POPI Series: Condition 2 – Lawful Processing

Introduction

In our March Newsletter we discussed the first Condition for lawful processing, namely “Accountability”. In this article, we continue our POPI series with a discussion of the second condition for lawful processing in terms of POPI, namely “Processing Limitation”. This may sound a bit vague… Our aim is to explain to you, in layman’s terms, how this condition should be considered and how it may impact on your business operations.

Condition 2: Processing limitation

This condition hinges on four key requirements: (i) lawfulness of processing; (ii) minimality (you may think this is a strange concept); (iii) consent, justification and objection; and (iv) collection of PI directly from Data Subjects.

Before we start, just a reminder that in our previous discussions, we have already dealt with the definition of the “data subject” (DS), but for ease of reference, note that the data subject is the person to whom PI relates – the one whose PI is being processed. And the “responsible party” (RP) is the one processing the PI.

Lawfulness of processing

Section 9 of POPI provides for the following in relation to lawfulness of processing:

“Personal information must be processed—

(a) lawfully; and

(b) in a reasonable manner that does not infringe the privacy of the data subject.”

What does it mean to process PI “lawfully”? And could a data subject not take a view that each time that PI is being processed there will be an infringement of privacy?

In essence, this requirement comes down to acting in a manner that is “reasonable”. When looking at “lawfulness”, the RP must conduct itself within the confines of the law. In terms of our law, one may not steal. Loosely speaking, this also applies to PI – one cannot “steal” another company’s database and hope not to breach the requirement of lawfulness. It should be obvious that “stealing” a database or information, will be “unlawful”. If one considers POPI as a whole, the responsible party should at all times be able to say that it conducted itself in a manner that would not (reasonably) infringe on the privacy of the DS.

Minimality

In most instances, the question of how much PI is “more than is necessary” will depend on the purpose for which the PI is processed. The default position is that the RP should only collect and/or process as little PI as is necessary to achieve its business objectives. Next month we will discuss “purpose” in more detail, but it is important to understand that the purpose for which PI is collected and processed must be considered at all times, and the amount of PI that can “lawfully” be processed will be considered against the reason why the PI is processed. It simply means that if you only need a name and telephone number, don’t ask for an address and ID number just because… POPI says you must only process what you need to!

Consent, justification and objection

And now we get to the big CONSENT question…

We have previously written on this topic in an article Is consent the beginning and the end? (http://dommisseattorneys.co.za/popi-is-consent-the-beginning-and-the-end/). There is still a lot of confusion in the market around consent. In essence, consent is one of 6 grounds on which a RP can rely to process PI. This means that without consent, a RP can still be seen to process PI lawfully – but only if it can rely on one of the other 5 grounds provided for in this section. (Note that for electronic direct marketing specific rules around consent apply and therefore our consent discussion below does not necessarily apply to electronic direct marketing.)

Section 11 provides the following:

“Consent, justification and objection.—(1) Personal information may only be processed if—

(a) the data subject or a competent person where the data subject is a child consents to the processing;

(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;

(c) processing complies with an obligation imposed by law on the responsible party;

(d) processing protects a legitimate interest of the data subject;

(e) processing is necessary for the proper performance of a public law duty by a public body; or

(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”

It would often be easy to obtain or infer consent. If I am asked for certain information, and I know exactly what the RP is going to do with my information, and I continue to provide the information requested, surely one can take a view that I have “given consent” for that processing.

The more difficult question to answer would be: when can the RP process my PI if I have NOT given consent? Let’s look at some examples of when POPI allows processing without consent:

  • If processing is necessary to fulfil a contractual agreement in which the DS is involved [This refers to a situation where the RP has to process my PI in order to perform in terms of a contract with me];
  • If processing is in accordance with the law [This refers to a situation where the law requires the RP to process my PI. It would be irrelevant whether I consented to it or not – the RP has an obligation in law to do certain things with my PI. Reporting my behaviour to authorities (where a law requires the RP to report certain behaviour) may be an example of this.];
  • If processing is necessary to protect the legitimate interests of either the RP or a third party [What does “legitimate interest” mean? POPI does not define it, and reliance on this exception will need to be considered very carefully. In our view, an example could be the following: I enter into a credit agreement with company X for a credit facility to purchase clothing on credit. I do not honour my agreement and I am in arrears. Company X did not ask for my consent for them to trace me and collect on the debt that I owe them. Even though they did not obtain my consent, company X can argue that they can (lawfully) trace me and collect the debt from me, because it is in their “legitimate interest” to collect on debt that I owe to them.]

In the event of a data subject challenging the RP on whether there was consent or not, the RP will bear the burden of proving that consent was given. This could be very relevant – particularly for marketers.

So once the DS has given consent, can that consent be revoked? Yes, POPI provides for a mechanism in terms whereof a data subject can “object” to processing in certain circumstances. This means that even though (for example) a direct marketing consent was obtained when the DS entered into an agreement with the RP, that DS may at any time request that the marketing stop – basically “objecting” to the processing for the purpose of marketing.

Collection of PI directly from the DS

This requirement provides for a general rule in terms whereof organisations should collect the PI relating to a particular DS directly from that DS. As with many other provisions, some exceptions apply: even though PI was not collected directly from the DS as per the general rule, but rather from a third party, the RP would still be seen to have collected the PI in a lawful manner. Let’s look at some examples where collection from another source would be lawful:

  • where PI was made deliberately public by the data subject [This could mean that if I make my PI publicly available to anyone on Facebook, without using any security and privacy settings, I should not have the expectation that no one will collect my PI from Facebook. (Note that processing of that PI must still comply with POPI, but RPs could collect from this source – rather than from me directly.)];
  • there has been consent to collection from another party [Where I, for example, consent that company X may share my information with company Y for marketing purposes, company Y can “lawfully” collect my PI from company X (and not from me directly), because I consented to it];
  • where collection from other sources is necessary to protect the legitimate interests of the organisation [Again, one can look at the collections environment: If I owe money to a credit provider that is entitled to collect on the debt, and I have moved address, surely the credit provider can justify that it must collect my updated details from, for example, a tracing agency – in this case the credit provider should be able to justify that it was necessary to collect my updated details from a third party in order to protect its legitimate interests.].

Conclusion

Do the right thing. Act in a reasonable manner and collect and process PI in a manner that could be “defended”. POPI is not stopping organisations from collecting and processing PI. But POPI is requiring of all to do the reasonable thing. If you can obtain consent, it is advisable to do so. If not, think about what you are doing and make sure you can justify your actions. Business needs to continue as usual – but within the prescribed rules.

POPI Series: Condition 1 – Accountability

Introduction

In our February Newsletter we indicated that we have identified the need to provide our clients with a more detailed discussion on the requirements and Conditions of Lawful Processing as provided for in the Protection of Personal Information Act 4 of 2013 (POPI). Last month we introduced you to our POPI series.

This article is the second of the series and the first article to start specific discussions around the 8 Conditions for Lawful Processing in accordance with POPI requirements.

Accountability

Condition 1 relates to “accountability” of the organization.

In terms of section 8 of POPI:

Accountability

“Responsible party to ensure conditions for lawful processing.—The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.”

In our view, Accountability is essentially the point of departure in that it provides for a general requirement to take the necessary steps to ensure that all other POPI conditions and requirements are met.

What does “accountability” mean?

“Accountability” is not defined in the Act. Some dictionary definitions include:

  • “The fact or condition of being accountable or responsible”
  • “To give an account or be answerable”
  • “The obligation of an individual or organization to account for its activities, accept responsibility for them, and to disclose the results in a transparent manner.”
  • “Taking or being assigned responsibility for something that you have done or something you are supposed to do.”

From the above it is clear that accountability relates to accepting responsibility by taking ownership, to ensure that the organisation processes personal information in the manner intended by the Act.

Who is accountable in this regard?

In terms of POPI, this responsibility has been put squarely on the shoulders of the person (natural or juristic) whom the Act refers to as the “Responsible Party”. The Act defines “Responsible Party” as follows: “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.

What does it mean practically?

Condition 1 requires the Responsible Party to ensure that all conditions are complied with from the time the PI is collected up to and including the time of destruction.

How will the RP achieve this?

We believe that although an Information Officer will be appointed for the organisation, it would be best to implement a strategy in terms whereof each department within the business takes responsibility for POPI compliance by that division – being accountable as a business unit.

We furthermore believe that organisations will need to implement measures to keep individuals accountable – meaning that there should be consequences for “not doing what you are supposed to be doing”. For example, if a policy exists (consider something like a clean desk policy for example), the business division will need to take responsibility to ensure (and monitor) that the division actually implements the policy.

Ongoing training will of course also assist with this challenging task to become and remain an organisation that processes personal information in accordance with the POPI principles.


Conclusion

Essentially, appointed individuals within an organisation will be required to take initiative to implement POPI requirements, and ensure that business units comply with requirements through implementing business processes and policies to assist with POPI compliance. As the “person” (responsible party) who makes the decisions around the use of and means for processing personal information, you need to accept accountability to ensure that your organisation processes personal information in a responsible manner and in compliance with the Act.

POPI Series: Introduction

  1. INTRODUCTION

In previous newsletters we have touched on some general considerations relating to the Protection of Personal Information Act 4 of 2013 (POPI). We have however identified the need to discuss the POPI requirements in more detail. All clients, whether they be start-ups, medium-sized or big corporates and listed companies, will need to comply with POPI. This article is therefore the first in a series of POPI articles that will assist you with your POPI compliance project (or, if you have not started a project, to get you thinking about what lies ahead).

In this article we will include information on how POPI differentiates between different “types” of personal information (PI), who the different “role players” are and what responsibilities each will have.

  2. DIFFERENT TYPES OF PERSONAL INFORMATION

POPI requires that all businesses that “process” “personal information” must comply with the requirements prescribed in the Act. What is meant by the two terms “processing” and “personal information”? In terms of the Act, “processing” refers to any use of information by an organisation. This could, for example, include any sharing of a record, storing it, destroying it, etc. In essence, whatever form of use of the record is likely to fall within the umbrella of the term “processing” in terms of the Act.

Another important definition is of course that of “personal information”. This term refers to any information pertaining to any identifiable person or business, and includes a long list of items that should be considered. You can read the definition yourself, but a few interesting and challenging terms have been included. By way of example: views or opinions expressed by someone about a person could form part of the personal information record of that person.

The Act differentiates between the following types of PI:

  • “normal or ordinary personal information”, for example:
      ◦ Identity Document number or registration number (if it’s a business),
      ◦ cell or telephone number,
      ◦ email address,
      ◦ physical address.
  • “special personal information”, for example:
      ◦ religious or philosophical beliefs,
      ◦ race or ethnic origin,
      ◦ trade union membership,
      ◦ political persuasion,
      ◦ health or sex life,
      ◦ criminal behaviour, or
      ◦ biometric information.
  • “children’s personal information”:
      ◦ This refers to any information relating to any natural person under the age of 18 years.

What is the reason for the distinction and why is it important to know whether you process “normal”, “special” or “children’s” PI? It is indeed very important to identify the type of PI that you process, because different requirements may apply. With special and children’s PI, specific limitations have been imposed that would not necessarily apply to other PI.

  3. THE DIFFERENT ROLE PLAYERS

POPI talks about a “data subject”, a “responsible party” and an “operator”. These are terms that we don’t often use. So who are they?

The data subject is the one whose PI is being processed. So this could be a candidate or employee; a customer or prospect; a vendor or applying vendor; or any other person whose PI is being processed by your organisation. Legal entities’ PI is also included within the ambit of POPI, meaning that if you process information relating to an identifiable legal entity, that legal entity would also be a data subject.

The responsible party is the one who decides what to do with the information. We often find that clients refer to responsible parties as the ones who “own” the information. On the other hand, an operator is someone who processes the PI on behalf of the responsible party.

Practical examples would include the following:

  • An employer recruiting employees: The employer who receives CVs of candidates would be the responsible party (the candidate is obviously the data subject). If the employer makes use of a third party’s software during this process and the third-party service provider (or its system) processes the information on behalf of the responsible party, that service provider will be the operator. The operator cannot take those CVs and do with them whatever it wants to. It may merely process them on behalf of the employer.
  • A retailer sending marketing material to its customers: The retailer will be the responsible party (deciding to process its customers’ details for marketing purposes) and the customer will be the data subject. If the retailer, as part of this process, makes use of a third party to send the actual SMS messages or emails to the customers on behalf of the retailer, the third party would be the operator. The third party cannot take the customers’ details and use them for any other purposes.

Conclusion

The POPI terminology will not always be easy to understand. We can assist you with the interpretation of the difficult terms and requirements. In previous articles we have referred to the “8 Conditions for lawful processing”. Our next article in this POPI series will include a discussion on the first of the eight Conditions, namely Accountability. Look out for this in our March Newsletter.

Protection Of Personal Information Act: Effective Date

The Protection of Personal Information Act has been a long time coming. And since its promulgation in 2013, various organisations have embarked on projects to bring their operations – and the way in which they handle personal information – in line with POPI’s requirements and conditions.

Once this seemingly daunting task has been started, we have seen that many organisations realise that POPI is not that “unfair” to responsible parties (organisations or persons who collect, process (read “use”) and store personal information) after all – it actually comes down to good business practices that can have a very positive overall effect on the controls and processes of the company.

Tackling a compliance project such as POPI can however take a significant amount of time, require dedicated resources and also require the necessary guidance to fully understand the POPI impact on the organisation – especially with regard to obligations that can pose large risks if neglected. In newsletters to follow, we will unpack these in more detail. So watch this space for the first information sheet of our “POPI series” next month.

There have been some rumours in different industries that POPI’s effective date is imminent, which have caused an anxious state for many organisations that suddenly realised that their current non-compliance needs to be addressed. Although we believe that it is unlikely that the commencement date will be published in the near future (please note that we have been wrong before, and this is merely our view, based on all the steps that we believe should probably take place first – to ensure effective enforcement), we seriously advise organisations who have not started their projects to commence without any further delay. Companies who started their projects but somehow lost a bit of steam (granted, it is rather difficult to keep the momentum going without a fixed date) should pick up on it again and finish the good work that they started!

Remember that there is NO quick fix for POPI compliance. Any project will also require training to really be successful. Depending on the size of your organisation, it may take years to complete a successful project.

Currently the only POPI sections already in force are those relating to the administrative side and that allow for the Information Regulator to be set up. The Information Regulator will comprise 4 members and 1 chairperson. After the Information Regulator has been appointed, it will first need to create its administration and staff, in order to give effect to and enforce POPI rights.

Lastly, the Regulations will also need to be created.

To conclude – there is no real indication as to when the commencement date will be published. Organisations will have a one year period from the commencement date to become compliant. If you have not started your project, we suggest that you start without any further delay.

POPI in a Nutshell

Introduction

The new Protection of Personal Information Act (POPI) was signed into law in November 2013. POPI is legislation similar to the UK’s Data Protection Act and aims to give effect to the constitutional right to privacy as enshrined in section 14 of our Constitution. POPI therefore prescribes some “rules” in terms whereof businesses will need to process all personal information (that qualifies as “personal information” in terms of POPI) in future.

POPI is not a bad thing. If you read about POPI on the internet, the picture may seem a bit gloomy. There is unfortunately also a lot of wrong information available on POPI on the internet. We therefore urge you to speak to someone with the relevant knowledge to assist you with interpreting the way in which POPI will apply to your particular business.

Implementation

It is important to understand that while POPI has been “signed into law”, therefore meaning that it is an Act (and no longer a Bill that may still change), the majority of provisions are not yet in force. This means that the majority of provisions cannot yet be enforced.

A commencement date will be published in the Government Gazette and after a one-year period from the commencement date, all businesses will need to comply with the POPI requirements (unless the one-year period is extended). In effect this means that there will be a “one year compliance period” for businesses to get their ducks in a row. Don’t be fooled by this… There is no quick fix for POPI and businesses should consider this as a “longer term” project. Therefore, the time is most definitely right to start your compliance project (if you have not done so).

POPI conditions

POPI is principles based. This means that POPI does not necessarily bed down hard and fast rules in all circumstances. No, POPI rather prescribes certain principles (similar to “good business practices” but with the intention to compel businesses to implement these practices) that all businesses will need to adhere to.

In further articles we will discuss the different conditions in more detail, but by way of summary you can consider the following:

  • In terms of POPI you need to identify the reason why you want to use the personal information and then only use it for those specific reasons. POPI refers to this as the “purpose of use”. The reason for this rule is that a person should be able to know for what reason you will use his or her information.
  • In certain circumstances you may only use (the Act talks about “process”) personal information if you have consent to do so. But note that you will still be able to use information in some instances even if you do not have consent.
  • You need to implement measures to ensure that you do not lose personal information or share it with other businesses not entitled to have it.
  • People have the right to ask you what information about them you hold.
  • When you market products or services to people, they always have the right to opt out. In some instances you will not even be able to market to people at all without their consent.
  • POPI has implications for transborder flow of information (this will be important if you store information cross border or make use of cloud service providers for example).
  • POPI very specifically requires certain measures from you when you use service providers that will process personal information on your behalf.
  • POPI requires you to deal with children’s information and “special information” (as defined in POPI) in a very specific manner.

Conclusion

POPI should not be a threat to your business. You can rather embrace this and use it as a differentiating factor, considering that your competitors may not yet be compliant.

Yes, penalties of up to R 10 000 000 could be imposed, but our view remains that reputational risk is a real factor that should also be considered. If you have not started your compliance project, the time is now. You can contact Jana van Zyl at jana@dommisseattorneys.co.za for more information.

POPI: Is “consent” the beginning and the end?

True or false: if you do not have the person’s consent, you cannot use his personal information? From a lot of articles available on the internet, it would seem that the answer to this question must be ‘true’. But is this really the case? Can it be true that unless, for example, I consent to you collecting on debt (money that I owe you and that you are entitled to collect from me in terms of the law) you may not process my personal information and you may not share it with debt collectors? Surely this cannot be the case.

The answer lies in section 11 of the Protection of Personal Information Bill (POPI), which is anticipated to soon come into effect. Section 11, “Consent, justification and objection”, forms part of the second condition for lawful processing, named “processing limitation”. The aim of this condition is, in general, to make the responsible party aware of the fact that there are some limitations on the processing of personal information, and gone are the days where a responsible party could process personal information as and how it pleased.

A lot of people make the mistake of only reading section 11(1)(a) which states that: “Personal information may only be processed if— (a) the data subject or a competent person (where the data subject is a child) consents to the processing”. These people then take the view that if there is no consent, the processing will not be allowed. However, section 11 also makes provision for other justification grounds – meaning that even though there is no consent, the responsible party can “justify” why he is processing the personal information through other means.

The other justification grounds include the following:
1. If the processing is necessary for concluding a contract to which the data subject is a party or it is necessary to perform under such contract;
2. If the processing complies with an obligation imposed by law on the responsible party (an example might be processing for purposes of complying with legislation such as RICA or FICA);
3. If the processing protects a legitimate interest of the data subject;
4. If the processing is necessary for the proper performance of a public law duty by a public body;
5. If the processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

From this it is clear that even if you do not have the data subject’s consent to process personal information in a particular situation, the law may still allow you to process it if you are able to rely on one of the grounds listed above.

It is important to understand however that different rules will apply to electronic direct marketing. This is dealt with in a separate section of the Bill – section 69. We will provide more information on this in a separate post in due course.