NEW SYSTEM TO CURB DEBIT ORDER ABUSE: DEBICHECK

  1. INTRODUCTION

Have any of your customers ever disputed a debit order that was legitimately processed against their bank account in your favour in terms of a debit order mandate? Has your personal bank account ever been debited without your permission? If not, you’ve probably heard of someone who has experienced these rather unfortunate incidents. Well, these disputes will soon be a thing of the past. In this post we set out how the Payments Association of South Africa (“PASA”) plans to put a stop to debit order abuse.

  2. CURB ON DEBIT ORDER ABUSE

Many of us are familiar with the current workings of debit order authorisation. In brief, a service provider who collects its revenue by means of debit orders is required to enter into a written or oral agreement, commonly known as a “debit order mandate”, with customers. A valid debit order mandate serves as proof of consensus between a customer and the service provider for the repeated deduction of an agreed amount from the customer’s bank account. A service provider would request payment from the customer’s bank, based on the authority from the customer.

PASA (the Payments Association of South Africa, a body created by law to organise, manage and regulate the participation of its members in the South African payment system) has been receiving a significant number of complaints relating to debit order abuse by both customers and service providers. While most complaints related to debit orders processed to customers’ bank accounts without valid debit order mandates, some complaints related to debit orders which had been legitimately processed (where the customer disputes a legitimate debit order and has the payment reversed). PASA, mandated by the South African Reserve Bank (“SARB”), has found a solution to this ever-growing problem. PASA has introduced DebiCheck, a new debit order system which will hopefully bring peace of mind to service providers and customers alike.

  3. HOW DEBICHECK WILL OPERATE

In terms of Directive No. 1 of 2017 issued by SARB, the participant (i.e. bank) who is responsible for carrying out the payment instruction from a service provider (i.e. the bank customer’s creditor) must notify its customer (i.e. debtor / the service provider’s customer) of the proposed debit orders before making any deductions against the customer’s account. Customers will be required to approve or reject the proposed debit order and confirm any material information relating to such debit order, such as the service provider’s details, amount to be deducted and the date of debit order. Customers will also be required to re-approve any debit orders when the mandate changes.

According to the Directive, all debit order mandates concluded after the cut-off date (currently 31 January 2019) must comply with these requirements. In other words, these requirements do not apply to debit orders which are already in existence before the cut-off date.

  4. CONCLUSION

Through the DebiCheck system, banks will have a record of all confirmed and rejected debit orders, meaning that no debit order will be loaded by a bank without the customer’s positive authorisation of that debit order. As a result of the consents and rejections being recorded, it is unlikely that there would be debit order abuse on DebiCheck debit orders.

WHEN DOES COMPARATIVE ADVERTISING CONSTITUTE TRADE MARK INFRINGEMENT?

It is unlikely that an organisation can consistently keep its “head above water” without marketing or advertising its products or services. As the ways in which organisations do business evolved, so did the art of advertising. Many businesses make use of a variety of advertising strategies to draw the attention of a larger audience than their respective competitors. One good example of these strategies, which has sometimes proven more effective than others, is “comparative advertising”.

COMPARATIVE ADVERTISING

As the name suggests, comparative advertising is when an advert compares the advertiser’s product/service with that of another party (usually, a competitor). In most cases, this advertising ploy focuses on the comparison of prices, quality and/or durability of the products compared. The rationale behind the use of this strategy is usually to:

  • create the impression that the advertiser’s products or services are of the same or superior quality to the compared products or services, but are being offered at a lower price, and are therefore better value for money; or
  • disparage the quality of the compared products or services.

Whether a comparative advert seeks to put the advertiser’s product on the same footing as that of the compared product/service or to degrade the competitor or its product/service, the overall purpose is to increase the advertiser’s visibility in the market. If the advertiser not only refers to “competitors” in general but refers to them by name or product (specific to the competitor), the question is whether the adverts may infringe the trade mark of the other party whose product is being compared.

TRADE MARK INFRINGEMENT

A trade mark is essentially a registered brand name, slogan or logo with which a person may identify and distinguish his/her products or services from those of others. Provided it is well-known and/or registered with the relevant regulatory body, being the Companies and Intellectual Property Commission in South Africa, the proprietor’s (i.e. the trade mark owner’s) exclusive right to the goodwill of the mark is protected in terms of the Trade Marks Act 194 of 1993 (“the Act”).

Section 34 of the Act is the most relevant section in relation to comparative advertising. In terms of this section, any unauthorised use of a registered trade mark is prohibited. The section also sets out the circumstances under which trade mark infringement may arise. From the provisions of section 34, infringement of this nature can be summarised or classified into three different forms, namely (i) primary infringement, (ii) extended infringement and (iii) infringement by dilution. Discussion of these categories, however, falls outside the purview of this article.

TRADE MARK INFRINGEMENT CAUSED BY COMPARATIVE ADVERTS

In the past, South African courts have been faced with various legal questions around trade mark infringement as a result of comparative advertising and have developed precedent on the matter. Based on that precedent, the current position is that not all comparative adverts have the potential to infringe a trade mark.

The legal developments in relation to trade mark infringement have shown that the question whether an advert constitutes trade mark infringement depends predominantly on the degree of reference intensity used, which means that some adverts will not necessarily amount to infringement. One good example of an advert with low reference intensity would be a claim like “XYZ, the best burgers in town”. This type of advertisement is generally known as a “puffery statement” and is, strictly speaking, not relevant to trade mark law provided it does not contain any marks (trade mark related) which could potentially identify the other party.

Problems normally arise when an advert employs a higher degree of reference intensity. This type of referencing is typically the determining factor of whether an advertisement is lawful/permissible or not. It usually happens in cases where the advertiser employs some form of advertising technique and makes subtle reference to a competing brand rather than explicitly naming or showing the competitor’s product/service. Given the subtle approach and disguise followed, many may be confused as to whether such advertisements do in fact cause infringement. In the decision of De Beers Abrasive Products v International General Electric Co of New York, the court laid down what is regarded as the borderline between a lawful and an unlawful comparative advert. In this case, it was held that the deciding factor in relation to the issue of trade mark infringement hinges on whether a reasonable consumer would identify the competitor against whom a comparative statement has been made and take such statement(s) as being a “serious claim” in comparison. If so, such advertisement may constitute trade mark infringement. When one follows this approach, there is less chance of the advertiser finding him/herself on the wrong side of the law.

The highest level of reference intensity relates to those cases where an advertiser blatantly names and/or shows the competitor’s products/services or trade mark. With regard to this type of referencing, we do not anticipate any difficulties in determining whether infringement arises: the advertiser is highly likely to be at risk.

CONCLUSION

Inasmuch as adverts with a higher level of reference intensity would draw more attention, in most instances they may cause more harm than good to both parties. The better approach from a risk point of view would be to keep your comparison with other parties’ products to a minimum, or alternatively to use the so-called own-price referencing/comparison.

PRODUCT LIABILITY: IS THE SUPPLIER LIABLE FOR HARM SUFFERED BY A CONSUMER?

In a previous article entitled “The responsibility of a supplier to conduct a consumer product safety recall”, we dealt with various matters around product safety recalls. As a follow-on to that, this article deals with the concept of “product liability”, which goes hand-in-hand with “product safety recall”.

INTRODUCTION

From as far back as the early days of the Romans, a plethora of claims for damage suffered or loss incurred as a result of defective or unsafe goods or products have been a part of the ever-evolving legal fraternity. These claims ranged from a claim against a horse-drawn coach manufacturer, to a claim against a man who sold a diseased horse which later died in the possession of the buyer, and anything in between. To date, product liability claims are still a feature of most legal systems around the world, including South Africa.

PRODUCT LIABILITY

In essence, the concept of “product liability” refers to a supplier’s liability towards a consumer or third party for damage suffered or loss incurred as a result of defective or unsafe goods/products supplied by the supplier.

Product liability is regulated by the Consumer Protection Act 68 of 2008 (the “CPA”). As the name suggests, the main objective of the CPA is to regulate relations between the supplier and the consumer. In line with that objective, the provisions of the CPA relating to product liability focus on regulating the relationship between the supplier (i.e. manufacturer, designer, distributor or retailer) and the consumer, rather than between suppliers themselves.

SUPPLIER’S LIABILITY FOR HARM SUFFERED BY A CONSUMER

Until the inception of the CPA, claims arising from damage suffered or loss incurred by a consumer or third party as a result of a defective product were regulated by our common (i.e. uncodified) law. As such, liability for such damage or loss could only be determined in terms of the common law of delict. Given the burden an aggrieved party is required to discharge in order to succeed with a delictual claim, it was often difficult for many consumers to successfully prove their claims in this regard.

To plug this gap, the Legislature introduced a different approach with regards to the consumer’s burden of proof through the CPA. In terms of section 61 of the CPA, a supplier may be held liable to a consumer for any damage or loss arising from (i) the supply of a defective/unsafe product or (ii) where damage or loss arises from the supplier’s failure to provide adequate information relating to the risks associated with the use of a product. The main benefit to the consumer lies in the fact that the supplier may be held liable regardless of whether it (the supplier) was negligent or not.

Consideration of whether there is any probability of success in a claim in terms of section 61 hinges on the following three questions:

  • whether goods and/or services as defined in the CPA are involved;
  • if so, whether the person (against whom the claim has been instituted) is in fact a “supplier” as defined in the CPA; and
  • whether the claimant suffered harm as a result of defective goods supplied by such supplier.

CONCLUSION

The purpose of this article is to provide insight into the supplier’s liability towards the consumer for damage or loss arising from the supply of defective goods/products, and it should not be considered as advice.

In our last article of this series, we will discuss some aspects around whether the role-players in the supply chain can decide, among each other, who will be liable to the consumer.

THE RESPONSIBILITY OF A SUPPLIER TO CONDUCT A CONSUMER PRODUCT SAFETY RECALL

Introduction

The Consumer Protection Act 68 of 2008 (“CPA” or “the Act”) establishes certain rights applicable to all consumers when purchasing goods (and services) for their personal use. The Act sets out, amongst others, that consumers have the right to fair value, good quality and safety, as well as an implied warranty of quality.

The implied warranty of quality warrants that the goods comply with the requirements of being of good quality, durable, and safe for the use as advertised or designed. Where goods are of inferior quality, unsafe or defective, the consumer may return the product and the supplier is obliged to repair, refund or replace the failed, defective or unsafe product.

Consumers have a further right to have goods monitored for safety and recalled when such goods or components of such goods are hazardous, unsafe or defective. The Consumer Product Safety Recall Guidelines (“Recall Guidelines”) have been drafted in terms of the CPA to provide further detail for such instances and set out the procedure to be followed where products are to be recalled.

Hazardous products

Whilst suppliers would take necessary steps to ensure that their product is manufactured or produced in line with the required design and/or material specification, the reality is that there may be some unforeseen occurrences where manufacturing/production lines may deviate from such design or material specifications. In such cases, a product may be identified as unsafe where it presents health or safety hazards to the public. However, in some instances, a consumer product may also be identified as unsafe to consumers irrespective of whether there was a manufacturing or production error. The deciding factor is whether the product poses health or safety hazards to the public.

The CPA doesn’t clearly unpack the term “hazard”, but generally, a supplier’s product may be identified as presenting a health or safety hazard where such product has the potential to cause the following:

  • injury;
  • illness;
  • death;
  • loss of, or physical damage to, any property; or
  • any economic loss as a result of any of the above.

Product safety recalls

In terms of the CPA and the Recall Guidelines, a supplier is required to, among other things, conduct a consumer product safety recall where a product poses a health or safety hazard. In essence, a consumer product safety recall is a process whereby a supplier is required to remove all affected product(s) from production, the supply chain and any point of sale. In terms of section 5(5) of the CPA, these Recall Guidelines apply to all goods supplied in South Africa, regardless of whether the transaction for the supply of such goods is subject to the CPA or not.

In 2012, the National Consumer Commission (“NCC”) published the Recall Guidelines detailing, among other things, the procedural steps to be followed by suppliers when conducting a product recall. In terms of the Recall Guidelines, a supplier may voluntarily initiate a safety recall. Where a supplier fails to voluntarily conduct a safety recall, the NCC may issue a written notice to the relevant supplier ordering it to conduct such safety recall.

Irrespective of whether a supplier voluntarily conducts the safety recall or is ordered to do so, a supplier is required to ensure that the procedural steps, as briefly set out below, are followed:

  • assess the risk;
  • cease distribution of the product;
  • notify the NCC;
  • notify consumers;
  • facilitate returns.

In order to comply with the above-mentioned procedural steps and to avoid any penal sanctions, a supplier may be required to prepare and put in place some form of policy document(s) in anticipation of a product recall becoming necessary in the future.

Conclusion

As with non-compliance with the provisions of the CPA in general, non-compliance with sections 60 and 61 of the CPA and the Recall Guidelines may have dire consequences. Suppliers may be declared to have engaged in prohibited conduct, and an administrative fine of up to R1 million or 10% of their annual turnover for the preceding financial year may be imposed.

Closely linked to the topic of safety recalls, our next article on the CPA will deal with the concept of “product liability”. For any further details on this topic, please do not hesitate to contact us.

The Edcon Ruling: What to take away from it

1. BACKGROUND

Credit providers assist customers who cannot afford to make all payments in cash. In return for the risk they take, they are allowed to charge certain costs and fees. When credit agreements fall within the ambit of the National Credit Act 34 of 2005 (“NCA” or “the Act”), the Act imposes maximum limits on these fees. Irrespective of the type of credit agreement, section 101 of the NCA provides a closed list of the fees that a credit provider may charge the consumer in relation to a credit agreement. These fees include, amongst others, initiation fees, service fees, interest, credit insurance and/or default administration charges.

2. INTRODUCTION

It has become common practice for retailers to make membership clubs available to consumers in exchange for a monthly “membership/club fee”. Typically, when a consumer becomes a club member, he or she would earn points or similar consideration for different reasons, such as a percentage of the purchase price being earned in points. Depending on the type of club joined and/or the number of points earned by that club member, he or she would be entitled to convert his or her points into some form of benefit or product (for example, entertainment, travel, spa, gym etc.). For credit providers who want to offer similar “clubs” there is a challenge in that the NCA does not provide for this kind of “club fee”.

3. THE EDCON RULING

More recently, the National Credit Regulator (“NCR”) started to investigate this business practice and focused on a well-known credit provider retailer: Edcon Holdings Limited (“Edcon”). Following the investigation, the NCR initiated action against Edcon by referring the matter to the National Consumer Tribunal (“NCT”), seeking an order declaring that Edcon had, among other things, repeatedly contravened the provisions of the NCA relating to prohibited charges by charging a fee not allowed for in the NCA.

The NCT considered the matter from a broader legal perspective, namely whether the NCA allows a credit agreement to contain any fee or charge other than those permitted by the NCA. Edcon argued that the club membership was a stand-alone product, not intended to be part of the credit agreement.

As a starting point, the NCT concluded that the NCA unambiguously prohibits credit providers from charging any fee or charge other than those listed in and provided for in the Act. The NCT found that Edcon was not allowed to charge its credit customers any fee or charge other than those permitted by the NCA and could therefore not charge the club membership fees. In conclusion, it was held that, by doing so, Edcon had engaged in repeated prohibited conduct in terms of the NCA.

The NCT emphasised that the business practice of charging “membership/club fees” is explicitly prohibited by the NCA and that any credit provider who does business in this way may face dire consequences. From a perusal of the ruling, the likely consequences that Edcon faces may include being directed to refund consumers charged club and membership fees from 2007 to date and/or an administrative fine. According to media reports, Edcon has indicated that it will appeal the ruling.

4. CONCLUSION

The above ruling raises a red flag to many credit providers or credit retailers who may be involved in similar business practices. Retailers should take the following away from this ruling:

  • irrespective of whether customers voluntarily choose to purchase this type of (club) product, a membership/club fee may be seen as a cost of credit if it is inseparably linked to a credit agreement; and
  • review your credit agreements to ensure you do not include any provisions or charges not allowed in terms of the NCA.

Please note that not all club memberships will fall within the ambit of this ruling, and club structures will need to be considered on a case-by-case basis. Please do not hesitate to contact us should you have any queries.

POPI SERIES – CONDITION 8 – DATA SUBJECT PARTICIPATION

We are coming to the end of our POPI series. The first seven POPI Conditions for Lawful Processing have been discussed in detail in our previous articles, and this month it is time for a discussion of the eighth and final condition: Data Subject Participation. This condition comprises three elements, namely (i) access to personal information, (ii) correction of personal information and (iii) the manner in which the personal information is accessed.

Applicable POPI sections and commentary

The relevant sections of POPI applicable to “data subject participation” have been reproduced below with our commentary:

Access to Personal Information

Section 23: “Access to personal information.—

(1) A data subject, having provided adequate proof of identity, has the right to—

(a) request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and

(b) request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—

(i) within a reasonable time;

(ii) at a prescribed fee, if any;

(iii) in a reasonable manner and format; and

(iv) in a form that is generally understandable.

(2) If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.

(3) If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1) (b) to enable the responsible party to respond to a request, the responsible party—

(a) must give the applicant a written estimate of the fee before providing the services; and

(b) may require the applicant to pay a deposit for all or part of the fee.

(4) (a) A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.

(b) The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.

(5) If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4) (a), every other part must be disclosed.”

Commentary to Section 23 above:

  1. Data subjects have a right to access their personal information records and receive copies of these records. This right is not, however, unlimited. A responsible party will have some discretion as to the process to be followed in allowing data subjects to request access to their information, as well as the means through which the data subject will be obliged to identify him/herself before being given access to their personal information. One method of regulating these requests may be through a responsible party’s PAIA manual or a similar ‘personal information request document’.
  2. If it appears that a responsible party is indeed in possession of certain information about a data subject, the data subject may request that responsible party to provide him or her with a record of this information.
  3. Within that record provided to the data subject, the responsible party will have to bring to the attention of the data subject that it has the right in terms of section 24 to request a correction to such information.
  4. Depending on the costs that a responsible party may have incurred or anticipates incurring in the process of providing the above information to the data subject, the responsible party may request the data subject for reimbursement therefor.
  5. Where the provisions of the Promotion of Access to Information Act 4 of 2000 (“PAIA”) so permit, a responsible party may refuse to disclose particular information to the data subject. If, however, such right to refuse relates only to certain information, the remaining information (in respect of which PAIA permits disclosure) must be disclosed to the data subject.

Correction of Personal Information

Section 24: “Correction of personal information.—

(1) A data subject may, in the prescribed manner, request a responsible party to—

(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

(b) destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.

(2) On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—

(a) correct the information;

(b) destroy or delete the information;

(c) provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or

(d) where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.

(3) If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.

(4) The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.”

Commentary to Section 24 above:

  1. After receiving a record of personal information from a responsible party in terms of section 23, a data subject may request the deletion or correction of such personal information.
  2. Any request made by a data subject should be made on the basis of the personal information in question being inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
  3. If the data subject has requested the deletion or correction of his or her personal information in accordance with sections 23 and 24, the responsible party may do so. Alternatively, it may provide the data subject with credible evidence in support of the personal information, or, where agreement cannot be reached and the responsible party believes it is entitled to retain the personal information, there may be circumstances in which a kind of disclaimer is attached to the information, informing users that a correction to this information has been requested but not made.
  4. If a responsible party has changed information in relation to a data subject, and this change has an impact on decisions that have been or will be taken in respect of that data subject, the responsible party must (if reasonably practicable) inform each person to whom that personal information has been disclosed of such change.

Manner of Access

Section 25: “Manner of access.—

The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section 23 of this Act.”

Commentary to Section 25 above:

  1. This section provides that the data subject may make use of the relevant provisions in PAIA to make a request for personal information in terms of section 23 of POPI.
  2. In each PAIA request for personal information, there will need to be a procedure through which the responsible party appropriately identifies the data subject as the person to whom the relevant personal information relates.

Conclusion

Essentially, POPI’s Condition 8 aims to ensure practical and accessible transparency for data subjects in the processing of personal information. This transparency demands that a responsible party allows a data subject to have a say in the processing of the personal information in the possession or under the control of such responsible party. Ultimately, this all boils down to a responsible party’s responsibility to maintain up-to-date information registers and implement suitable controls, so that it is able to easily (i) identify what personal information is in its possession or under its control; (ii) identify to whom that personal information relates; and (iii) update such personal information.

POPI SERIES – CONDITION 7 – INFORMATION SECURITY

INTRODUCTION

The purpose of the Protection of Personal Information Act 4 of 2013 (“POPI”) is not to prohibit the processing of Personal Information (“PI”) per se. One of the purposes of POPI is rather to regulate the processing of PI, including by prescribing that organisations must implement appropriate safeguards to ensure that the PI processed is protected and secured.

This month our focus is on Condition 7, which pertains to Security Safeguards. In essence, this condition requires organisations to secure the integrity and confidentiality of all PI in their possession or under their control. This is to be achieved by implementing appropriate and reasonable security measures.

RELEVANT POPI SECTIONS

We will discuss the practical implications in the next paragraph below; our high-level comments on the POPI sections appear in square brackets.

Section 19:

“Security measures on integrity and confidentiality of personal information.—

(1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

(a) loss of, damage to or unauthorised destruction of personal information; and

(b) unlawful access to or processing of personal information. [This is the general obligation on the responsible party to take steps to secure personal information.]

(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to—

(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

(b) establish and maintain appropriate safeguards against the risks identified;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. [This is a continual obligation to identify security risks on an ongoing basis and implement measures to reduce risks so identified.]

(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.” [POPI does not provide a “tick list” of security requirements to meet. Responsible parties must consider applicable industry security practices and then implement security measures appropriate for the business.]

Section 20:

“Information processed by operator or person acting under authority.—

An operator or anyone processing personal information on behalf of a responsible party or an operator, must—

(a) process such information only with the knowledge or authorisation of the responsible party; and

(b) treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.” [This is the limitation on operators – they may not use personal information received from the responsible party for their own purposes outside of the scope of the contract with the responsible party.]

Section 21: Security measures regarding information processed by operator.—

(1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19. [There is a duty on the responsible party to regulate the relationship with the operator by written contract.]

(2) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person. [Operators to note this duty to report unauthorised access.]

WHAT DOES ALL OF THIS MEAN IN PRACTICE?

Different requirements will need to be considered, depending on whether you are acting as a responsible party or as an operator.

As a responsible party you will have an ongoing obligation to safeguard the PI in your possession from being unlawfully destroyed, unlawfully accessed, lost or damaged. This obligation requires your organisation to have reasonable technical and organisational measures in place to protect PI under your control or in your possession. Organisational and technical measures include, for example, measures that restrict unauthorised individuals from entering your premises, and controls that restrict access rights and the usage of your networks, devices, etc.

There is also an ongoing obligation on organisations to identify new risks. These should be prioritised according to the threat posed.

Practical controls or processes in response to the risks identified could include the following:

  • Review of access rights on an ongoing basis;
  • Ownership for PI;
  • Physical access controls;
  • Computer/ device passwords;
  • Firewalls;
  • Encryption;
  • Remote destruction;
  • Anti-virus programs;
  • Exit process.

Most organisations have been implementing some of these measures to secure PI long before POPI was even enacted. Condition 7 of POPI will require organisations to review their current processes and implement additional processes where gaps are identified.

If your organisation outsources any functions involving the processing of personal information to a third-party operator, you will still remain responsible for the processing of the PI. You also have the obligation in terms of POPI to regulate your relationship with the operator by way of a written contract, to ensure that the operator provides the service in accordance with POPI requirements.

In terms of POPI there is a duty on responsible parties to regularly consider whether there are any new risks and then implement processes to address the risks identified.

As an operator, it is very important to understand that you cannot do as you please with the personal information received from the responsible party. The responsible party, as the custodian of the information, will authorise you to use the information only for the purposes of the service that you are rendering to the responsible party. You cannot use the information for any of your own purposes.

WHAT HAPPENS IF THERE IS A SECURITY BREACH?

In terms of POPI you cannot keep quiet and hope that no one will ever find out. The law puts an obligation on you to report the breach.

In terms of section 22: Notification of security compromises.—

(1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—

(a) the Regulator; and

(b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.

The law also determines that the notification to the data subject must be in writing and communicated in one of the following ways:

  • mailed to the data subject’s last known physical or postal address;
  • sent by e-mail to the data subject’s last known e-mail address;
  • placed in a prominent position on the website of the responsible party;
  • published in the news media; or
  • as may be directed by the Regulator.

The following information needs to be disclosed in the notification:

  • a description of the possible consequences of the security compromise;
  • a description of the measures that the responsible party intends to take or has taken to address the security compromise;
  • a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  • if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.

CONCLUSION

In preparation for POPI you should consider your current processes, access rights and security measures. It is likely that some of these will need to be reviewed and new processes implemented to ensure compliance. Remember that POPI does not provide a defined list of measures to implement, so consider applicable industry standards and make sure that you can comply with this important Condition 7.

POPI SERIES – CONDITION 6 – OPENNESS

Introduction

We have now passed the halfway mark of our POPI Series, and the next exciting topic in the series is that of “Openness” or “Notification”. In our view, Notification is one of the most challenging provisions of POPI. This condition will most definitely require responsible parties to change current processes and possibly develop new processes to ensure compliance.

In this article, we are going to try and focus on the practical implementation of this condition.

This condition is premised on two primary elements, namely:

  • Documentation; and
  • Notification to the Data Subject.

This condition must not be confused with the “prior notification” sections (sections 57 and 58), in terms of which a responsible party needs to notify the Information Regulator of certain processing actions before it can process the personal information. This will be discussed in a separate article in future.

Relevant sections and practical implications.

Let’s first look at the requirements of section 17:

“Documentation.—

A responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.”

In terms of this section, a responsible party must consider the provisions of sections 14 or 51 of the Promotion of Access to Information Act 2000 (“PAIA”). Note that for private bodies, section 51 will apply. In terms of section 51 of PAIA certain private bodies need to disclose specified information through a manual – generally referred to as a PAIA Manual. Note that POPI will be amending the PAIA to provide for additional information that must be included in a company’s PAIA manual.

It is not difficult to comply with section 17, but responsible parties must remember to amend their PAIA manuals to include the required information.

Now we turn to the provisions of section 18, which will be more challenging to comply with.

“Notification to data subject when collecting personal information.—

(1) If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—

(a) the information being collected and where the information is not collected from the data subject, the source from which it is collected;

(b) the name and address of the responsible party;

(c) the purpose for which the information is being collected;

(d) whether or not the supply of the information by that data subject is voluntary or mandatory;

(e) the consequences of failure to provide the information;

(f) any particular law authorising or requiring the collection of the information;

(g) the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;

(h) any further information such as the—

(i) recipient or category of recipients of the information;

(ii) nature or category of the information;

(iii) existence of the right of access to and the right to rectify the information collected;

(iv) the existence of the right to object to the processing of personal information as referred to in section 11 (3); and

(v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

(2) The steps referred to in subsection (1) must be taken—

(a) if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or

(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

(3) A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.

(4) It is not necessary for a responsible party to comply with subsection (1) if—

(a) the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;

(b) non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;

(c) non-compliance is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

(iii) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or

(iv) in the interests of national security;

(d) compliance would prejudice a lawful purpose of the collection;

(e) compliance is not reasonably practicable in the circumstances of the particular case; or

(f) the information will—

(i) not be used in a form in which the data subject may be identified; or

(ii) be used for historical, statistical or research purposes.”

From the above it follows that, in terms of this condition, a responsible party has an obligation to notify a data subject of certain specified information each time that information about the data subject is collected, from whichever source, unless the responsible party can rely on one of the exceptions to the general rule, in which case the responsible party must be able to justify why notification is not necessary.

Why did the legislator include this section? Compliance with this section will clearly be very onerous on business and could also be a costly exercise.

We believe that some of the main reasons for including this section are the following:

  • Currently information flows between companies without data subjects ever realising what is happening with their information.
  • Data subjects provide their personal information to companies for specific reasons, but companies often take the information and do with it whatever they want to – including using it for reasons that would never have been intended by the data subject.
  • Data subjects do not know which companies hold their personal information.

In terms of section 18, companies will therefore need to inform data subjects of the reasons for which they would use the data subject’s information. They also need to inform them of the types of companies with whom the personal information will be shared, including where information will be shared with third-party service providers who will have access to the information or receive the information for processing on behalf of the responsible party.

When do you need to notify data subjects? According to POPI, if you collect the information directly from the data subject, this must happen before you collect it; if you do not collect it directly from the data subject, it must happen before you collect it or as soon as reasonably possible after you have collected it.

How do you need to notify the data subject? POPI does not provide exact details on how this notification needs to take place. Once the Regulator has been set up, we may get a better idea of the expectations around ways to notify. Currently it seems that the most popular way would be to include the information in privacy policies. This is not a no-go, but without the data subject knowing about the privacy policy and the notification information provided through the policy, it may have little effect. The proposed solution is to include a specific reference to the policy in your customer terms, application forms or other applicable documentation, and then include the majority of the required information in the actual policy.

By far the biggest challenge will come in where information is not collected directly from the data subject. This happens on a daily basis and a few examples include:

  • Collecting information about a relative / friend of your customer
  • Collecting information from the credit bureau
  • Collecting information from third party data suppliers
  • Collecting information from fraud databases
  • Collecting information from other companies within your group of companies
  • Collecting information from business partners

As you would have seen from subsection (4) quoted above, in some instances you do not need to comply with the notification requirements. We however urge businesses to consider the exceptions very carefully and not flippantly rely on something like “it is not reasonably practicable” to notify without properly determining whether it would really be possible to rely on the exception. To merely take the view that it would be “very costly” to comply is unlikely to be “good enough” to justify non-compliance.

Conclusion

It’s evident that the POPI conditions or requirements are closely connected to one another. Notification, for example, links in with purpose specification. In terms of Condition 3, you need to specify the purposes for which you intend to use the personal information. In terms of Condition 6, you need to tell the data subject what the purposes are that you identified in terms of Condition 3.

Remember to update your PAIA manual to include the required information in terms of POPI.

Consider all situations where you collect personal information and consider how you will notify. You may be able in some instances to rely on an exception and decide not to notify. Document those decisions and explain your justification for record purposes.

For any assistance with this challenging condition, please contact Jana van Zyl at jana@dommisseattorneys.co.za

POPI SERIES CONDITION 5 – INFORMATION QUALITY

  1. INTRODUCTION

Let’s recap: we have previously discussed Conditions 1-4 of the Protection of Personal Information Act 4 of 2013 (“POPI”), dealing with Accountability, Lawful Processing, Purpose Specification and Further Processing Limitations. In this month’s POPI series, we are going to discuss Condition 5, which deals with Information Quality.

  2. INFORMATION QUALITY IN TERMS OF POPI

In terms of section 16:

“Quality of information—

(1) A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

(2) In taking the steps referred to in subsection (1), the responsible party must have regard to the purpose for which personal information is collected or further processed.”

In terms of this Condition 5, a responsible party is required to take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary. This requirement is applicable to personal information collected both manually and electronically. POPI does not provide further details on what reasonably practicable steps would mean and therefore each business will need to consider its operations and decide which steps and processes it would implement to reasonably keep personal information updated.

In terms of subsection (2), the purpose of collection and processing must be considered when deciding on the steps to be taken to update information. This is an example of how the POPI Conditions work together – purpose specification is an obligation in terms of Condition 3 but should also be considered for compliance with Condition 5. In essence the decision of the responsible party in relation to the quality of the personal information as well as the reasonably practicable steps to be taken is directly linked to the purpose for which the personal information was collected.

Data subjects should also take responsibility and could be requested to advise responsible parties of a change in their details where applicable. This could, for example, be regulated with the data subject (if it is a customer) in the customer contract or in general user terms and conditions.

Other examples of possible processes to update information include call centre interaction (each time you speak to the customer, ask whether their details have changed) or providing online access to customer accounts (if your business allows for this), through which the customer, after logging in, can update their own details.

  3. CONCLUSION

In order for organisations to comply with the requirements of Condition 5, they would firstly need to identify the purpose for which they intend to use the information, and then implement reasonable processes through which data subjects can update their information where required.

POPI SERIES: CONDITION 4 – FURTHER PROCESSING LIMITATIONS

We are moving right along in connecting the dots between Conditions 1 to 8 of the Protection of Personal Information Act 4 of 2013 (“POPI”). In our previous POPI Series articles, we discussed POPI Conditions 1, 2 and 3 in more detail, which relate to Accountability, Lawful Processing and Purpose Specification respectively. This month, we are going to discuss Condition 4, which relates to Further Processing Limitations.

In previous articles we have emphasised the importance of knowing the reason (the purpose) for which a responsible party is collecting and using personal information (“PI”). It is vitally important for a responsible party to define the purpose for processing initially, when the PI is collected, because in terms of POPI any “further processing” of the PI must “link in” with that initial reason (purpose) for which the PI was collected.

POPI allows responsible parties to “further process” PI provided that the further processing is within the parameters of the POPI provisions. The general rule is that the further processing must be in accordance with or compatible with the purpose for which it was collected the first time (section 15(1)). POPI does not provide a defined list of what will constitute “compatibility”.

In practical terms this means that you cannot collect personal information for a specifically defined purpose and then use it for a purpose that is not linked to the original purpose at all. By way of example: as lawyers, we collect information about our clients. If we collect information for purposes of a specific brief, we could possibly argue that, if the client returns after a period of time with another brief, the information collected the first time could be used under the “further processing” provisions of POPI, because the two reasons for processing are closely linked (both being for purposes of assisting with a legal brief, even though the two briefs have nothing to do with one another).

If, however, we collect the information for the first brief from the client (client 1) and we know that another client (client 2) would be very interested to meet with client 1 or to use client 1’s information for its own purposes, and we pass on client 1’s information to client 2, this processing action would not be linked to the original purpose for which client 1 provided his information, and we would fall foul of the further processing provisions of POPI.

So how do we determine whether the further processing is compatible with the original purpose or not?
POPI does not provide a defined list of what will constitute “compatibility”. It rather answers the question in the negative, to indicate when the processing would “not be incompatible”. The test for compatibility is set out in section 15(3) of POPI. I add my comments to the lawyer example above in square brackets to explain the concept:

Section 15: Further processing to be compatible with purpose of collection.—

(1) Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of section 13.

(2) To assess whether further processing is compatible with the purpose of collection, the responsible party must take account of—

(a) the relationship between the purpose of the intended further processing and the purpose for which the information has been collected; [Initial purpose was to assist the client with the legal brief. The secondary purpose is to share his information with an unknown (to him) third party for the third party’s purposes.]

(b) the nature of the information concerned; [Possibly not that relevant, but could be very personal in nature.]

(c) the consequences of the intended further processing for the data subject; [Depending on what the third party wants to do with it, consequences may not sit well with client 1.]

(d) the manner in which the information has been collected; [Would have been with (implied at least) consent to use it for purposes of assisting with the legal brief and the relationship between the attorney and client in general.] and

(e) any contractual rights and obligations between the parties. [Contract would have covered the instruction to the lawyer to assist with the legal brief.]

(3) The further processing of personal information is not incompatible with the purpose of collection if—

(a) the data subject or a competent person where the data subject is a child has consented to the further processing of the information; [No consent from the client to pass on the information.]

(b) the information is available in or derived from a public record or has deliberately been made public by the data subject; [Not applicable.]

(c) further processing is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences; [Not applicable.]

(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997); [Not applicable.]

(iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; [Not applicable.] or

(iv) in the interests of national security; [Not applicable.]

(d) the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to—

(i) public health or public safety; or

(ii) the life or health of the data subject or another individual; [Not applicable.]

(e) the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; [Not applicable.] or

(f) the further processing of the information is in accordance with an exemption granted under section 37. [Not applicable.]

CONCLUSION: As can be seen from the above example, the intended further processing to share the information with a third party (client 2) will not meet the requirements of section 15 and the further processing will not be allowed in terms of POPI.

Each time that a responsible party intends to “further process” personal information, the responsible party should therefore assess whether the further processing is “compatible” with the original purpose for which it was collected by using the factors listed in section 15.

Below follows a more detailed discussion of the grounds listed in section 15(3), on which the responsible party can argue that the further processing is not incompatible with the original purpose for processing:

Consent
If the data subject consents to the further processing, the responsible party can further process it. Applying it to our lawyer case study: if the lawyer phones the client and obtains his consent to pass on the client’s information to the third party (client 2), there would be no problem.

Public record
Further processing is allowed if the information is available in or derived from a public record OR has deliberately been made public by the data subject (for example, on Facebook).
Section 1 defines a “public record” as a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body.

Maintenance of the law
If the further processing is necessary for purposes of maintenance of the law, to comply with legislation, for the conduct of court proceedings, or if it is in the interests of national security, it will be allowed. If for example the client in our case study wanted to settle the lawyer’s bill of R 100 000 in cash, the lawyers have a duty in law to report this to the relevant authorities, and that further processing action to report it (without consent from the client) would indeed be allowed.

Health or safety threat
If the further processing is necessary to prevent or mitigate a threat to public health or safety or the life/health of the data subject or another individual, further processing is allowed. If for example the client in the case study needed urgent medical treatment in a situation where his life was in danger, the lawyers would be able to argue that sharing the personal information with medical staff (if this could ever be relevant) would be justified under this exception.

Historical, statistical and research purposes
Further processing is allowed for these purposes, provided that the information is not in identifiable form.

Regulator exemption
The further processing will be allowed if it is in accordance with an exemption that was granted by the Information Regulator (once established). This could be where the further processing is necessary for public interest purposes and an exemption was granted.

Conclusion

From a compliance perspective, the data subject must know the purposes for which a responsible party will be collecting and using the PI. If the business did not obtain explicit consent from the data subject at the time of collection for the specific future processing activity for which it wishes to use the PI, the business must assess the “compatibility” of the further processing as outlined above. Responsible parties will have to consider the steps above and determine on a case-by-case basis (based on the facts) whether further processing will be compatible or not.