In previous newsletters we have touched on some general considerations relating to the Protection of Personal Information Act 4 of 2013 (POPI). We have, however, identified the need to discuss the POPI requirements in more detail. All clients, whether they are start-ups, medium-sized businesses, or big corporates and listed companies, will need to comply with POPI. This article is therefore the first in a series of POPI articles that will assist you with your POPI compliance project (or, if you have not started a project, get you thinking about what lies ahead).
In this article we will include information on how POPI differentiates between different “types” of personal information (PI), who the different “role players” are and what responsibilities each will have.
- DIFFERENT TYPES OF PERSONAL INFORMATION
POPI requires that all businesses that “process” “personal information” must comply with the requirements prescribed in the Act. What is meant by the two terms “processing” and “personal information”? In terms of the Act, “processing” refers to any use of information by an organisation. This could, for example, include sharing a record, storing it, destroying it, etc. In essence, whatever form the use of the record takes, it is likely to fall within the umbrella of the term “processing” in terms of the Act.
Another important definition is of course that of “personal information”. This term refers to any information pertaining to any identifiable person or business, and includes a long list of items that should be considered. You can read the definition yourself, but a few interesting and challenging terms have been included. By way of example: views or opinions expressed by someone about a person could form part of the personal information record of that person.
The Act differentiates between the following types of PI:
- “normal or ordinary personal information”, for example:
  - identity document number, or registration number (if it is a business),
  - cell or telephone number,
  - email address,
  - physical address.
- “special personal information”, for example:
  - religious or philosophical beliefs,
  - race or ethnic origin,
  - trade union membership,
  - political persuasion,
  - health or sex life,
  - criminal behaviour, or
  - biometric information.
- “children’s personal information”:
  - any information relating to any natural person under the age of 18 years.
What is the reason for the distinction and why is it important to know whether you process “normal”, “special” or “children’s” PI? It is indeed very important to identify the type of PI that you process, because different requirements may apply. With special and children’s PI, specific limitations have been imposed that would not necessarily apply to other PI.
- THE DIFFERENT ROLE PLAYERS
POPI talks about a “data subject”, a “responsible party” and an “operator”. These are terms that we don’t often use. So who are they?
The data subject is the one whose PI is being processed. So this could be a candidate or employee; a customer or prospect; a vendor or applying vendor; or any other person whose PI is being processed by your organisation. Legal entities’ PI is also included within the ambit of POPI, meaning that if you process information relating to an identifiable legal entity, that legal entity would also be a data subject.
The responsible party is the one who decides what to do with the information. We often find that clients refer to responsible parties as the ones who “own” the information. On the other hand, an operator is someone who processes the PI on behalf of the responsible party.
Practical examples would include the following:
- An employer recruiting employees: The employer who receives CVs of candidates would be the responsible party (the candidate is obviously the data subject). If the employer makes use of a third party’s software during this process and the third party service provider (or its system) processes the information on behalf of the responsible party, that service provider will be the operator. The operator cannot take those CVs and do with them whatever it wants to. It may merely process them on behalf of the employer.
- A retailer sending marketing material to its customers: The retailer will be the responsible party (deciding to process its customers’ details for marketing purposes) and the customer will be the data subject. If the retailer, as part of this process, makes use of a third party to send the actual SMS messages or emails to the customers on behalf of the retailer, the third party would be the operator. The third party cannot take the customers’ details and use them for any other purpose.
The POPI terminology will not always be easy to understand. We can assist you with the interpretation of the difficult terms and requirements. In previous articles we have referred to the “8 Conditions for lawful processing”. Our next article in this POPI series will include a discussion on the first of the eight Conditions, namely Accountability. Look out for this in our March Newsletter.