2017 Budget Speech implications for the externalisation of intellectual property (IP)

Relaxing the South African (SA) Exchange Control Regulations, in relation to IP in particular, is crucial for many of our start-up clients (especially those operating in the software development and technology space). Up to now, SA resident companies could not export their IP to a non-resident unless the approval of the Financial Surveillance Department (FSD) of the South African Reserve Bank (SARB) was obtained. This proved to be an insurmountable hurdle for many companies trying to externalise their businesses by moving them "offshore" for any reason, including that of attracting foreign capital investment.

The Exchange Control Regulations provide that when a SA resident (natural or juristic person) enters into any transaction in terms of which capital, or any right to capital, is directly or indirectly exported (i.e. transferred by way of cession, assignment, sale, transfer or any other means) from South Africa to a non-resident (natural or juristic person), such transaction falls within the ambit of the Exchange Control Regulations.

The export of “capital” specifically includes any IP right (whether registered or unregistered), which means the Exchange Control Regulations must be considered when dealing with an externalisation of IP.

The reasoning behind this regulation is that the offshoring of assets or capital belonging to SA residents amounts to an exportation of assets or capital and therefore erodes the asset base of the SA resident by way of a transfer of ownership from a SA resident to a non-resident. While this reasoning may have seemed sound, the application of the Exchange Control Regulations to the export of IP has led to many negative and unintended consequences for SA companies, and start-ups in particular.

In the 2017 National Budget Review the Government proposed that SA residents would no longer need the SARB's approval for "standard IP transactions". It was also proposed that the "loop structure" restriction for all IP transactions be lifted, provided they are at arm's length and at a fair market price. "Loop structure" restrictions prevent SA residents from holding any SA asset indirectly through a non-resident entity.

The SARB has started the process of relaxing the Exchange Control Regulations by issuing two circulars relating to IP. These latest amendments to the Currency and Exchanges Manual for Authorised Dealers mean that, under certain circumstances, approval for the exportation of IP can now be sought from Authorised Dealers (banks appointed by the Minister of Finance for exchange control purposes), as opposed to the FSD. This is good news for clients looking to restructure and offshore their IP, as the approval process should now be less administratively intense, less expensive and with faster turnaround times.

Approval can now be sought through an Authorised Dealer for:

  • a sale, transfer and assignment of IP;
  • by a SA resident;
  • to unrelated non-resident parties;
  • at an arm’s length and fair and market related price.

The Authorised Dealer will need to be presented with: (i) the sale / transfer / assignment agreement; (ii) an auditor's letter or intellectual property valuation certificate confirming the basis for calculating the sale price; and (iii) any additional documents the Authorised Dealer requires under its own internal rules.

For the approval of the licensing of IP by a SA resident to non-resident parties at an arm's length and fair and market related price, the Authorised Dealer will need to be presented with: (i) the licensing agreement in question; (ii) an auditor's letter confirming the basis for calculating the royalty or licence fee; and (iii) any additional documents the Authorised Dealer requires under its own internal rules.

The second set of amendments provides that private (unlisted) South African companies in the technology sector (among others) may now establish companies offshore, without the requirement to primary list offshore, in order to raise foreign funding for their operations. This effectively means that "loop structures" can now be created to raise loans and capital offshore, and these offshore companies may hold investments in South Africa. Note that certain requirements must still be met, for example registration with the FSD.

Our commercial team has experience in making the necessary applications for exchange control approval. Feel free to get in touch if this is something on the horizon for your business.

POPI: First meeting for the Information Regulator

In our blog post on 7 November 2016 we referred you to the appointment of the members of the Information Regulator – which is an independent juristic person in terms of the Protection of Personal Information Act – commonly referred to as “POPI”. The Information Regulator will be responsible for monitoring and enforcing compliance with both POPI and the Promotion of Access to Information Act 2000 (PAIA).

The five members of the Information Regulator (the Chairperson, two full-time members and two part-time members) have been appointed for a five-year period that commenced at the beginning of the month. According to a media statement issued by Adv. Tlakula (the Chairperson) on 2 December 2016, the Information Regulator held a meeting on 1 December 2016 to commence its functions and duties. It has been confirmed that the full-time member responsible for PAIA is Adv. Stroom-Nzama and the full-time member responsible for POPI is Adv. Weapond.

The POPI commencement date has not been confirmed yet, but the general view in the industry is that 24 May 2017 is the likely day – as this will mean that compliance with POPI will be required as from the 25th of May 2018, which is also the date for compliance with the European Union’s General Data Protection Regulation.

In practice we are starting to see more clients focussing on POPI requirements and starting to create POPI awareness through training sessions and implementation of amended policies and practices. It would probably be unrealistic to think that POPI will mean a “quick fix” for all data concerns, but POPI will certainly play a big role to regulate the way in which companies manage data in future.

POPI News: Appointment of the Information Regulator

"Are you ready for POPI?" This question has been asked many times in marketing material over the last couple of years. Answering it has lately become very relevant, since the POPI Information Regulator has (at last) been appointed. Advocate Pansy Tlakula, former chairperson of the South African Independent Electoral Commission, has been appointed as the chairperson of the office of the Information Regulator. The remainder of the office is made up of four others: two full-time members and two part-time members. Advocate Cordelia Stroom and Johannes Weapond will fill the full-time positions, with Professor Tana Pistorius and Sizwe Snail as the part-time members. The office of the Information Regulator will be effective from 1 December 2016 and members will hold office for five years. They will be eligible for reappointment after the first five-year period.

The office of the Information Regulator has been granted widespread powers, amongst others, to investigate alleged breaches of POPI as the office provides a platform for data subjects to approach with any complaints.

With the appointment of the Information Regulator we are likely to receive a date for the commencement of POPI relatively soon.  This will result in the remainder of the Act commencing and will grant responsible parties a “grace period” of one year from the effective date to become compliant with the Act.  The sections of POPI which have already commenced are:

  • Section 1, the definitions clause;
  • Part A of Chapter 5, which deals with the establishment, staffing, powers and meetings of the Information Regulator;
  • Section 112 which authorises the Minister and Information Regulator to make regulations; and
  • Section 113, the procedure for making regulations.

The Information Regulator has been granted a budget by the Minister of Finance. This budget is to be used for the establishment and capacitation of the office. R10 million has been set aside for the 2016/2017 financial year, R26 million for the 2017/2018 financial year and R27 million for the following financial year.

What we can expect to happen next:

  1. Regulations will be promulgated; and
  2. the commencement date will be announced.

Contact us for more information on all POPI questions.

POPI SERIES – CONDITION 8 – DATA SUBJECT PARTICIPATION

We are coming to the end of our POPI series. The first seven POPI Conditions for Lawful Processing have been discussed in detail in our previous articles and this month it is time for a discussion of the eighth and final condition: Data Subject Participation. This condition is comprised of three elements, namely (i) access to personal information, (ii) correction of personal information and (iii) the manner in which the personal information is accessed.

Applicable POPI sections and commentary

The relevant sections of POPI applicable to “data subject participation” have been reproduced below with our commentary:

Access to Personal Information

Section 23 “Access to personal information.—

(1) A data subject, having provided adequate proof of identity, has the right to—

(a) request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and

(b) request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—

(i) within a reasonable time;

(ii) at a prescribed fee, if any;

(iii) in a reasonable manner and format; and

(iv) in a form that is generally understandable.

(2) If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.

(3) If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1) (b) to enable the responsible party to respond to a request, the responsible party—

(a) must give the applicant a written estimate of the fee before providing the services; and

(b) may require the applicant to pay a deposit for all or part of the fee.

(4) (a) A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.

(b) The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.

(5) If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4) (a), every other part must be disclosed.”

Commentary to Section 23 above:

  1. Data subjects have a right to access their personal information records and receive copies of these records. This right is not, however, unlimited. A responsible party will have some discretion as to the process to be followed in allowing data subjects to request access to their information, as well as the means through which the data subject will be obliged to identify him/herself before being given access to their personal information. One method of regulating these requests may be through a responsible party’s PAIA manual or a similar ‘personal information request document’.
  2. If it appears that a responsible party is indeed in possession of certain information about a data subject, the data subject may request that responsible party to provide it with a record of this information.
  3. Within that record provided to the data subject, the responsible party will have to bring to the attention of the data subject that it has the right in terms of section 24 to request a correction to such information.
  4. Depending on the costs that a responsible party may have incurred or anticipates incurring in the process of providing the above information to the data subject, the responsible party may request the data subject for reimbursement therefor.
  5. Where the provisions of the Promotion of Access to Information Act 4 of 2000 (“PAIA”) so permit, a responsible party may refuse to disclose particular information to the data subject. If, however, such right to refuse relates only to certain information, the remaining information (in respect of which PAIA permits disclosure) must be disclosed to the data subject.

Correction of Personal Information

Section 24: “Correction of personal information.—

(1) A data subject may, in the prescribed manner, request a responsible party to—

(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

(b) destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.

(2) On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—

(a) correct the information;

(b) destroy or delete the information;

(c) provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or

(d) where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.

(3) If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.

(4) The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.”

Commentary to Section 24 above:

  1. After receiving a record of personal information from a responsible party in terms of section 23, a data subject may request the deletion or correction of such personal information.
  2. Any request made by a data subject should be made on the basis of the personal information in question being inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
  3. If the data subject has requested the deletion or correction of its personal information in accordance with sections 23 and 24, the responsible party may correct or delete it. Alternatively, it may provide the data subject with credible evidence in support of the personal information. Where agreement cannot be reached and the responsible party believes it is entitled to retain the personal information, the data subject may request that a kind of disclaimer be attached to the information, in such a way that it is always read together with the information, stating that a correction has been requested but not made.
  4. If a responsible party has changed information in relation to a data subject, and this change has an impact on decisions that have been or will be taken in respect of that data subject, the responsible party must (if reasonably practicable) inform each person to whom that personal information has been disclosed of such change.

Manner of Access

Section 25: “Manner of access.—

The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section 23 of this Act.”

Commentary to Section 25 above:

  1. This section provides that the data subject may make use of the relevant provisions in PAIA to make a request for personal information in terms of section 23 of POPI.
  2. In each PAIA request for personal information, there will need to be a procedure through which the responsible party appropriately identifies the data subject as the person to whom the relevant personal information relates.

Conclusion

Essentially, POPI's Condition 8 aims to ensure practical and accessible transparency for data subjects in the processing of their personal information. This transparency demands that a responsible party allows a data subject to have a say in the processing of the personal information in the possession or under the control of that responsible party. Ultimately, this all boils down to a responsible party's responsibility to maintain up-to-date information registers and implement suitable controls, so that it is able to easily (i) identify what personal information is in its possession or under its control; (ii) identify to whom that personal information relates; and (iii) update such personal information.


POPI SERIES – CONDITION 7 – INFORMATION SECURITY

INTRODUCTION

The purpose of the Protection of Personal Information Act 4 of 2013 ("POPI") is not to prohibit the processing of Personal Information ("PI") per se. Rather, one of the purposes of POPI is to regulate the processing of PI, including by prescribing that organisations must implement appropriate safeguards to ensure that the PI they process is protected and secured.

This month our focus is on Condition 7, which pertains to Security Safeguards. In essence, this condition requires organisations to secure the integrity and confidentiality of all PI in their possession or under their control. This is to be achieved by implementing appropriate and reasonable security measures.

RELEVANT POPI SECTIONS

We discuss the practical implications in the paragraphs below; our high-level comments on the individual POPI sections appear in square brackets after each section.

Section 19

“Security measures on integrity and confidentiality of personal information.—

(1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

(a) loss of, damage to or unauthorised destruction of personal information; and

(b) unlawful access to or processing of personal information. [This is the general obligation on the responsible party to take steps to secure personal information.]

(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to—

(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

(b) establish and maintain appropriate safeguards against the risks identified;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. [This is a continual obligation to identify security risks on an ongoing basis and implement measures to reduce risks so identified.]

(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations." [POPI does not provide a "tick list" of security requirements to meet. Responsible parties must consider applicable industry security practices and then implement security measures appropriate to their business.]

Section 20:

“Information processed by operator or person acting under authority.—

An operator or anyone processing personal information on behalf of a responsible party or an operator, must—

(a) process such information only with the knowledge or authorisation of the responsible party; and

(b) treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.” [This is the limitation on operators – they may not use personal information received from the responsible party for their own purposes outside of the scope of the contract with the responsible party.]

Section 21: Security measures regarding information processed by operator.—

(1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19. [There is a duty on the responsible party to regulate the relationship with the operator by written contract.]

(2) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person. [Operators to note this duty to report unauthorised access.]

WHAT DOES ALL OF THIS MEAN IN PRACTICE?

Different requirements will need to be considered, depending on whether you are acting as a responsible party or as an operator.

As a responsible party you have an ongoing obligation to safeguard the PI in your possession from being destroyed unlawfully, accessed unlawfully, lost or damaged. This obligation requires your organisation to have reasonable technical and organisational measures in place to protect PI under your control or in your possession. Organisational and technical measures include, for example, measures that restrict unauthorised individuals from entering your premises, and controls through which your organisation restricts access rights and the use of its networks, devices and so on.

There is also an ongoing obligation on organisations to identify new risks. These should be prioritized according to the threat posed.

Practical controls or processes in response to risks identified, could include the following:

  • Review of access rights on an ongoing basis;
  • Ownership for PI;
  • Physical access controls;
  • Computer/ device passwords;
  • Firewalls;
  • Encryption;
  • Remote destruction;
  • Anti-virus programs;
  • Exit process.

Most organisations had been implementing some of these measures to secure PI long before POPI was enacted. Condition 7 of POPI will require organisations to review their current processes and to implement additional processes where gaps are identified.
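Section 19(2)(c) asks for regular verification that the safeguards are actually in effect, and the first, second and last items on the list above (access-rights review, ownership for PI, exit process) are the ones most easily checked by a script. The following is an added example written for this article, not code from any POPI guidance or vendor product: it runs a periodic access review over a constructed snapshot of accounts and PI datasets. The account and dataset fields, the sample users and the 90-day dormancy threshold are all assumptions; a real review would read the same information from your identity provider and HR system.

```python
"""Periodic access-rights review (added illustrative example, not POPI-prescribed).

Flags three common ways a stated safeguard turns out not to be in effect:
  LEAVER_WITH_ACCESS   exit process ran in HR but the account still holds roles
  STALE_ACCOUNT        live permissions on an account nobody has used for a while
  ORPHANED_PI_DATASET  a store of personal information whose named owner has left
and produces a per-dataset list of who can currently read it, for sign-off.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user: str
    active_employee: bool        # False once HR has completed the exit process
    last_login: date
    roles: frozenset             # access roles currently granted to this user


@dataclass(frozen=True)
class PIDataset:
    name: str                    # a store of personal information
    owner: str                   # user accountable for it ("ownership for PI")
    reader_roles: frozenset      # roles that grant read access to it


def review_access(accounts, datasets, today, stale_after=timedelta(days=90)):
    """Return (findings, access_matrix).

    findings       sorted list of (code, subject, detail) tuples
    access_matrix  {dataset name: sorted users whose roles can read it today}
    """
    findings = []
    by_user = {a.user: a for a in accounts}

    for a in accounts:
        if not a.active_employee and a.roles:
            # Leaver whose roles were never revoked: the exit process is not effective.
            findings.append(("LEAVER_WITH_ACCESS", a.user, sorted(a.roles)))
        elif a.roles and today - a.last_login > stale_after:
            # Dormant but privileged accounts are a favourite target and rarely missed.
            findings.append(("STALE_ACCOUNT", a.user, (today - a.last_login).days))

    access_matrix = {}
    for d in datasets:
        owner = by_user.get(d.owner)
        if owner is None or not owner.active_employee:
            # Nobody is accountable for this PI any more; reassign before the next review.
            findings.append(("ORPHANED_PI_DATASET", d.name, d.owner))
        # Anyone holding a reader role can technically read the data, employed or not.
        access_matrix[d.name] = sorted(
            a.user for a in accounts if a.roles & d.reader_roles
        )
    return sorted(findings), access_matrix


# Constructed sample snapshot (hypothetical users and datasets).
TODAY = date(2017, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2017, 2, 27), frozenset({"hr-admin"})),
    Account("bob", True, date(2016, 10, 1), frozenset({"sales"})),               # 151 days idle
    Account("carol", False, date(2017, 1, 15), frozenset({"sales", "finance"})),  # left, roles kept
    Account("dave", True, date(2017, 2, 28), frozenset()),                       # no roles to flag
]
SAMPLE_DATASETS = [
    PIDataset("employee-records", owner="alice", reader_roles=frozenset({"hr-admin"})),
    PIDataset("customer-crm", owner="carol", reader_roles=frozenset({"sales"})),
]


def run_sample():
    """Run the review over the constructed snapshot; used by the demo and tests."""
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_DATASETS, TODAY)


if __name__ == "__main__":
    findings, matrix = run_sample()
    for code, subject, detail in findings:
        print(f"{code:<20} {subject:<18} {detail}")
    for name, users in matrix.items():
        print(f"readers of {name}: {', '.join(users)}")
```

Run on the sample, the review reports that carol still holds the sales and finance roles after leaving, that bob has not logged in for 151 days, and that customer-crm has no accountable owner; the access matrix shows carol still able to read customer-crm, which is the evidence you would attach to the review record. Scheduling a script like this and keeping its output is one way to show, for section 19(2)(c), that the safeguards were verified rather than merely documented.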

If your organisation outsources any functions involving the processing of personal information to a third party operator, you will still remain responsible for the processing of the PI. You also have the obligation in terms of POPI to regulate your relationship with the operator by way of written contract to ensure that the operator provides the service in accordance with POPI requirements.

In terms of POPI there is a duty on responsible parties to regularly consider whether there are any new risks and then implement processes to address the risks identified.

As an operator, it is very important to understand that you cannot do with the personal information received from the responsible party as and how you want to. The responsible party as the custodian of the information will authorise you to only use the information for the purposes of the service that you are rendering to the responsible party. You cannot use the information for any of your own purposes.

WHAT HAPPENS IF THERE IS A SECURITY BREACH?

In terms of POPI you cannot keep quiet and hope that no one will ever find out. The law puts an obligation on you to report the breach.

In terms of section 22: Notification of security compromises.—

(1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—

(a) the Regulator; and

(b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.

The notification must be made as soon as reasonably possible after the compromise is discovered (section 22(2)). The law also determines that the notification to the data subject must be in writing and communicated in at least one of the following ways:

  • mailed to the data subject’s last known physical or postal address;
  • sent by e-mail to the data subject’s last known e-mail address;
  • placed in a prominent position on the website of the responsible party;
  • published in the news media; or
  • as may be directed by the Regulator.

The following information needs to be disclosed in the notification:

  • a description of the possible consequences of the security compromise;
  • a description of the measures that the responsible party intends to take or has taken to address the security compromise;
  • a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  • if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.

CONCLUSION

In preparation for POPI you should consider your current processes, access rights and security measures. It is likely that some of these may need to be reviewed and new processes implemented to ensure compliance. Remember that POPI does not provide for a defined list of measures to implement. But consider applicable industry standards and make sure that you can comply with this important condition 7.

POPI SERIES – CONDITION 6 – OPENNESS

Introduction

We have now passed the halfway mark of our POPI Series, and the next topic in the series is that of "Openness" or "Notification". In our view, Notification is one of the most challenging provisions of POPI. This condition will almost certainly require responsible parties to change current processes, and possibly to develop new processes, to ensure compliance.

In this article, we are going to try and focus on the practical implementation of this condition.

This condition is premised on two primary elements, namely:

  • Documentation; and
  • Notification to the Data Subject.

This condition must not be confused with the “prior notification” sections (section 57 and 58) in terms whereof a responsible party needs to notify the Information Regulator of certain processing actions before it can process the personal information. This will be discussed in a separate article in future.

Relevant sections and practical implications.

Let’s first look at the requirements of section 17:

“Documentation.—

A responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.”

In terms of this section, a responsible party must consider the provisions of section 14 or 51 of the Promotion of Access to Information Act 2000 ("PAIA"). Note that for private bodies section 51 applies. In terms of section 51 of PAIA, certain private bodies must disclose specified information in a manual, generally referred to as a PAIA Manual. Note that POPI will amend PAIA to provide for additional information that must be included in a company's PAIA Manual.

It is not difficult to comply with section 17 and responsible parties must remember to amend their PAIA manuals to include the required information.

Now we turn to the provisions of section 18, which will be more challenging to comply with.

“Notification to data subject when collecting personal information.—

(1) If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—

(a) the information being collected and where the information is not collected from the data subject, the source from which it is collected;

(b) the name and address of the responsible party;

(c) the purpose for which the information is being collected;

(d) whether or not the supply of the information by that data subject is voluntary or mandatory;

(e) the consequences of failure to provide the information;

( f ) any particular law authorising or requiring the collection of the information;

(g) the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;

(h) any further information such as the—

(i) recipient or category of recipients of the information;

(ii) nature or category of the information;

(iii) existence of the right of access to and the right to rectify the information collected;

(iv) the existence of the right to object to the processing of personal information as referred to in section 11 (3); and

(v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

(2) The steps referred to in subsection (1) must be taken—

(a) if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or

(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

(3) A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.

(4) It is not necessary for a responsible party to comply with subsection (1) if—

(a) the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;

(b)non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;

(c) non-compliance is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

(iii) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or

(iv) in the interests of national security;

(d) compliance would prejudice a lawful purpose of the collection;

(e) compliance is not reasonably practicable in the circumstances of the particular case; or

(f) the information will—

(i) not be used in a form in which the data subject may be identified; or

(ii) be used for historical, statistical or research purposes."

From the above it follows that, in terms of this condition, a responsible party has an obligation to notify a data subject of certain specified information each time information about the data subject is collected, from whichever source, unless the responsible party can rely on one of the exceptions to the general rule and can justify why notification is not necessary.

Why did the legislator include this section? Compliance with this section will clearly be very onerous on business and could also be a costly exercise.

We believe that some of the main reasons for including this section are the following:

  • Currently information flows between companies without data subjects ever realising what is happening with their information.
  • Data subjects provide their personal information to companies for specific reasons, but companies often take the information and do with it whatever they want to – including using it for reasons that would never have been intended by the data subject.
  • Data subjects do not know which companies hold their personal information.

In terms of this section 18, companies will therefore need to inform data subjects of the reasons for which they would use the data subject’s information. They also need to inform them of the type of companies with whom the personal information will be shared, including where information will be shared with third party service providers who will have access to the information or receive the information for processing on behalf of the responsible party.

When do you need to notify data subjects? According to POPI this must happen even before you collect the information – if you collect it directly from the data subject, or if not directly from the data subject, before you collect or as soon as reasonably possible after you have collected it.

How do you need to notify the data subject? POPI does not provide exact details on how this notification needs to take place. Once the Regulator has been set up, we may get a better idea of the expectations around ways to notify. Currently it seems that the most popular way would be to include the information in privacy policies. This is not a no go, but without the data subject knowing about the privacy policy and the notification information provided through the policy, it may have little effect. The proposed solution is to include some specific reference to the policy in your customer terms, application forms, or other applicable documentation and then include the majority of the required information in the actual policy.

By far the biggest challenge will come in where information is not collected directly from the data subject. This happens on a daily basis and a few examples include:

  • Collecting information about a relative / friend of your customer
  • Collecting information from the credit bureau
  • Collecting information from third party data suppliers
  • Collecting information from fraud data bases
  • Collecting information from other companies within your group of companies
  • Collecting information from business partners

As you would have seen from subsection (4) quoted above, in some instances you do not need to comply with the notification requirements. We however urge business to consider the exceptions very carefully and not flippantly rely on something like “it is not reasonably practicable” to notify, without properly determining whether it would really be possible to rely on the exception. Merely taking the view that it would be “very costly” to comply is unlikely to be “good enough” to justify non-compliance.

Conclusion

It’s evident that the POPI conditions and requirements are closely connected to one another. Notification, for example, links in with purpose specification. In terms of Condition 3, you need to specify the purposes for which you intend to use the personal information. In terms of Condition 6, you need to tell the data subject what the purposes are that you identified in terms of Condition 3.

Remember to update your PAIA manual to include the required information in terms of POPI.

Consider all situations where you collect personal information and consider how you will notify. You may be able in some instances to rely on an exception and decide not to notify. Document those decisions and explain your justification for record purposes.

For any assistance with this challenging condition, please contact Jana van Zyl at jana@dommisseattorneys.co.za

POPI SERIES CONDITION 5 – INFORMATION QUALITY

1. INTRODUCTION

Let’s recap: we have previously discussed Conditions 1-4 of the Protection of Personal Information Act 4 of 2013 (“POPI”), dealing with Accountability, Lawful Processing, Purpose Specification and Further Processing Limitations. In this month’s POPI series, we are going to discuss Condition 5 which deals with the Information Quality.

2. INFORMATION QUALITY IN TERMS OF POPI

In terms of section 16:

“Quality of information.—

(1) A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

(2) In taking the steps referred to in subsection (1), the responsible party must have regard to the purpose for which personal information is collected or further processed.”

In terms of this Condition 5, a responsible party is required to take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary. This requirement is applicable to personal information collected both manually and electronically. POPI does not provide further details on what reasonably practicable steps would mean and therefore each business will need to consider its operations and decide which steps and processes it would implement to reasonably keep personal information updated.

In terms of subsection (2), the purpose of collection and processing must be considered when deciding on the steps to be taken to update information. This is an example of how the POPI Conditions work together – purpose specification is an obligation in terms of Condition 3 but should also be considered for compliance with Condition 5. In essence the decision of the responsible party in relation to the quality of the personal information as well as the reasonably practicable steps to be taken is directly linked to the purpose for which the personal information was collected.

Data subjects should also take responsibility and could be requested to advise responsible parties of a change in details where applicable. This could, for example, be regulated with the data subject (if it is a customer) in the customer contract or in general user terms and conditions.

Other examples of possible processes to update information include call centre interaction – each time you speak to the customer, ask whether their details have changed – or providing online access to customer accounts (if your business allows for this), in terms whereof the customer can log in and update their own details.

3. CONCLUSION

In order for organisations to comply with the requirements of Condition 5, they would firstly need to identify the purpose for which they intend to use the information, and then implement reasonable processes to make sure that data subjects have access to processes in terms whereof current information can be updated where required.

POPI SERIES: CONDITION 4 – FURTHER PROCESSING LIMITATIONS

Moving right along in connecting the dots between Conditions 1 and 8 of the Protection of Personal Information Act 4 of 2013 (“POPI”). In our previous POPI Series articles, we discussed POPI Conditions 1, 2 and 3 in more detail, which relate to Accountability, Lawful Processing and Purpose Specification respectively. This month, we are going to discuss Condition 4 – which relates to Further Processing Limitations.

In previous articles we have emphasised the importance of knowing the reason – the purpose – for which a responsible party is collecting and using personal information (“PI”). It is vitally important for a responsible party to define the purpose for processing at the outset, since in terms of POPI, “further processing” of the PI must “link in” with that initial reason (purpose) for which the PI was collected.

POPI allows responsible parties to “further process” PI provided that the further processing is within the parameters of the POPI provisions. The general rule is that the further processing must be in accordance with or compatible with the purpose for which it was collected the first time (section 15(1)). POPI does not provide a defined list of what will constitute “compatibility”.

In practical terms this means that you cannot collect personal information for a specifically defined purpose, and then use it for a purpose that is not linked to the original purpose at all. By way of example: As lawyers, we collect information about our clients. If we collect information for purposes of a specific brief, we could possibly argue that if the client returns after a period of time with another brief, the information collected the first time, could be used under the “further processing” provisions of POPI – because the two reasons for processing are closely linked (both being for purposes of assisting with a legal brief – although the two briefs have got nothing to do with one another.)

If however, we collect the information for the first brief from the client (client 1) and we know that another client (client 2) would be very interested to meet with client 1 or use client 1’s information for its own purposes, and we pass on client 1’s information to client 2, this processing action would not be linked to the original purpose for which client 1 provided his information and we would fall foul of the further processing provisions of POPI.

So how do we determine whether the further processing is compatible with the original purpose or not?
POPI does not provide a defined list of what will constitute “compatibility”. It rather answers the question in the negative, to indicate when the processing would “not be incompatible”. The test for compatibility is set out in section 15(3) of POPI. I add my comments to the lawyer example above in square brackets to explain the concept:

Section 15 Further processing to be compatible with purpose of collection —

(1) Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of section 13.

(2) To assess whether further processing is compatible with the purpose of collection, the responsible party must take account of—

(a) the relationship between the purpose of the intended further processing and the purpose for which the information has been collected; [Initial purpose was to assist the client with the legal brief. The secondary purpose is to share his information with an unknown (to him) third party for the third party’s purposes.]

(b) the nature of the information concerned; [Possibly not that relevant, but could be very personal in nature.]

(c) the consequences of the intended further processing for the data subject; [Depending on what the third party wants to do with it, consequences may not sit well with client 1.]

(d) the manner in which the information has been collected; [Would have been with (implied at least) consent to use it for purposes of assisting with the legal brief and the relationship between the attorney and client in general.] and

(e) any contractual rights and obligations between the parties. [Contract would have covered the instruction to the lawyer to assist with the legal brief.]

(3) The further processing of personal information is not incompatible with the purpose of collection if—

(a) the data subject or a competent person where the data subject is a child has consented to the further processing of the information; [No consent from the client to pass on the information.]

(b) the information is available in or derived from a public record or has deliberately been made public by the data subject; [Not applicable.]

(c) further processing is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences; [Not applicable.]

(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997); [Not applicable.]

(iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; [Not applicable.] or

(iv) in the interests of national security; [Not applicable.]

(d) the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to—

(i) public health or public safety; or

(ii) the life or health of the data subject or another individual; [Not applicable.]

(e) the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; [Not applicable.] or

(f) the further processing of the information is in accordance with an exemption granted under section 37. [Not applicable.]

CONCLUSION: As can be seen from the above example, the intended further processing to share the information with a third party (client 2) will not meet the requirements of section 15 and the further processing will not be allowed in terms of POPI.

Each time that a responsible party intends to “further process” personal information, the responsible party should therefore assess whether the further processing is “compatible” with the original purpose for which it was collected by using the factors listed in section 15.

Below follows a more detailed discussion of the factors listed in section 15(3) – where the responsible party can argue that the further processing will not be incompatible with the original purpose for processing:

Consent
If the data subject consents to the further processing, the responsible party can further process it. Applying it to our lawyer case study: if the lawyer phones the client and obtains his consent to pass on the client’s information to the third party (client 2), there would be no problem.

Public record
Further processing is allowed if the information is available in or derived from a public record OR has deliberately been made public by the data subject. (Facebook for example).
Section 1 defines a “public record” as a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body.

Maintenance of the law
If the further processing is necessary for purposes of maintenance of the law, to comply with legislation, for the conduct of court proceedings, or if it is in the interests of national security, it will be allowed. If for example the client in our case study wanted to settle the lawyer’s bill of R 100 000 in cash, the lawyers have a duty in law to report this to the relevant authorities, and that further processing action to report it (without consent from the client) would indeed be allowed.

Health or safety threat
If the further processing is necessary to prevent or mitigate a threat to public health or safety or the life/health of the data subject or another individual, further processing is allowed. If for example the client in the case study needed urgent medical treatment in a situation where his life was in danger, the lawyers would be able to argue that sharing the personal information with medical staff (if this could ever be relevant) would be justified under this exception.

Historical, Statistical and Research purposes
Further processing is allowed for these purposes, provided that the information is not in identifiable form.

Regulator Exemption
The further processing will be allowed if it is in accordance with an exemption that was granted by the Information Regulator (once established). This could be where the further processing is necessary for public interest purposes and an exemption was granted.

Conclusion

From a compliance perspective, the data subject must know the purposes for which a responsible party will be collecting and using the PI. If the business did not obtain explicit consent from the data subject at the time of collection for the specific future processing activity it wishes to use the PI for, the business must assess the “compatibility” of the further processing as outlined above. Responsible parties will have to consider the steps above and determine on a case by case basis (based on the facts) whether further processing will be compatible or not.

POPI Series: Condition 3 – Purpose Specification

Introduction

In our previous two POPI series articles, we considered Conditions 1 and 2 in more detail, which conditions relate to Accountability and Lawful Processing. This month we are going to tackle Condition 3 – Purpose Specification.

The purpose of collection or processing of personal information is, in some way or another, the crux of a number of the POPI requirements as set out in the different conditions for lawful processing. This condition comprises two elements, namely collection for a specific purpose, and retention and restriction of records. The two elements provide us, firstly, with the parameters within which organisations may collect and process personal information, and secondly, with the time period for which an organisation may lawfully retain personal information records.

Collection for a specific purpose

In terms of section 13:

“Collection for specific purpose.—

(1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

(2) Steps must be taken in accordance with section 18 (1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18 (4) are applicable.”

Section 13(1) is self-explanatory and straightforward in that the requirement is for a responsible party to collect personal information for a specific purpose. This means that, going forward, responsible parties will need to define the different reasons for which personal information will be processed and also make sure that these reasons tie in with the responsible party’s general business activities. The current practice for many organisations is to obtain as many information fields as the data subject would complete. POPI requires organisations to take a step back and consider the reasons why the information is being collected (and processed), and then only process the relevant information fields as required for the particular business operation.

This principle will also apply when the responsible party shares information with third parties. If for example, your business makes use of a third party to send out your bulk marketing messages, you should only share with the third party the information that they need to send out the messages on your behalf. Do not share all the information fields relating to the data subjects if the third party only needs cell phone numbers or email addresses.

Once the organisation has determined the various purposes for which it may want to use the personal information, a further step is required from a POPI point of view. The responsible party has a duty to bring to the attention of the data subject, these defined purposes for processing. The intention is that if I provide my information to your company, I should know for which purposes you are going to use my information. (And if you plan to use it for purposes that I don’t like, and you don’t have a right in law to process it for those reasons, I may object to the processing for that purpose!)

Section 18 provides that reasonably practicable steps must be taken to make the data subject aware of the specific collection and processing of the personal information. This boils down to a question as to what would constitute reasonably practicable steps. The section 18 notification requirements will be discussed in more detail in a future article, but for now it is important to take note of the fact that there could be an obligation to disclose the purposes of use. (Section 18 does allow for some exceptions – again, these would be discussed in future.)

Retention and restriction of records

In terms of section 14:

“Retention and restriction of records.—

(1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—

(a) retention of the record is required or authorised by law;

(b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities;

(c) retention of the record is required by a contract between the parties thereto; or

(d) the data subject or a competent person where the data subject is a child has consented to the retention of the record.

(2) Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.”

In practice, this element relates mostly to the role that management has in ensuring that there are policies and/or procedures in place to categorise the PI collected or processed, and to define the retention periods that apply to the different categories of personal information.

The default position in this regard is that the RP may only keep PI for the period necessary to achieve the objective for which it was collected – unless one of the exceptions applies – for example, if the data subject consents otherwise, or another law requires the information to be retained for a specified period.

In practice, organisations should identify the different purposes for which information is collected and processed, and then develop retention policies in accordance with the reasons for which the information was collected. Bear in mind that where another piece of legislation, like the National Credit Act, or FICA, or Companies Act, or tax or labour legislation for example specify a minimum period, the specified period will need to be applied in the retention policy.

In our view, it would mostly be difficult to justify retention for an indefinite period. Even if marketing is the purpose for which the information is being retained, it would be hard to justify why information that was for example collected 10 years ago and not processed in the meantime could still be retained “for marketing purposes”.

Conclusion

Identify the reasons (purpose) for which you are processing personal information. (Also bear in mind that you will probably have to notify data subjects of these reasons.)

When considering your reason for processing, think about the information that you actually need for that particular purpose and don’t ask for or use more information than what is needed.

Only keep information as long as necessary for the purpose. But bear in mind that other legislation may prescribe minimum retention periods that you will still need to adhere to and that you need to build in to your retention policies.

POPI Series: Condition 2 – Lawful Processing

Introduction

In our March Newsletter we discussed the first Condition for lawful processing, namely “Accountability”. In this article, we continue our POPI series with a discussion of the second condition for lawful processing in terms of POPI, namely “Processing Limitation”. This may sound a bit vague…. Our aim is to explain to you in layman’s terms, how this condition should be considered and how it may impact on your business operations.

Condition 2: Processing limitation

This condition hinges on four key requirements: (i) lawfulness of processing; (ii) minimality (you may think this is a strange concept); (iii) consent, justification and objection; and (iv) collection of PI directly from Data Subjects.

Before we start, just a reminder that in our previous discussions, we have already dealt with the definition of the “data subject” (DS), but for ease of reference, note that the data subject is the person to whom PI relates – the one whose PI is being processed. And the “responsible party” (RP) is the one processing the PI.

Lawfulness of processing

Section 9 of POPI provides for the following in relation to lawfulness of processing:

“Personal information must be processed—

(a) lawfully; and

(b) in a reasonable manner that does not infringe the privacy of the data subject.”

What does it mean to process PI “lawfully”? And could a data subject not take a view that each time that PI is being processed there will be an infringement of privacy?

In essence, this requirement comes down to acting in a manner that is “reasonable”. When looking at “lawfulness”, the RP must conduct itself within the confines of the law. In terms of our law, one may not steal. Loosely speaking, this also applies to PI – one cannot “steal” another company’s database and hope not to breach the requirement of lawfulness. It should be obvious that “stealing” a database or information, will be “unlawful”. If one considers POPI as a whole, the responsible party should at all times be able to say that it conducted itself in a manner that would not (reasonably) infringe on the privacy of the DS.

Minimality

In most instances, the question of how much PI is “more than is necessary” will depend on the purpose for which the PI is processed. The default position is that the RP should only collect and/or process as little PI as is necessary to achieve its business objectives. Next month we will discuss “purpose” in more detail, but it is important to understand that the purpose for which PI is collected and processed must be considered at all times, and the amount of PI that can “lawfully” be processed will be considered against the reason why the PI is processed. It simply means that if you only need a name and telephone number, don’t ask for an address and ID number just because…. POPI says you must only process what you need to!

Consent, justification and objection

And now we get to the big CONSENT question….

We have previously written on this topic in an article Is consent the beginning and the end? (http://dommisseattorneys.co.za/popi-is-consent-the-beginning-and-the-end/). There is still a lot of confusion in the market around consent. In essence, consent is one of 6 grounds on which a RP can rely to process PI. This means that without consent, a RP can still be seen to process PI lawfully – but only if it can rely on one of the other 5 grounds provided for in this section. (Note that for electronic direct marketing specific rules around consent apply and therefore our consent discussion below does not necessarily apply to electronic direct marketing.)

Section 11 provides the following:

“Consent, justification and objection.—(1) Personal information may only be processed if—

(a) the data subject or a competent person where the data subject is a child consents to the processing;

(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;

(c) processing complies with an obligation imposed by law on the responsible party;

(d) processing protects a legitimate interest of the data subject;

(e) processing is necessary for the proper performance of a public law duty by a public body; or

(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”

It would often be easy to obtain or infer consent. If I am asked for certain information, and I know exactly what the RP is going to do with my information, and I continue to provide the information requested, surely one can take a view that I have “given consent” for that processing.

The more difficult question to answer would be when can the RP process my PI if I have NOT given consent? Let’s look at some examples when POPI allows processing without consent:

  • If processing is necessary to fulfil a contractual agreement in which the DS is involved [This refers to a situation where the RP has to process my PI in order to perform in terms of a contract with me];
  • If processing is in accordance with the law [This refers to a situation where the law requires from the RP to process my PI. It would be irrelevant whether I consented to it or not – the RP has an obligation in law to do certain things with my PI. Reporting my behaviour to authorities (where a law requires from the RP to report certain behaviour) may be an example of this.];
  • If processing is necessary to protect the legitimate interests of either the RP or third party [What does “legitimate interest” mean? POPI does not define it and reliance on this exception will need to be considered very carefully. In our view, an example could be the following: I enter into a credit agreement with company X for a credit facility to purchase clothing on credit. I do not honour my agreement and I am in arrears. Company X did not ask for my consent for them to trace me and collect on debt that I owe them. Even though they did not obtain my consent, company X can argue that they can (lawfully) trace me and collect debt from me, because it is in their “legitimate interest” to collect on debt that I owe to them.]

In the event of a data subject challenging the RP whether there was consent or not, the RP will bear the burden of proof, to prove consent. This could be very relevant – particularly for marketers.

So once the DS has given consent, can that consent be revoked? Yes, POPI provides for a mechanism in terms whereof a data subject can “object” to processing in certain circumstances. This means that even though (for example) a direct marketing consent was obtained when the DS entered into an agreement with the RP, that DS may at any time request that the marketing stop – basically “objecting” to the processing for the purpose of marketing.

Collection of PI directly from the DS

This requirement provides for a general rule, in terms whereof organisations should collect the PI relating to a particular DS directly from that DS. As with many other provisions, some exceptions apply, meaning that even though PI was not collected directly from the DS as per the general rule, but rather from a third party, the RP would still be seen to have collected the PI in a lawful manner. Let’s look at some examples where collection from another source would be lawful:

  • where PI was made deliberately public by the data subject [This could mean that if I make my PI publicly available to anyone on Facebook, without using any security and privacy settings, I should not have the expectation that no one will collect my PI from Facebook. (Note that processing of that PI must still comply with POPI, but RPs could collect from this source rather than from me directly.)];
  • there has been a consent to collection from another party [Where I for example consent that company X may share my information with company Y for marketing purposes, company Y can “lawfully” collect my PI from company X (and not from me directly), because I consented to it];
  • where collection from other sources is necessary to protect the legitimate interests of the organisation [Again, one can look at the collections environment: If I owe money to a credit provider that is entitled to collect on the debt, and I have moved address, surely the credit provider can justify that he must collect my updated details from a tracing agency for example – in this case the credit provider should be able to justify that it was necessary to collect my updated details from a third party – in order to protect its legitimate interests.].

Conclusion

Do the right thing. Act in a reasonable manner and collect and process PI in a manner that could be “defended”. POPI is not stopping organisations from collecting and processing PI. But POPI is requiring everyone to do the reasonable thing. If you can obtain consent, it is advisable to do so. If not, think about what you are doing and make sure you can justify your actions. Business needs to continue as usual – but within the prescribed rules.