The processing of personal information is an important compliance matter for all businesses these days. By now most people know that the Protection of Personal Information Act 4 of 2013 (the “PoPI Act”) came into effect on 1 July 2020. Every public and private enterprise has to comply, and a grace period of one year applies. From 1 July 2021, the full might of the law will apply.
Lawful processing of personal information
To be lawful, the processing of a data subject’s personal information must comply with eight inter-related conditions. Much has been written about the PoPI Act and search engines display numerous articles. Do not delay if you have not done anything yet. Two important definitions in Section 1 that you need to take note of are:
- A data subject – “a person to whom personal information relates” (a “Person”).
- A responsible party – “a public or private body or any person who determines the purpose of and means for processing personal information” of a Person (the “Company”).
We briefly deal with each of the eight conditions below, showing the relevant sections of the Act next to each heading.
1. Accountability – Section 8
The Company shall ensure that the eight conditions are complied with at the time of data collection and whenever such data records are processed. This Accountability condition is considered to be the core obligation of the Company: it governs how the Company collects and uses personal information on an ongoing basis and without interruption.
2. Processing limitation – Sections 9 to 12
The processing of personal information by the Company must be done:
- reasonably, and
- with the consent of the Person.
The Company bears the burden of proving that it has obtained the Person’s consent and that such consent has not been withdrawn. Once consent is withdrawn, the Company may not process that personal information any longer.
You should retain such consent as a permanent record, even after it has been withdrawn. Ensure that the consent spells out the purpose for which the personal information will be used. You may obtain the Person’s consent as:
- a signed consent form,
- an email,
- completed fields on a webpage, or
- a signed attendance register at reception or a gate entrance, provided that the terms and conditions are highlighted or displayed, or can easily be obtained by the Person.
3. Purpose specification – Sections 13 and 14
The personal information of a Person may only be collected if it relates to a lawful business function or activity of the Company. Records may not be retained any longer than is necessary to achieve the purpose for which they were collected, with a few exceptions.
Upon withdrawal of consent, the data record must be deleted such that it cannot be reconstructed.
4. Further (ongoing) processing limitation – Section 15
Continued, ongoing use of the personal information of a Person must be in line with the purpose for which it was originally collected.
5. Information quality – Section 16
You need to ensure that the data records of all Persons are up to date, complete and accurate. This means that you must re-confirm the details directly with each Person from time to time.
6. Openness – Sections 17 and 18
You may collect personal information from sources other than the Person directly. However, you must then take reasonable steps to inform him/her of those sources.
Importantly, the Company must compile documentation showing all its personal information processing operations.
6.1 Processing operations life cycle
The documented processing operations for the typical lifecycle of the personal information of all Persons would include:
- Types of records – a description of the different types of personal records used in the business, e.g. clients, suppliers, personnel, service providers and visitors.
- Minimum details – a specification of the minimum details required for each type of record. Consider each data field of each type of record: do you really need it?
- Processes – an outline of the processes followed in the ongoing use of personal records. Describe in some detail the processes followed in each Department. This includes third-party processing services using offshore facilities such as ZohoCRM or SalesForce. For these platforms, you need to indicate the level of protection applicable to your data records.
- Privacy – the wording of your privacy and personal information notice. This is a most important notice; consider its contents with some care.
- Consent – obtaining and recording consent and its withdrawal. Your existing systems will have to be amended to cater for these fields.
- Data collection – initial collection processes and how regular re-confirmation is done. Again your existing systems will have to be amended to cater for these fields.
- Data deletion – describe the processes followed to permanently remove personal information.
- Objections – how objections to the use of personal information are handled.
7. Security safeguards – Sections 19 to 22
Loss of, damage to or unauthorised deletion of records, as well as unauthorised access to personal records in your possession, must be prevented. This also applies to third-party operators contracted by the Company, who must:
- operate within the terms of a written agreement;
- be duly authorised to process personal records; and
- treat such records as confidential.
The Company needs to implement a structured, comprehensive risk and compliance management solution. This is required to:
- track reasonably foreseeable risks,
- implement risk mitigation steps,
- conduct regular compliance reviews, and
- update these mitigation processes.
7.1 Security compromises
Whenever you believe that unauthorised access to the personal records of a Person has occurred, you must take the following steps:
Inform the Information Regulator (the “IR”) and the Person, unless his/her identity is unknown, subject to the legitimate needs of:
- any law enforcement investigation undertaken;
- determining the scope of the compromise; and
- restoring the integrity of the Company’s information systems.
Notification to the Person must be in writing and be communicated in one of the following ways:
- website disclosure,
- local media publication, or
- as directed by the IR.
Such notification must cover sufficient detail regarding:
- the possible consequences of the data breach;
- the steps the Company has taken or will take to address the security compromise;
- the steps the Person should consider taking to mitigate his/her risks; and
- if known, the identity of the Person(s) who committed the unauthorised access.
8. Data subject participation – Sections 23 to 25
A Person may require you to confirm, free of charge, whether the Company holds his/her personal details. Should the Person require additional information, such as
- the personal information held and, more importantly,
- the third parties who have accessed the information, then
the Company may levy a fee.
You must, however, provide beforehand a written estimate of the amount of such fee, and may require that all or part thereof be paid in advance.
The Person may also require that personal information be corrected or deleted if inaccurate or out of date. The Company must inform the Person when done. Should this have an impact on decisions taken or to be taken by the Company, you have to inform all parties to whom such information was previously disclosed.