Let’s recap: we have previously discussed Conditions 1-4 of the Protection of Personal Information Act 4 of 2013 (“POPI”), dealing with Accountability, Lawful Processing, Purpose Specification and Further Processing Limitations. In this month’s POPI series, we are going to discuss Condition 5, which deals with Information Quality.
2. INFORMATION QUALITY IN TERMS OF POPI
In terms of section 16:
“Quality of information—
(1) A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
(2) In taking the steps referred to in subsection (1), the responsible party must have regard to the purpose for which personal information is collected or further processed.”
In terms of this Condition 5, a responsible party is required to take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary. This requirement is applicable to personal information collected both manually and electronically. POPI does not provide further details on what reasonably practicable steps would mean and therefore each business will need to consider its operations and decide which steps and processes it would implement to reasonably keep personal information updated.
In terms of subsection (2), the purpose of collection and processing must be considered when deciding on the steps to be taken to update information. This is an example of how the POPI Conditions work together – purpose specification is an obligation in terms of Condition 3 but should also be considered for compliance with Condition 5. In essence the decision of the responsible party in relation to the quality of the personal information as well as the reasonably practicable steps to be taken is directly linked to the purpose for which the personal information was collected.
Data subjects should also be responsible and could be requested to advise responsible parties of a change in details where applicable. This could for example be regulated with the data subject (if it is a customer) in the customer contract or in general user terms and conditions.
Other examples of possible processes to update information include call centre interaction (each time you speak to the customer, ask whether details have changed) or providing online access to customer accounts (if your business allows for this), in terms whereof the customer can, by logging in, update its details.
In order for organisations to comply with the requirements of Condition 5, they would firstly need to identify the purpose for which they intend to use the information, and then implement reasonable processes to make sure that data subjects have access to processes in terms whereof current information can be updated where required.