The Edcon Ruling: What to take away from it

1. BACKGROUND

Credit providers assist customers who cannot afford to make all payments in cash. In return for the risk they take, they are allowed to charge certain costs and fees. When credit agreements fall within the ambit of the National Credit Act 34 of 2005 (“NCA” or “the Act”), the Act imposes maximum limits on these fees. Irrespective of the type of credit agreement, section 101 of the NCA provides a closed list of the fees that a credit provider may charge the consumer in relation to a credit agreement. These fees include, amongst others, initiation fees, service fees, interest, credit insurance and/or default administration charges.

2. INTRODUCTION

It has become common practice for retailers to make membership clubs available to consumers in exchange for a monthly “membership/club fee”. Typically, when a consumer becomes a club member he or she would earn points or similar consideration for different reasons – such as a percentage of the purchase price being earned in points. Depending on the type of club joined and/or amount of points earned by that club member, he or she would be entitled to convert his or her points into some form of benefit or product (for example, entertainment, travel, spa, gym etc.). For credit providers who want to offer similar “clubs” there is a challenge in that the NCA does not provide for this kind of “club fee”.

3. THE EDCON RULING

More recently, the National Credit Regulator (“NCR”) started to investigate this business practice and focused on a well-known credit provider retailer: Edcon Holdings Limited (“Edcon”). Following the investigation, the NCR initiated action against Edcon by referring the matter to the National Consumer Tribunal (“NCT”), seeking an order declaring that Edcon had, among other things, repeatedly contravened the provisions of the NCA relating to prohibited charges by charging a fee not provided for in the NCA.

The NCT considered the matter from a broader legal perspective, namely whether the NCA allows a credit agreement to contain any fee or charge other than those permitted by the NCA. Edcon argued that the club membership was a stand-alone product, not intended to be part of the credit agreement.

As a starting point, the NCT concluded that the NCA unambiguously prohibits credit providers from charging any fee or charge other than those listed in and provided for in the Act.  The NCT found that Edcon was not allowed to charge its credit customers any fee or charge other than that permitted by the NCA and could therefore not charge the club membership fees. In conclusion, it was held that, by doing so, Edcon had engaged in repeated prohibited conduct in terms of the NCA.

The NCT emphasised that the business practice of charging “membership/club fees” is explicitly prohibited by the NCA and any credit provider who does business in this way may face dire consequences. From perusal of the ruling, the likely consequences that Edcon faces may include being directed to refund consumers charged club and membership fees from 2007 to date and/or an administrative fine on Edcon. According to media reports, Edcon has indicated that they will appeal the ruling.

4. CONCLUSION

The above ruling raises a red flag for credit providers and credit retailers who may be involved in similar business practices. Retailers should take the following away from this ruling:

  • irrespective of whether customers voluntarily choose to purchase this type of (club) product, a membership/club fee may be seen as a cost of credit if it is inseparably linked to a credit agreement; and
  • review your credit agreements to ensure you do not include any provisions or charges not allowed in terms of the NCA.

Please note that not all club memberships will fall within the ambit of this ruling; club structures will need to be considered on a case-by-case basis. Please do not hesitate to contact us should you have any queries.

POPI SERIES – CONDITION 8 – DATA SUBJECT PARTICIPATION

We are coming to the end of our POPI series. The first seven POPI Conditions for Lawful Processing have been discussed in detail in our previous articles and this month it is time for a discussion of the eighth and final condition: Data Subject Participation. This condition is comprised of three elements, namely (i) access to personal information, (ii) correction of personal information and (iii) the manner in which the personal information is accessed.

Applicable POPI sections and commentary

The relevant sections of POPI applicable to “data subject participation” have been reproduced below with our commentary:

Access to Personal Information

Section 23 “Access to personal information.—

(1) A data subject, having provided adequate proof of identity, has the right to—

(a) request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and

(b) request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—

(i) within a reasonable time;

(ii) at a prescribed fee, if any;

(iii) in a reasonable manner and format; and

(iv) in a form that is generally understandable.

(2) If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.

(3) If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1) (b) to enable the responsible party to respond to a request, the responsible party—

(a) must give the applicant a written estimate of the fee before providing the services; and

(b) may require the applicant to pay a deposit for all or part of the fee.

(4) (a) A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.

(b) The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.

(5) If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4) (a), every other part must be disclosed.”

Commentary to Section 23 above:

  1. Data subjects have a right to access their personal information records and receive copies of these records. This right is not, however, unlimited. A responsible party will have some discretion as to the process to be followed in allowing data subjects to request access to their information, as well as the means through which the data subject will be obliged to identify him/herself before being given access to their personal information. One method of regulating these requests may be through a responsible party’s PAIA manual or a similar ‘personal information request document’.
  2. If it appears that a responsible party is indeed in possession of certain information about a data subject, the data subject may request that responsible party to provide it with a record of this information.
  3. Within that record provided to the data subject, the responsible party will have to bring to the attention of the data subject that it has the right in terms of section 24 to request a correction to such information.
  4. A responsible party may charge a prescribed fee (if any) for providing the record referred to in subsection (1)(b). Before doing so it must give the data subject a written estimate of the fee, and it may require a deposit for all or part of that fee.
  5. Where the provisions of the Promotion of Access to Information Act 2 of 2000 (“PAIA”) so permit, a responsible party may refuse to disclose particular information to the data subject. If, however, such right to refuse relates only to certain information, the remaining information (in respect of which PAIA permits disclosure) must be disclosed to the data subject.

Correction of Personal Information

Section 24: “Correction of personal information.—

(1) A data subject may, in the prescribed manner, request a responsible party to—

(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

(b) destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.

(2) On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—

(a) correct the information;

(b) destroy or delete the information;

(c) provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or

(d) where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.

(3) If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.

(4) The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.”

Commentary to Section 24 above:

  1. After receiving a record of personal information from a responsible party in terms of section 23, a data subject may request the deletion or correction of such personal information.
  2. Any request made by a data subject should be made on the basis of the personal information in question being inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
  3. If the data subject has requested the deletion or correction of his or her personal information in accordance with sections 23 and 24, the responsible party may correct, destroy or delete it; alternatively, it may provide the data subject with credible evidence in support of the personal information. Where agreement cannot be reached and the responsible party believes it is entitled to retain the personal information, the data subject may request that a kind of disclaimer be attached to the information, so that anyone reading it is informed that a correction has been requested but not made.
  4. If a responsible party has changed information in relation to a data subject, and this change has an impact on decisions that have been or will be taken in respect of that data subject, the responsible party must (if reasonably practicable) inform each person to whom that personal information has been disclosed of such change.

Manner of Access

Section 25: “Manner of access.—

The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section 23 of this Act.”

Commentary to Section 25 above:

  1. This section provides that the data subject may make use of the relevant provisions in PAIA to make a request for personal information in terms of section 23 of POPI.
  2. In each PAIA request for personal information, there will need to be a procedure through which the responsible party appropriately identifies the data subject as the person to whom the relevant personal information relates.

Conclusion

Essentially, POPI’s Condition 8 aims to ensure practical and accessible transparency for data subjects in the processing of their personal information. This transparency demands that a responsible party allows a data subject to have a say in the processing of the personal information in the possession or under the control of that responsible party. Ultimately, this all boils down to a responsible party’s responsibility to maintain up-to-date information registers and implement suitable controls, so that it is able to easily (i) identify what personal information is in its possession or under its control; (ii) identify to whom that personal information relates; and (iii) update such personal information.
POPI SERIES – CONDITION 7 – INFORMATION SECURITY

INTRODUCTION

The purpose of the Protection of Personal Information Act 4 of 2013 (“POPI”) is not to prohibit the processing of Personal Information (“PI”) per se. One of the purposes of POPI is rather to regulate the processing of PI, including by prescribing that organisations must implement appropriate safeguards to ensure that the PI they process is protected and secured.

This month our focus is on Condition 7, which pertains to Security Safeguards. In essence, this condition requires organisations to secure the integrity and confidentiality of all PI in their possession or under their control. This is achieved by implementing appropriate and reasonable security measures.

RELEVANT POPI SECTIONS

We discuss the practical implications further below; our high-level comments on the POPI sections appear in square brackets.

Section 19

“Security measures on integrity and confidentiality of personal information.—

(1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

(a) loss of, damage to or unauthorised destruction of personal information; and

(b) unlawful access to or processing of personal information. [This is the general obligation on the responsible party to take steps to secure personal information.]

(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to—

(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

(b) establish and maintain appropriate safeguards against the risks identified;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. [This is a continual obligation to identify security risks on an ongoing basis and implement measures to reduce risks so identified.]

(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.” [POPI does not provide a “tick list” of security requirements to meet. Responsible parties must consider applicable industry security practices and then implement security measures appropriate to their business.]

Section 20:

“Information processed by operator or person acting under authority.—

An operator or anyone processing personal information on behalf of a responsible party or an operator, must—

(a) process such information only with the knowledge or authorisation of the responsible party; and

(b) treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.” [This is the limitation on operators – they may not use personal information received from the responsible party for their own purposes outside of the scope of the contract with the responsible party.]

Section 21: “Security measures regarding information processed by operator.—

(1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19. [There is a duty on the responsible party to regulate the relationship with the operator by written contract.]

(2) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.” [Operators should note this duty to report unauthorised access.]

WHAT DOES ALL OF THIS MEAN IN PRACTICE?

Different requirements will need to be considered, depending on whether you are acting as a responsible party or as an operator.

As a responsible party you have an ongoing obligation to safeguard the PI in your possession from being destroyed unlawfully, accessed unlawfully, lost or damaged. This obligation requires your organisation to have reasonable technical and organisational measures in place to protect PI under its control or in its possession. Organisational measures include, for example, restricting unauthorised individuals from entering your premises; technical measures include controls through which the organisation restricts access rights and the usage of its networks, devices and so on.

There is also an ongoing obligation on organisations to identify new risks. These should be prioritised according to the threat posed.

Practical controls or processes in response to risks identified, could include the following:

  • Review of access rights on an ongoing basis;
  • Ownership for PI;
  • Physical access controls;
  • Computer/ device passwords;
  • Firewalls;
  • Encryption;
  • Remote destruction;
  • Anti-virus programs;
  • Exit process.

Most organisations have been implementing some of these measures to secure PI since long before POPI was enacted. Condition 7 of POPI requires organisations to review their current processes and to implement additional processes where gaps are identified.
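Two of the controls listed above, the ongoing review of access rights and the exit process, are the ones most often found wanting when a responsible party tries to show, for section 19(2)(c), that its safeguards are “effectively implemented”. The following is an added example, not code from the original article or from any product it mentions, of what such a periodic review looks like in practice: it takes a list of accounts on a system that holds PI and flags accounts of people who have left (exit process not completed), accounts that are dormant, and administrative accounts not on the approved list. The system name, role names, the 90-day dormancy threshold and the sample accounts are all assumptions constructed for the example.

```python
"""Periodic access-rights review over a constructed account list.

Added example for illustration; the role names, threshold and sample data
are assumptions and not taken from the article or any real system.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user: str
    role: str           # assumed naming: "<system>-admin" or "<system>-read"
    last_login: date
    employed: bool      # False once HR has run the exit process


# Assumed policy: only these users may hold an "-admin" role on the CRM,
# and an account unused for 90 days is treated as dormant.
APPROVED_ADMINS = {"alice"}
STALE_AFTER = timedelta(days=90)


def review(accounts, approved_admins, today, stale_after=STALE_AFTER):
    """Return a sorted list of (user, finding) pairs for the accounts given.

    Findings:
      leaver-still-active  exit process did not remove the account
      dormant              no login within `stale_after`
      unapproved-admin     privileged role held outside the approved set
    """
    findings = []
    for acct in accounts:
        if not acct.employed:
            findings.append((acct.user, "leaver-still-active"))
        if today - acct.last_login > stale_after:
            findings.append((acct.user, "dormant"))
        if acct.role.endswith("-admin") and acct.user not in approved_admins:
            findings.append((acct.user, "unapproved-admin"))
    return sorted(findings)


def review_record(findings, today, system):
    """Build a dated record of the review so it can serve as evidence that
    the safeguard was verified (section 19(2)(c)). Returns a dict."""
    return {
        "system": system,
        "reviewed_on": today.isoformat(),
        "accounts_flagged": sorted({user for user, _ in findings}),
        "findings": findings,
    }


# Constructed sample accounts (not real people or a real system).
SAMPLE = [
    Account("alice", "crm-admin", date(2015, 5, 28), employed=True),
    Account("bob",   "crm-read",  date(2015, 1, 10), employed=True),   # 142 days idle
    Account("carol", "crm-admin", date(2015, 5, 30), employed=True),   # not approved
    Account("dave",  "crm-read",  date(2015, 5, 20), employed=False),  # has left
]


def run_sample(today=date(2015, 6, 1)):
    """Run the review over the constructed sample and return the findings."""
    return review(SAMPLE, APPROVED_ADMINS, today)


if __name__ == "__main__":
    found = run_sample()
    for user, finding in found:
        print(f"{user:8} {finding}")
    print(review_record(found, date(2015, 6, 1), "crm"))
```

Each flagged account should be actioned (removed, disabled or formally approved) and the dated record kept; the record, not the script, is what demonstrates to the Regulator that the safeguard was verified rather than merely documented.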

If your organisation outsources any functions involving the processing of personal information to a third party operator, you will still remain responsible for the processing of the PI. You also have the obligation in terms of POPI to regulate your relationship with the operator by way of written contract to ensure that the operator provides the service in accordance with POPI requirements.

In terms of POPI there is a duty on responsible parties to regularly consider whether there are any new risks and then implement processes to address the risks identified.

As an operator, it is very important to understand that you cannot do with the personal information received from the responsible party as and how you want to. The responsible party as the custodian of the information will authorise you to only use the information for the purposes of the service that you are rendering to the responsible party. You cannot use the information for any of your own purposes.

WHAT HAPPENS IF THERE IS A SECURITY BREACH?

In terms of POPI you cannot keep quiet and hope that no one will ever find out. The law puts an obligation on you to report the breach.

In terms of section 22: Notification of security compromises.—

(1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—

(a) the Regulator; and

(b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.

The law also determines that the notification to the data subject must be in writing and communicated in one of the following ways:

  • mailed to the data subject’s last known physical or postal address;
  • sent by e-mail to the data subject’s last known e-mail address;
  • placed in a prominent position on the website of the responsible party;
  • published in the news media; or
  • as may be directed by the Regulator.

The following information needs to be disclosed in the notification:

  • a description of the possible consequences of the security compromise;
  • a description of the measures that the responsible party intends to take or has taken to address the security compromise;
  • a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  • if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.

CONCLUSION

In preparation for POPI you should consider your current processes, access rights and security measures. It is likely that some of these will need to be reviewed and new processes implemented to ensure compliance. Remember that POPI does not provide a defined list of measures to implement; consider applicable industry standards and make sure that you can comply with this important Condition 7.

POPI SERIES – CONDITION 6 – OPENNESS

Introduction

We have now passed the halfway mark of our POPI Series and the next topic in the series is that of “Openness” or “Notification”. In our view, Notification is one of the most challenging provisions of POPI. This condition will most definitely require responsible parties to change current processes and possibly develop new processes to ensure compliance.

In this article, we are going to try and focus on the practical implementation of this condition.

This condition is premised on two primary elements, namely:

  • Documentation; and
  • Notification to the Data Subject.

This condition must not be confused with the “prior notification” sections (sections 57 and 58), under which a responsible party needs to notify the Information Regulator of certain processing activities before it may process the personal information. This will be discussed in a separate article in future.

Relevant sections and practical implications.

Let’s first look at the requirements of section 17:

“Documentation.—

A responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.”

In terms of this section, a responsible party must consider the provisions of sections 14 or 51 of the Promotion of Access to Information Act 2 of 2000 (“PAIA”). Note that for private bodies, section 51 will apply. In terms of section 51 of PAIA certain private bodies need to disclose specified information through a manual, generally referred to as a PAIA Manual. Note that POPI will amend PAIA to provide for additional information that must be included in a company’s PAIA manual.

It is not difficult to comply with section 17 and responsible parties must remember to amend their PAIA manuals to include the required information.

Now we turn to the provisions of section 18, which will be more challenging to comply with.

“Notification to data subject when collecting personal information.—

(1) If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—

(a) the information being collected and where the information is not collected from the data subject, the source from which it is collected;

(b) the name and address of the responsible party;

(c) the purpose for which the information is being collected;

(d) whether or not the supply of the information by that data subject is voluntary or mandatory;

(e) the consequences of failure to provide the information;

(f) any particular law authorising or requiring the collection of the information;

(g) the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;

(h) any further information such as the—

(i) recipient or category of recipients of the information;

(ii) nature or category of the information;

(iii) existence of the right of access to and the right to rectify the information collected;

(iv) the existence of the right to object to the processing of personal information as referred to in section 11 (3); and

(v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

(2) The steps referred to in subsection (1) must be taken—

(a) if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or

(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

(3) A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.

(4) It is not necessary for a responsible party to comply with subsection (1) if—

(a) the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;

(b) non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;

(c) non-compliance is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

(iii) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or

(iv) in the interests of national security;

(d) compliance would prejudice a lawful purpose of the collection;

(e) compliance is not reasonably practicable in the circumstances of the particular case; or

(f) the information will—

(i) not be used in a form in which the data subject may be identified; or

(ii) be used for historical, statistical or research purposes.”

From the above it follows that, in terms of this condition, a responsible party has an obligation to notify a data subject of certain specified information each time information about the data subject is collected, from whichever source, unless the responsible party can rely on one of the exceptions to the general rule and can justify why notification is not necessary.

Why did the legislator include this section? Compliance with this section will clearly be very onerous on business and could also be a costly exercise.

We believe that some of the main reasons for including this section are the following:

  • Currently information flows between companies without data subjects ever realising what is happening with their information.
  • Data subjects provide their personal information to companies for specific reasons, but companies often take the information and do with it whatever they want to –including to use it for reasons that would never have been intended by the data subject.
  • Data subjects do not know which companies hold their personal information.

In terms of this section 18, companies will therefore need to inform data subjects of the reasons for which they would use the data subject’s information. They also need to inform them of the type of companies with whom the personal information will be shared, including where information will be shared with third party service providers who will have access to the information or receive the information for processing on behalf of the responsible party.

When do you need to notify data subjects? According to POPI this must happen even before you collect the information – if you collect it directly from the data subject, or if not directly from the data subject, before you collect or as soon as reasonably possible after you have collected it.

How do you need to notify the data subject? POPI does not provide exact details on how this notification needs to take place. Once the Regulator has been set up, we may get a better idea of the expectations around ways to notify. Currently it seems that the most popular way is to include the information in privacy policies. This is not prohibited, but if the data subject does not know about the privacy policy and the notification information provided through it, it may have little effect. The proposed solution is to include a specific reference to the policy in your customer terms, application forms or other applicable documentation, and then to include the majority of the required information in the policy itself.

By far the biggest challenge will come in where information is not collected directly from the data subject. This happens on a daily basis and a few examples include:

  • Collecting information about a relative / friend of your customer
  • Collecting information from the credit bureau
  • Collecting information from third party data suppliers
  • Collecting information from fraud data bases
  • Collecting information from other companies within your group of companies
  • Collecting information from business partners

As you will have seen from subsection (4) quoted above, in some instances you do not need to comply with the notification requirements. We however urge businesses to consider the exceptions very carefully and not to rely flippantly on something like “it is not reasonably practicable” to notify without properly determining whether the exception really applies. Merely taking the view that it would be “very costly” to comply is unlikely to be good enough to justify non-compliance.

Conclusion

It is evident that the POPI conditions are closely connected to one another. Notification, for example, links in with purpose specification. In terms of Condition 3, you need to specify the purposes for which you intend to use the personal information. In terms of Condition 6, you need to tell the data subject what the purposes are that you identified in terms of Condition 3.

Remember to update your PAIA manual to include the required information in terms of POPI.

Consider all situations where you collect personal information and consider how you will notify. You may be able in some instances to rely on an exception and decide not to notify. Document those decisions and explain your justification for record purposes.

For any assistance with this challenging condition, please contact Jana van Zyl at jana@dommisseattorneys.co.za

POPI SERIES CONDITION 5 – INFORMATION QUALITY

1. INTRODUCTION

Let’s recap: we have previously discussed Conditions 1-4 of the Protection of Personal Information Act 4 of 2013 (“POPI”), dealing with Accountability, Lawful Processing, Purpose Specification and Further Processing Limitations. In this month’s POPI series, we are going to discuss Condition 5 which deals with the Information Quality.

2. INFORMATION QUALITY IN TERMS OF POPI

In terms of section 16:

“Quality of information—

(1) A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

(2) In taking the steps referred to in subsection (1), the responsible party must have regard to the purpose for which personal information is collected or further processed.”

In terms of Condition 5, a responsible party is required to take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary. This requirement applies to personal information collected both manually and electronically. POPI does not provide further details on what "reasonably practicable steps" would mean, and therefore each business will need to consider its own operations and decide which steps and processes it will implement to keep personal information reasonably up to date.

In terms of subsection (2), the purpose of collection and processing must be considered when deciding on the steps to be taken to update information. This is an example of how the POPI Conditions work together – purpose specification is an obligation in terms of Condition 3 but should also be considered for compliance with Condition 5. In essence the decision of the responsible party in relation to the quality of the personal information as well as the reasonably practicable steps to be taken is directly linked to the purpose for which the personal information was collected.

Data subjects should also take some responsibility, and could be required to advise responsible parties of a change in their details where applicable. This could, for example, be regulated with the data subject (if it is a customer) in the customer contract or in the general user terms and conditions.

Other examples of possible processes to update information include call centre interaction (each time you speak to the customer, ask whether their details have changed) or, if your business allows for it, providing online access to customer accounts so that the customer can log in and update his or her own details.

3. CONCLUSION

In order for organisations to comply with the requirements of Condition 5, they would firstly need to identify the purpose for which they intend to use the information, and then implement reasonable processes to make sure that data subjects have access to a mechanism through which their current information can be updated where required.

POPI SERIES: CONDITION 4 – FURTHER PROCESSING LIMITATIONS

Moving right along in connecting the dots between Conditions 1 and 8 of the Protection of Personal Information Act 4 of 2013 (“POPI”). In our previous POPI Series articles, we discussed POPI Conditions 1, 2 and 3 in more detail, which relate to Accountability, Lawful Processing and Purpose Specification respectively. This month, we are going to discuss Condition 4 – which relates to Further Processing Limitations.

In previous articles we have emphasised the importance of knowing the reason, the purpose, for which a responsible party is collecting and using personal information ("PI"). It is vitally important for a responsible party to define the purpose for processing initially, when the PI is collected, because in terms of POPI any "further processing" of the PI must "link in" with that initial reason (purpose) for which the PI was collected.

POPI allows responsible parties to “further process” PI provided that the further processing is within the parameters of the POPI provisions. The general rule is that the further processing must be in accordance with or compatible with the purpose for which it was collected the first time (section 15(1)). POPI does not provide a defined list of what will constitute “compatibility”.

In practical terms this means that you cannot collect personal information for a specifically defined purpose and then use it for a purpose that is not linked to the original purpose at all. By way of example: as lawyers, we collect information about our clients. If we collect information for purposes of a specific brief, we could possibly argue that if the client returns after a period of time with another brief, the information collected the first time could be used under the "further processing" provisions of POPI, because the two reasons for processing are closely linked (both being for purposes of assisting with a legal brief, although the two briefs have nothing to do with one another).

If however, we collect the information for the first brief from the client (client 1) and we know that another client (client 2) would be very interested to meet with client 1 or use client 1’s information for its own purposes, and we pass on client 1’s information to client 2, this processing action would not be linked to the original purpose for which client 1 provided his information and we would fall foul of the further processing provisions of POPI.

So how do we determine whether the further processing is compatible with the original purpose or not?
As noted above, POPI does not provide a defined list of what will constitute "compatibility". It rather answers the question in the negative, indicating when processing would "not be incompatible". The test for compatibility is set out in section 15 of POPI. I add my comments on the lawyer example above in square brackets to explain the concept:

"Section 15 Further processing to be compatible with purpose of collection —
(1) Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of section 13.
(2) To assess whether further processing is compatible with the purpose of collection, the responsible party must take account of—
(a) the relationship between the purpose of the intended further processing and the purpose for which the information has been collected; [Initial purpose was to assist the client with the legal brief. The secondary purpose is to share his information with an unknown (to him) third party for the third party's purposes.]
(b) the nature of the information concerned; [Possibly not that relevant, but could be very personal in nature.]
(c) the consequences of the intended further processing for the data subject; [Depending on what the third party wants to do with it, the consequences may not sit well with client 1.]
(d) the manner in which the information has been collected; [Would have been with (implied at least) consent to use it for purposes of assisting with the legal brief and the relationship between the attorney and client in general.] and
(e) any contractual rights and obligations between the parties. [The contract would have covered the instruction to the lawyer to assist with the legal brief.]
(3) The further processing of personal information is not incompatible with the purpose of collection if—
(a) the data subject or a competent person where the data subject is a child has consented to the further processing of the information; [No consent from the client to pass on the information.]
(b) the information is available in or derived from a public record or has deliberately been made public by the data subject; [Not applicable.]
(c) further processing is necessary—
(i) to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences; [Not applicable.]
(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997); [Not applicable.]
(iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; [Not applicable.] or
(iv) in the interests of national security; [Not applicable.]
(d) the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to—
(i) public health or public safety; or
(ii) the life or health of the data subject or another individual; [Not applicable.]
(e) the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; [Not applicable.] or
(f) the further processing of the information is in accordance with an exemption granted under section 37." [Not applicable.]

CONCLUSION: As can be seen from the above example, the intended further processing to share the information with a third party (client 2) will not meet the requirements of section 15 and the further processing will not be allowed in terms of POPI.

Each time that a responsible party intends to “further process” personal information, the responsible party should therefore assess whether the further processing is “compatible” with the original purpose for which it was collected by using the factors listed in section 15.

Below follows a more detailed discussion of the grounds listed in section 15(3), on which the responsible party can argue that the further processing will not be incompatible with the original purpose for processing:

Consent
If the data subject consents to the further processing, the responsible party can further process it. Applying it to our lawyer case study: if the lawyer phones the client and obtains his consent to pass on the client’s information to the third party (client 2), there would be no problem.

Public record
Further processing is allowed if the information is available in or derived from a public record OR has deliberately been made public by the data subject. (Facebook for example).
Section 1 defines a “public record” as a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body.

Maintenance of the law
If the further processing is necessary for purposes of maintenance of the law, to comply with legislation, for the conduct of court proceedings, or if it is in the interests of national security, it will be allowed. If for example the client in our case study wanted to settle the lawyer’s bill of R 100 000 in cash, the lawyers have a duty in law to report this to the relevant authorities, and that further processing action to report it (without consent from the client) would indeed be allowed.

Health or safety threat
If the further processing is necessary to prevent or mitigate a threat to public health or safety or the life/health of the data subject or another individual, further processing is allowed. If for example the client in the case study needed urgent medical treatment in a situation where his life was in danger, the lawyers would be able to argue that sharing the personal information with medical staff (if this could ever be relevant) would be justified under this exception.

Historical Statistical and Research purposes
Further processing is allowed for these purposes, provided that it is carried out solely for such purposes and the information is not published in an identifiable form.

Regulator Exemption
The further processing will be allowed if it is in accordance with an exemption that was granted by the Information Regulator (once established). This could be where the further processing is necessary for public interest purposes and an exemption was granted.

Conclusion

From a compliance perspective, the data subject must know the purposes for which a responsible party will be collecting and using the PI. If the business did not obtain explicit consent from the data subject at the time of collection for the specific future processing activity it wishes to use the PI for, the business must assess the “compatibility” of the further processing as outlined above. Responsible parties will have to consider the steps above and determine on a case by case basis (based on the facts) whether further processing will be compatible or not.

POPI Series: Condition 3 – Purpose Specification

Introduction

In our previous two POPI series articles, we considered Conditions 1 and 2 in more detail, which conditions relate to Accountability and Lawful Processing. This month we are going to tackle Condition 3 – Purpose Specification.

The purpose of collection or processing of personal information is in some way or another, the crux of a number of the POPI requirements as set out in the different conditions for lawful processing. This condition is comprised of two elements, namely: Collection for specific purpose as well as retention and restriction of records. The two elements provide us, firstly, with parameters within which organisations may collect and process personal information, and secondly the time period for which an organisation may lawfully retain personal information records.

Collection for a specific purpose

In terms of section 13:

“Collection for specific purpose.—

(1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

(2) Steps must be taken in accordance with section 18 (1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18 (4) are applicable.”

Section 13(1) is self-explanatory and straightforward in that it requires a responsible party to collect personal information for a specific purpose. This means that going forward, responsible parties will need to define the different reasons for which personal information will be processed and also make sure that these reasons tie in with the responsible party's general business activities. The current practice for many organisations is to obtain as many information fields as the data subject is willing to complete. POPI requires organisations to take a step back and consider the reasons why the information is being collected (and processed), and then only process the relevant information fields, as required for the particular business operation.

This principle will also apply when the responsible party shares information with third parties. If for example, your business makes use of a third party to send out your bulk marketing messages, you should only share with the third party the information that they need to send out the messages on your behalf. Do not share all the information fields relating to the data subjects if the third party only needs cell phone numbers or email addresses.

Once the organisation has determined the various purposes for which it may want to use the personal information, a further step is required from a POPI point of view. The responsible party has a duty to bring to the attention of the data subject, these defined purposes for processing. The intention is that if I provide my information to your company, I should know for which purposes you are going to use my information. (And if you plan to use it for purposes that I don’t like, and you don’t have a right in law to process it for those reasons, I may object to the processing for that purpose!)

Section 18 provides that reasonably practicable steps must be taken to make the data subject aware of the specific collection and processing of the personal information. This boils down to a question as to what would constitute reasonably practicable steps. The section 18 notification requirements will be discussed in more detail in a future article, but for now it is important to take note of the fact that there could be an obligation to disclose the purposes of use. (Section 18 does allow for some exceptions – again, these would be discussed in future.)

Retention and restriction of records

In terms of section 14:

"Retention and restriction of records.—

(1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—

(a) retention of the record is required or authorised by law;

(b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities;

(c) retention of the record is required by a contract between the parties thereto; or

(d) the data subject or a competent person where the data subject is a child has consented to the retention of the record.

(2) Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes."

In practice, this element relates mostly to the role that management has in ensuring that there are policies and/or procedures in place to categorise the PI collected or processed, and to define the retention periods that apply to the different categories of personal information.

The default position in this regard is that the responsible party ("RP") may only keep PI for the period necessary to achieve the objective for which it was collected, unless one of the exceptions applies, for example if the data subject consents otherwise or another law requires the information to be retained for a specified period.

In practice, organisations should identify the different purposes for which information is collected and processed, and then develop retention policies in accordance with the reasons for which the information was collected. Bear in mind that where another piece of legislation, like the National Credit Act, or FICA, or Companies Act, or tax or labour legislation for example specify a minimum period, the specified period will need to be applied in the retention policy.

In our view, it would mostly be difficult to justify retention for an indefinite period. Even if marketing is the purpose for which the information is being retained, it would be hard to justify why information that was for example collected 10 years ago and not processed in the meantime could still be retained “for marketing purposes”.

Conclusion

Identify the reasons (purpose) for which you are processing personal information. (Also bear in mind that you will probably have to notify data subjects of these reasons.)

When considering your reason for processing, think about the information that you actually need for that particular purpose and don’t ask for or use more information than what is needed.

Only keep information as long as necessary for the purpose. But bear in mind that other legislation may prescribe minimum retention periods that you will still need to adhere to and that you need to build in to your retention policies.

POPI Series: Condition 2 – Lawful Processing

Introduction

In our March Newsletter we discussed the first Condition for lawful processing, namely “Accountability”. In this article, we continue our POPI series with a discussion of the second condition for lawful processing in terms of POPI, namely “Processing Limitation”. This may sound a bit vague…. Our aim is to explain to you in layman’s terms, how this condition should be considered and how it may impact on your business operations.

Condition 2: Processing limitation

This condition hinges on four key requirements: (i) lawfulness of processing; (ii) minimality (you may think this is a strange concept); (iii) consent, justification and objection; and (iv) collection of PI directly from Data Subjects.

Before we start, just a reminder that in our previous discussions, we have already dealt with the definition of the “data subject” (DS), but for ease of reference, note that the data subject is the person to whom PI relates – the one whose PI is being processed. And the “responsible party” (RP) is the one processing the PI.

Lawfulness of processing

Section 9 of POPI provides for the following in relation to lawfulness of processing:

"Personal information must be processed—

(a) lawfully; and

(b) in a reasonable manner that does not infringe the privacy of the data subject.”

What does it mean to process PI “lawfully”? And could a data subject not take a view that each time that PI is being processed there will be an infringement of privacy?

In essence, this requirement comes down to acting in a manner that is “reasonable”. When looking at “lawfulness”, the RP must conduct itself within the confines of the law. In terms of our law, one may not steal. Loosely speaking, this also applies to PI – one cannot “steal” another company’s database and hope not to breach the requirement of lawfulness. It should be obvious that “stealing” a database or information, will be “unlawful”. If one considers POPI as a whole, the responsible party should at all times be able to say that it conducted itself in a manner that would not (reasonably) infringe on the privacy of the DS.

Minimality

In most instances, the question of how much PI is “more than is necessary” will depend on the purpose for which the PI is processed. The default position is that the RP should only collect and/or process as little PI as is necessary to achieve its business objectives. Next month we will discuss “purpose “in more detail, but it is important to understand that the purpose for which PI is collected and processed must be considered at all times and the amount of PI that can “lawfully” be processed, will be considered against the reason why the PI is processed. It simply means that if you only need a name and telephone number, don’t ask for address and ID number just because…. POPI says you must only process what you need to!

Consent, justification and objection

And now we get to the big CONSENT question….

We have previously written on this topic in an article Is consent the beginning and the end? (http://dommisseattorneys.co.za/popi-is-consent-the-beginning-and-the-end/). There is still a lot of confusion in the market around consent. In essence, consent is one of 6 grounds on which a RP can rely to process PI. This means that without consent, a RP can still be seen to process PI lawfully – but only if it can rely on one of the other 5 grounds provided for in this section. (Note that for electronic direct marketing specific rules around consent apply and therefore our consent discussion below does not necessarily apply to electronic direct marketing.)

Section 11 provides the following:

“Consent, justification and objection.—(1) Personal information may only be processed if—

(a) the data subject or a competent person where the data subject is a child consents to the processing;

(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;

(c) processing complies with an obligation imposed by law on the responsible party;

(d) processing protects a legitimate interest of the data subject;

(e) processing is necessary for the proper performance of a public law duty by a public body; or

(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied."

It would often be easy to obtain or infer consent. If I am asked for certain information, and I know exactly what the RP is going to do with my information, and I continue to provide the information requested, surely one can take a view that I have “given consent” for that processing.

The more difficult question to answer would be when can the RP process my PI if I have NOT given consent? Let’s look at some examples when POPI allows processing without consent:

  • If processing is necessary to fulfil a contractual agreement in which the DS is involved [This refers to a situation where the RP has to process my PI in order to perform in terms of a contract with me];
  • If processing is in accordance with the law [This refers to a situation where the law requires from the RP to process my PI. It would be irrelevant whether I consented to it or not – the RP has an obligation in law to do certain things with my PI. Reporting my behaviour to authorities (where a law requires from the RP to report certain behaviour) may be an example of this.];
  • If processing is necessary to protect the legitimate interests of either the RP or a third party [What does "legitimate interest" mean? POPI does not define it, and reliance on this ground will need to be considered very carefully. In our view, an example could be the following: I enter into a credit agreement with company X for a credit facility to purchase clothing on credit. I do not honour my agreement and I am in arrears. Company X did not ask for my consent to trace me and collect the debt that I owe them. Even though they did not obtain my consent, company X can argue that they can (lawfully) trace me and collect the debt from me, because it is in their "legitimate interest" to collect on debt that I owe to them.]

In the event of a data subject challenging the RP whether there was consent or not, the RP will bear the burden of proof, to prove consent. This could be very relevant – particularly for marketers.

So once the DS has given consent, can that consent be revoked? Yes, POPI provides a mechanism in terms whereof a data subject can "object" to processing in certain circumstances. This means that even though (for example) a direct marketing consent was obtained when the DS entered into an agreement with the RP, that DS may at any time request that the marketing stop, basically "objecting" to the processing for the purpose of marketing.

Collection of PI directly from the DS

This requirement provides for a general rule, in terms whereof organisations should collect the PI relating to a particular DS, directly from that DS. As with many other provisions, again some exceptions will apply, meaning that even though PI was not collected directly from the DS as per the general rule, but it was rather collected from a third party, the RP would still be seen to have collected PI in a lawful manner. Let’s look at some examples where collection from another source would be lawful:

  • where PI was made deliberately public by the data subject [This could mean that if I make my PI publicly available to anyone on Facebook, without using any security and privacy settings, I should not have the expectation that no one will collect my PI from Facebook. (Note that the processing of that PI must still comply with POPI, but RPs could collect from this source rather than from me directly.)];
  • there has been a consent to collection from another party [Where I for example consent that company X may share my information with company Y for marketing purposes, company Y can “lawfully” collect my PI from company X (and not from me directly), because I consented to it];
  • where collection from other sources is necessary to protect the legitimate interests of the organisation [Again, one can look at the collections environment: if I owe money to a credit provider that is entitled to collect on the debt, and I have moved address, surely the credit provider can justify that it must collect my updated details from a tracing agency, for example. In this case the credit provider should be able to justify that it was necessary to collect my updated details from a third party in order to protect its legitimate interests.].

Conclusion

Do the right thing. Act in a reasonable manner and collect and process PI in a manner that can be "defended". POPI is not stopping organisations from collecting and processing PI, but it requires everyone to do the reasonable thing. If you can obtain consent, it is advisable to do so. If not, think about what you are doing and make sure you can justify your actions. Business needs to continue as usual, but within the prescribed rules.

POPI Series: Condition 1 – Accountability

Introduction

In our February Newsletter we indicated that we have identified the need to provide our clients with a more detailed discussion on the requirements and Conditions of Lawful Processing as provided for in the Protection of Personal Information Act 4 of 2013 (POPI). Last month we introduced you to our POPI series.

This article is the second of the series and the first article to start specific discussions around the 8 Conditions for Lawful Processing in accordance with POPI requirements.

Accountability

Condition 1 relates to “accountability” of the organization.

In terms of section 8 of POPI:

Accountability

"Responsible party to ensure conditions for lawful processing.—the responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself".

In our view, Accountability is essentially the point of departure in that it provides for a general requirement to take the necessary steps to ensure that all other POPI conditions and requirements are met.

What does “accountability” mean?

“Accountability” is not defined in the Act. Some dictionary definitions include:

  • “The fact or condition of being accountable or responsible”
  • “To give an account or be answerable”
  • “The obligation of an individual or organization to account for its activities, accept responsibility for them, and to disclose the results in a transparent manner.”
  • “Taking or being assigned responsibility for something that you have done or something you are supposed to do.”

From the above it is clear that accountability relates to accepting responsibility by taking ownership, to ensure that the organisation processes personal information in the manner intended by the Act.

Who is accountable in this regard?

In terms of POPI, this responsibility has been put squarely on the shoulders of the person (natural or juristic) whom the Act refers to as the “Responsible Party”. The Act defines “Responsible Party” as follows: “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.

What does it mean practically?

Condition 1 requires from the Responsible Party to ensure that all conditions are complied with from the time the PI is collected up to and including the time of destruction.

How will the RP achieve this?

We believe that although an Information Officer will be appointed for the organisation, it would be best to implement a strategy in terms whereof each department within the business takes responsibility for POPI compliance by that division – being accountable as a business unit.

We furthermore believe that organisations will need to implement measures to keep individuals accountable – meaning that there should be consequences for “not doing what you are supposed to be doing”. For example, if a policy exists (consider something like a clean desk policy for example), the business division will need to take responsibility to ensure (and monitor) that the division actually implements the policy.

Ongoing training will of course also assist with this challenging task to become and remain an organisation that processes personal information in accordance with the POPI principles.

Conclusion

Essentially, appointed individuals within an organisation will be required to take initiative to implement POPI requirements, and ensure that business units comply with requirements through implementing business processes and policies to assist with POPI compliance. As the “person” (responsible party) who makes the decisions around the use of and means for processing personal information, you need to accept accountability to ensure that your organisation processes personal information in a responsible manner and in compliance with the Act.

POPI Series: Introduction

1. INTRODUCTION

In previous newsletters we have touched on some general considerations relating to the Protection of Personal Information Act 4 of 2013 (POPI). We have however identified the need to discuss the POPI requirements in more detail. All clients, whether start-ups, medium-sized businesses or big corporates and listed companies, will need to comply with POPI. This article is therefore the first in a series of POPI articles that will assist you with your POPI compliance project (or, if you have not started a project, get you thinking about what lies ahead).

In this article we explain how POPI differentiates between different “types” of personal information (PI), who the different “role players” are, and what responsibilities each of them has.

2. DIFFERENT TYPES OF PERSONAL INFORMATION

POPI requires that all businesses that “process” “personal information” comply with the requirements prescribed in the Act. What is meant by the two terms “processing” and “personal information”? In terms of the Act, “processing” refers to any use of information by an organisation. This could, for example, include sharing a record, storing it, destroying it, and so on. In essence, whatever form the use of the record takes, it is likely to fall under the umbrella term “processing” in terms of the Act.

Another important definition is of course that of “personal information”. This term refers to any information pertaining to an identifiable person or business, and the Act lists a long series of items that should be considered. You can read the definition yourself, but a few interesting and challenging items are included. By way of example: views or opinions expressed by someone about a person could form part of the personal information record of that person.

The Act differentiates between the following types of PI:

  • “normal or ordinary personal information”, for example:

      o   identity document number, or registration number (if it is a business),

      o   cell or telephone number,

      o   email address,

      o   physical address.

  • “special personal information”, for example:

      o   religious or philosophical beliefs,

      o   race or ethnic origin,

      o   trade union membership,

      o   political persuasion,

      o   health or sex life,

      o   criminal behaviour, or

      o   biometric information.

  • “children’s personal information”:

      o   any information relating to a natural person under the age of 18 years.

What is the reason for the distinction, and why is it important to know whether you process “normal”, “special” or “children’s” PI? Identifying the type of PI that you process matters because different requirements may apply: for special and children’s PI, specific limitations have been imposed that do not necessarily apply to other PI.

3. THE DIFFERENT ROLE PLAYERS

POPI talks about a “data subject”, a “responsible party” and an “operator”. These are terms that we do not often use. So who are they?

The data subject is the person whose PI is being processed. This could be a candidate or employee; a customer or prospect; a vendor or a prospective vendor; or any other person whose PI is being processed by your organisation. Legal entities’ PI also falls within the ambit of POPI, meaning that if you process information relating to an identifiable legal entity, that legal entity is also a data subject.

The responsible party is the one who decides what to do with the information. We often find that clients refer to responsible parties as the ones who “own” the information. An operator, on the other hand, is someone who processes the PI on behalf of the responsible party.

Practical examples would include the following:

  • An employer recruiting employees: The employer who receives candidates’ CVs is the responsible party (the candidate is obviously the data subject). If the employer makes use of a third party’s software during this process and the third-party service provider (or its system) processes the information on behalf of the responsible party, that service provider is the operator. The operator cannot take those CVs and do with them whatever it wants; it may only process them on behalf of the employer.
  • A retailer sending marketing material to its customers: The retailer is the responsible party (deciding to process its customers’ details for marketing purposes) and the customer is the data subject. If, as part of this process, the retailer makes use of a third party to send the actual SMS messages or emails to the customers on its behalf, the third party is the operator. The third party cannot take the customers’ details and use them for any other purpose.

Conclusion

The POPI terminology will not always be easy to understand. We can assist you with the interpretation of the difficult terms and requirements. In previous articles we have referred to the “8 Conditions for lawful processing”. Our next article in this POPI series will discuss the first of the eight Conditions, namely Accountability. Look out for it in our March Newsletter.