POPI ACT
- Sandi Vreugdenhil

- May 17, 2021
Last week I needed to visit a client in a residential estate in Kyalami. On arrival, the licence disc of my car and my driver’s licence were scanned by a security officer, whilst my name, ID and car registration number were recorded manually by another security officer. Prior to my arriving, my client had sent me a secure pre-generated code to give to the guard to enter onto a touchpad at the boom entrance. On exit, the security personnel again entered the pre-generated code. This always makes me feel uncomfortable. Why do they need all that information just to give me access? They have me on camera, they have my car registration number, and the home owner obtained a pass code for me personally, which was sent to me on my cell phone.
It is immediately apparent from the above that POPI is a welcome piece of legislation, necessary to give effect to our constitutional right to privacy. In essence, this is exactly what POPI is about: what personal (identifiable) information is gathered, what it is used for, how and when it is discarded after it has been used, and ensuring that it was used for a legitimate purpose.
But what does it mean for businesses? It means that all businesses must have measures in place to protect the personal information that they hold about clients, suppliers and staff (the data subjects), to use it only for a lawful purpose, and to delete the information in a safe way once it is no longer required for that purpose. POPI applies not only to business-to-individual relationships but to business-to-business relationships as well.
POPI Guidelines
Purpose
The purpose of POPI is to protect us, including juristic persons, from harm by protecting our personal information: to prevent identity fraud and unauthorised access to our bank account details, and generally to protect and respect our privacy, which is a fundamental human right.
How will this be done?
POPI lays down “processing conditions”, which set out the instances in which, and the ways in which, it is lawful to process someone else’s personal information, from when it is collected to when it is destroyed.
What are the penalties for non-compliance?
There are essentially two legal penalties or consequences: a fine of between R1 million and R10 million or imprisonment of one to ten years; or paying compensation to the data subject.
Personal information includes but is not limited to:
Contact information – telephone number, email address etc.;
Private correspondence;
Biometric information – blood group, fingerprints;
Demographic information – age, gender, race, date of birth, ethnicity, etc.;
A person’s opinions of, and about, a person or group; and
A person’s history – employment, financial information, medical history, criminal history as well as educational history.
This includes your staff’s employment records, such as salary and bank account details, e-mails about an incident, leave records and performance reviews. There are some exemptions, such as data processed by or for a public body relating to law enforcement or the justice system, but these would not apply to most businesses.
How does the application of the Act work practically over a full “life cycle”?
Gathering/collecting information
e.g. when you conclude a sale with a client and ask for identifiable information such as ID number, cell number, address, VAT number, etc.
Processing
Continuing with our example: you record these details on your laptop and on a mandated form in your office; your office’s security gate asked your client to provide his driver’s licence and scanned his vehicle’s registration details before he could enter the premises to come to your office; the pricey CCTV camera at the entrance to your business, which you installed for security reasons, makes a visual recording of him; whilst you have him in the office, you make a copy of his ID and SARS compliance certificate for your file; your printer gives problems and the first copy of his ID appears slightly smudged, so you throw that in the bin next to the printer and make another copy. The second one is better and you put that in your file.
Processing means, in effect, doing something with the data. Examples of activities that constitute the processing of personal data include:
Collecting an email address via a web form;
Storing a list of customers’ addresses;
Sending a person marketing communication.
Store
You keep all these details with you (in your office computer system, on your phone and laptop, and in a hard copy file that you keep in a cabinet). There are keys to the cabinet, but you never lock it, as everyone has a key to the cabinet anyway.
Disseminate
You forward the contact details, ID and SARS compliance certificate of the client via email and as a WhatsApp image to your accountant for loading of invoices.
Destroy
Some time after completion of the assignment, you close the file and put it on the archive shelf in your office. There you keep files for a year or so, and then destroy them by sending them to a company to shred. But you keep the client’s details on your laptop and add a reminder to contact the client later, because he intimated that there might be more work in the pipeline.
You can see from the above example that personal information is being transferred with no thought of protection.
So just how is this personal information protected?
Protection is achieved by eight “processing conditions” laid down in POPI. In other words, if you collect and process data in accordance with these very stringent conditions, your handling thereof will not breach the Act nor the person’s right to privacy.
Think of these as legally binding principles that must underpin all processing of personal information within your company. These conditions are explained by way of an example. Pretend that, on behalf of your company, you requested your operations manager to obtain from your client, who rents out student accommodation to university students, the students’ particulars so that you can monitor their device usage and be prepared in case there is a loss in connectivity. Summarised, these conditions for processing stipulate:
1. Accountability: Your company must ensure compliance with POPI when collecting data from the prospective client and students.
2. Lawfulness: The collection of personal information must not be excessive, it must be legally justifiable, and it must not be collected from third parties (in this case the students) without good reason. There are 6 justification grounds in order to lawfully process personal information. The lawful basis will have to be determined before a company may start processing personal information. The 6 justification grounds include:
Consent: The individual (student) has given clear consent for a business to process the data subject’s personal data for a specific purpose
Contract: The processing is necessary for the performance or conclusion of a contract to which the data subject is a party (internet connectivity)
Legal obligation: The processing is necessary as it complies with an obligation imposed by law (FICA)
Legitimate interest of the individual: Processing protects the vital interests of the data subject (the client is protected from overuse or abuse of the internet supplied)
Public law: The processing is necessary to perform a public law duty by a public body
Legitimate interests of the responsible party (i.e. your business that collects or holds the personal information): The processing is necessary for pursuing the legitimate interests of the responsible party or the legitimate interests of a third party to whom the information is supplied (both client and students).
In our example, were the operations manager to ask for the student tenant’s banking details and FICA documents, as well as a cell phone number, these could be justified under these grounds. His/her consent will be obtained, as your request is legitimate in light of the transaction you are processing and serves to ensure that he is financially capable of paying for the data amount.
3. Purpose limitation: Personal information must only be collected in connection with a specific purpose and must not be stored for longer than necessary. In our example, were the operations manager to ask other details such as church affinity, gender, sexual orientation, it would exceed the purpose of what the agent is required to do, and will not be compliant with this principle.
4. Restriction on further processing: Personal information may only be processed for the purpose it was collected for, under specific conditions. In our example, were the operations manager to keep the email address and contact numbers of the student with the plan to market other products to them without a specific request to do so, this condition would be breached.
5. Information quality: Personal information must be complete and accurate and must ideally be obtained from the person himself, where possible. Only where this is not possible may another source be approached. In other words, in our example, the information obtained must come from the students themselves, or from the client, and the operations manager must make an effort to ensure that it is recorded correctly.
6. Openness: Personal information must be processed in a transparent manner. In our example, the student must therefore be made aware of the fact that his data is being collected for purposes of his data/internet supply. This can be achieved easily, by a note in the application form stating that his personal information is being collected for purposes of data and internet supply and will be stored securely in terms of the agency’s privacy policy.
7. Security safeguards: Personal information must be processed securely and the responsible party must provide notification of any data breaches. This simply means that the company must take care, when collecting and storing the information, that all information is kept secure and not accidentally lost or made known to someone who does not need it.
8. Data subject participation: People must be allowed to access their personal information and request that it is corrected or deleted if it is inaccurate. In our example, the company must have a system/process in place to answer a person’s enquiry regarding what information the agency is holding about him/her; they are allowed to view it and allowed to ask for it to be rectified if the information is incorrect.
Practical application
Generally, the following must be implemented:
1. Do a gap analysis of how and where personal information is collected, and how it is dealt with at each stage, until deletion or destruction.
2. Keep proper records of the personal information you hold.
3. Create relevant policies, such as a privacy policy, a document retention policy, and an internal policy regarding employment records.
4. Review the terms and conditions of service level agreements with third parties to make sure that any data shared with them is treated by that service provider with the same privacy measures as you have in place. The company may be outsourcing certain functions to third-party partners: external service providers that perform the accounting or auditing functions, facilitate payroll, or manage the marketing of your company. Most of these functions will require the organisation to share personal information about its staff, clients and others with the third-party partner in order for the function to be effectively completed.
Section 20 of POPI provides that where an operator processes personal information on behalf of the organisation, the operator must treat the personal information as confidential and not disclose it, unless required by law or in the course of their duties. In the event of there being a data breach, the operator is required to notify the organisation immediately where there are grounds to believe that personal information has been accessed or acquired by an unauthorised person. It is therefore particularly important, when engaging the services of third party partners, to ensure that there is a written contract in place with the provider, requiring the operator to take appropriate, reasonable technical and organisational measures to prevent a data breach. This contract should also require that the third party provider, among other things, ensures that its safeguards are continually updated and that it has due regard to generally accepted information security practices and procedures. Ultimately, in the event of a data breach, it will remain the responsibility of the company (the party that instructed the third party) to notify the Information Regulator and the affected data subjects.
5. Data subject requests and correction: do you have systems in place through which data subjects can ask what information you hold about them, view it, and have corrections accommodated? If it has been deleted or destroyed, can you confirm to them how and when it was deleted or destroyed?
6. Appoint an Information Officer; this must be done between 1 May 2021 and 30 June 2021.
7. What is your procedure for notification of security compromises to data subjects?
8. Employee training: your employees must understand their responsibilities in terms of POPI; using office paper as scrap paper for children to draw on would not be a good idea.
9. Adapt marketing methods in general, and direct marketing specifically.