In the previous two articles in our POPI series, we considered Conditions 1 and 2, which relate to Accountability and Lawful Processing, in more detail. This month we tackle Condition 3 – Purpose Specification.
The purpose of collecting or processing personal information is, in one way or another, the crux of a number of the POPI requirements set out in the different conditions for lawful processing. This condition comprises two elements, namely collection for a specific purpose, and retention and restriction of records. The two elements provide us, firstly, with the parameters within which organisations may collect and process personal information, and secondly, with the time period for which an organisation may lawfully retain personal information records.
Collection for a specific purpose
In terms of section 13:
“Collection for specific purpose.—
(1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
(2) Steps must be taken in accordance with section 18 (1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18 (4) are applicable.”
Section 13 (1) is self-explanatory and straightforward: the responsible party must collect personal information for a specific purpose. This means that, going forward, responsible parties will need to define the different reasons for which personal information will be processed and make sure that these reasons tie in with the responsible party’s general business activities. The current practice in many organisations is to collect as many information fields as the data subject is willing to complete. POPI requires organisations to take a step back, consider why the information is being collected (and processed), and then process only the relevant information fields, as required for the particular business operation.
This principle also applies when the responsible party shares information with third parties. If, for example, your business makes use of a third party to send out your bulk marketing messages, you should share with the third party only the information that they need to send out the messages on your behalf. Do not share all the information fields relating to the data subjects if the third party only needs cell phone numbers or email addresses.
Once the organisation has determined the various purposes for which it may want to use the personal information, a further step is required from a POPI point of view. The responsible party has a duty to bring these defined purposes for processing to the attention of the data subject. The intention is that if I provide my information to your company, I should know for which purposes you are going to use my information. (And if you plan to use it for purposes that I don’t like, and you don’t have a right in law to process it for those reasons, I may object to the processing for that purpose!)
Section 18 provides that reasonably practicable steps must be taken to make the data subject aware of the specific collection and processing of the personal information. This boils down to the question of what would constitute reasonably practicable steps. The section 18 notification requirements will be discussed in more detail in a future article, but for now it is important to note that there could be an obligation to disclose the purposes of use. (Section 18 does allow for some exceptions; again, these will be discussed in a future article.)
Retention and restriction of records
In terms of section 14:
“Retention and restriction of records.—
(1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—
(a) retention of the record is required or authorised by law;
(b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
(c) retention of the record is required by a contract between the parties thereto; or
(d) the data subject or a competent person where the data subject is a child has consented to the retention of the record.
(2) Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.”
In practice, this element relates mostly to the role that management has in ensuring that there are policies and/or procedures in place to categorise the personal information (PI) collected or processed, and to define the retention periods that apply to the different categories of personal information.
The default position in this regard is that the responsible party (RP) may only keep PI for the period necessary to achieve the objective for which it was collected, unless one of the exceptions applies: for example, if the data subject consents otherwise, or another law requires the information to be retained for a specified period.
In practice, organisations should identify the different purposes for which information is collected and processed, and then develop retention policies in accordance with the reasons for which the information was collected. Bear in mind that where another piece of legislation, such as the National Credit Act, FICA, the Companies Act, or tax or labour legislation, specifies a minimum period, the specified period will need to be applied in the retention policy.
In our view, it would in most cases be difficult to justify retention for an indefinite period. Even if marketing is the purpose for which the information is being retained, it would be hard to justify why information that was, for example, collected 10 years ago and not processed in the meantime could still be retained “for marketing purposes”.
Identify the reasons (purposes) for which you are processing personal information. (Also bear in mind that you will probably have to notify data subjects of these reasons.)
When considering your reason for processing, think about the information that you actually need for that particular purpose, and don’t ask for or use more information than is needed.
Only keep information for as long as necessary for the purpose. But bear in mind that other legislation may prescribe minimum retention periods that you will still need to adhere to and that you need to build into your retention policies.