In our March Newsletter we discussed the first Condition for lawful processing, namely “Accountability”. In this article, we continue our POPI series with a discussion of the second condition for lawful processing in terms of POPI, namely “Processing Limitation”. This may sound a bit vague…. Our aim is to explain to you in layman’s terms, how this condition should be considered and how it may impact on your business operations.
Condition 2: Processing limitation
This condition hinges on four key requirements: (i) lawfulness of processing; (ii) minimality (you may think this is a strange concept); (iii) consent, justification and objection; and (iv) collection of PI directly from Data Subjects.
Before we start, just a reminder that in our previous discussions, we have already dealt with the definition of the “data subject” (DS), but for ease of reference, note that the data subject is the person to whom PI relates – the one whose PI is being processed. And the “responsible party” (RP) is the one processing the PI.
Lawfulness of processing
Section 9 of POPI provides for the following in relation to lawfulness of processing:
“Personal information must be processed—
(a) lawfully; and
(b) in a reasonable manner that does not infringe the privacy of the data subject.”
What does it mean to process PI “lawfully”? And could a data subject not take a view that each time that PI is being processed there will be an infringement of privacy?
In essence, this requirement comes down to acting in a manner that is “reasonable”. When looking at “lawfulness”, the RP must conduct itself within the confines of the law. In terms of our law, one may not steal. Loosely speaking, this also applies to PI – one cannot “steal” another company’s database and hope not to breach the requirement of lawfulness. It should be obvious that “stealing” a database or information, will be “unlawful”. If one considers POPI as a whole, the responsible party should at all times be able to say that it conducted itself in a manner that would not (reasonably) infringe on the privacy of the DS.
In most instances, the question of how much PI is “more than is necessary” will depend on the purpose for which the PI is processed. The default position is that the RP should only collect and/or process as little PI as is necessary to achieve its business objectives. Next month we will discuss “purpose “in more detail, but it is important to understand that the purpose for which PI is collected and processed must be considered at all times and the amount of PI that can “lawfully” be processed, will be considered against the reason why the PI is processed. It simply means that if you only need a name and telephone number, don’t ask for address and ID number just because…. POPI says you must only process what you need to!
Consent, justification and objection
And now we get to the big CONSENT question….
We have previously written on this topic in an article Is consent the beginning and the end? (http://dommisseattorneys.co.za/popi-is-consent-the-beginning-and-the-end/). There is still a lot of confusion in the market around consent. In essence, consent is one of 6 grounds on which a RP can rely to process PI. This means that without consent, a RP can still be seen to process PI lawfully – but only if it can rely on one of the other 5 grounds provided for in this section. (Note that for electronic direct marketing specific rules around consent apply and therefore our consent discussion below does not necessarily apply to electronic direct marketing.)
Section 11 provides the following:
“Consent, justification and objection.—(1) Personal information may only be processed if—
(a) the data subject or a competent person where the data subject is a child consents to the processing;
(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
(c) processing complies with an obligation imposed by law on the responsible party;
(d) processing protects a legitimate interest of the data subject;
(e) processing is necessary for the proper performance of a public law duty by a public body; or
(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
It would often be easy to obtain or infer consent. If I am asked for certain information, and I know exactly what the RP is going to do with my information, and I continue to provide the information requested, surely one can take a view that I have “given consent” for that processing.
The more difficult question to answer would be when can the RP process my PI if I have NOT given consent? Let’s look at some examples when POPI allows processing without consent:
- If processing is necessary to fulfil a contractual agreement in which the DS is involved [This refers to a situation where the RP has to process my PI in order to perform in terms of a contract with me];
- If processing is in accordance with the law [This refers to a situation where the law requires from the RP to process my PI. It would be irrelevant whether I consented to it or not – the RP has an obligation in law to do certain things with my PI. Reporting my behaviour to authorities (where a law requires from the RP to report certain behaviour) may be an example of this.];
- If processing is necessary to protect the legitimate interests of either the RP or third party [What does “legitimate interest” mean? POPI does not define it and reliance on this exception will need to be considered very carefully. In our view, an example could be the following: I enter into a credit agreement with company X for a credit facility to purchase clothing on credit. I do not honour my agreement and I am in arrears. Company X did not ask for my consent for them to trace me and collect on debt that I owe them. Even though they did not obtain my consent, company X can argue that they can (lawfully) trace me and collect debt from me, because it is in their “legitimate interest” to collect on debt that I owe to them.]
In the event of a data subject challenging the RP whether there was consent or not, the RP will bear the burden of proof, to prove consent. This could be very relevant – particularly for marketers.
So once the DS has given consent, can that consent be revoked? Yes, POPI provides for a mechanism in terms whereof a data subject can “object” to processing in certain circumstances. This means that even though (for example) a direct marketing consent was obtained when the DS entered into an agreement with the RP, that DS may at any time request that marketing to stop – basically “objecting” to the processing for the purpose of marketing.
Collection of PI directly from the DS
This requirement provides for a general rule, in terms whereof organisations should collect the PI relating to a particular DS, directly from that DS. As with many other provisions, again some exceptions will apply, meaning that even though PI was not collected directly from the DS as per the general rule, but it was rather collected from a third party, the RP would still be seen to have collected PI in a lawful manner. Let’s look at some examples where collection from another source would be lawful:
- where PI was made deliberately public by the data subject [This could mean that if I make my PI publically available to anyone on Facebook, without using any security and privacy settings, I should not have the expectation that no one will collect my PI from Facebook. (note that processing of that PI must still need to comply with POPI, but RPs could collect from this source – rather than from me directly)] ;
- there has been a consent to collection from another party [Where I for example consent that company X may share my information with company Y for marketing purposes, company Y can “lawfully” collect my PI from company X (and not from me directly), because I consented to it];
- where collection from other sources is necessary to protect the legitimate interests of the organisation [Again, one can look at the collections environment: If I owe money to a credit provider that is entitled to collect on the debt, and I have moved address, surely the credit provider can justify that he must collect my updated details from a tracing agency for example – in this case the credit provider should be able to justify that it was necessary to collect my updated details from a third party – in order to protect its legitimate interests.].
Do the right thing. Act in a reasonable manner and collect and process PI in manner that could be “defended”. POPI is not stopping organisations from collecting and processing PI. But POPI is requiring from all to do the reasonable thing. If you can obtain consent, it is advisable to do so. If not, think about what you are doing and make sure you can justify your actions. Business need to continue as usual – but within the prescribed rules.