Businesses acquire, store, use, process, distribute and destroy personal information on a daily basis, often in a rather cavalier manner. Since PoPI was enacted in 2013, however, how a business collects information and what it does with it thereafter is highly regulated. In a world where a lot of technology is mobile (laptops, flash sticks, scanners, mobile phones, tablets etc.), this leaves you, the "Responsible Party", extremely vulnerable to legal action.
Much of the regulation speaks to a person's right to know why their information is being requested, who will have access to it and how it will be used. This chain of traceability must be made available to the data subject on request. This becomes particularly tricky for a company that may have a number of different repositories for information. Personal information is routinely acquired and accessed by people in HR, sales, operations and accounts. To be frank, how a business uses personal information is often vastly different from why it was needed in the first place. At any point, a breach of PoPI is possible, indeed probable. Anyone can sink the ship!
A first port of call is to be sure that the information collected is absolutely necessary and that the data subject has given permission for it to be recorded. Many standard forms ask for information that is not directly related to the main purpose. Think of security access forms, job applications, employee files or account applications. In addition to being required to keep information private, there is a requirement to ensure the accuracy of that information and to be able to show where it is stored and the purpose for which it is accessed. To reduce the headaches, keep your data collection to an absolute minimum. (Information that is necessary to complete the transaction, e.g. a delivery address, does not require a customer's permission, but if that information is then stored and used for future marketing purposes without express permission, this will constitute a contravention.)
PoPI stipulates the following eight "conditions for the lawful processing of personal information":
1. Accountability
Company directors or compliance officers can and will be held liable for contraventions, and the penalties are severe (a possible R10 million fine or ten years in jail). Not only are all reasonable means of prevention required (the duty is on the responsible party to prove this), but if a breach has occurred, there is a duty to inform all data subjects who may be affected.
2. Processing Limitation
Information should be collected from the data subject directly and it should be minimally processed to achieve the purpose for which it was collected. Throughout the data take-on process, access to this information must be limited to authorised parties only, and only for as long as they need it to perform their duty.
It is important to note that this applies equally to existing clients and employees’ information.
3. Purpose Specification
The business needs to be very clear about what information is being collected and for which specific purpose. This purpose has to be communicated to the data subject.
4. Further Processing Limitation
Information may only be re-used if the new use is directly related to the reason it was initially collected; otherwise renewed permission is required.
5. Information Quality
As the custodian of someone's personal information you have a responsibility to maintain their records and take reasonable, practical steps to ensure that the information is complete, accurate, not misleading and remains updated where necessary.
6. Openness
Have you informed the data subject? Have you obtained his/her permission? Do you have policies in place and a traceable data process history? How do you destroy information?
7. Security Safeguards
The Act states that businesses must "identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control". Do you have proof that you have taken all reasonable steps to protect personal information? Given that even the US government is vulnerable to hacking, this is a tall order.
8. Data Subject Participation
Should the data subject request their personal information history, are you able to provide it, and is it congruent with the reason it was collected? An information register of all personal information kept, who has access to it and why, is key to staying compliant with PoPI.
Key takeaway: To reduce risk and even more work, reduce the information collected to an absolute minimum; ensure you have the subject's permission; maintain the data with tight controls and keep it updated; and when it is no longer needed, ensure it is correctly destroyed.
Author: Janet Askew