of the security compromise. This procedure should be covered in the POPIA policies and procedures manual.
- What procedure is in place to inform the Information Regulator of any security breach? The Information Regulator must be informed in the event of a security breach where personal information could be compromised. This procedure should be covered in the POPIA policies and procedures manual. It is the duty of the Responsible Person to ensure this process is followed.
8. Data Subject Participation
Data subjects may request whether their personal information is held, as well as the correction and/or deletion of any personal information held about them.
Questions to ask:
- What are the Data Subject’s rights regarding access to information being held by you? Data Subjects may request information from you on whether you are holding their personal information. This request may not be declined and may not be charged for. The full nature and details of the information being held must also be provided on request but a charge may be levied for this information.
- What processes do you have in place to ensure such a request from a Data Subject is adhered to? This procedure should be covered in the POPIA policies and procedures manual. It is the duty of the Responsible Person to ensure this process is followed.
- What processes do you have in place to allow Data Subjects to correct personal information that you hold or withdraw consent to use such information? The Data Subject has the right to correct the personal information that you hold. They also have the right to withdraw consent at any time. This procedure should be covered in the POPIA policies and procedures manual.