Moving right along in connecting the dots between Conditions 1 and 8 of the Protection of Personal Information Act 4 of 2013 (“POPI”). In our previous POPI Series articles, we discussed POPI Conditions 1, 2 and 3 in more detail, which relate to Accountability, Lawful Processing and Purpose Specification respectively. This month, we are going to discuss Condition 4 – which relates to Further Processing Limitations.
In previous articles we have emphasized the importance of knowing the reason – the purpose – for which a responsible party is collecting and using personal information (“PI”). It is vitally important for a responsible party to define the purpose for processing initially when the of POPI, “further processing” of the PI must “link in” with that initial reason (purpose) why the PI was collected.
POPI allows responsible parties to “further process” PI provided that the further processing is within the parameters of the POPI provisions. The general rule is that the further processing must be in accordance with or compatible with the purpose for which it was collected the first time (section 15(1)). POPI does not provide a defined list of what will constitute “compatibility”.
In practical terms this means that you cannot collect personal information for a specifically defined purpose, and then use it for a purpose that is not linked to the original purpose at all. By way of example: As lawyers, we collect information about our clients. If we collect information for purposes of a specific brief, we could possibly argue that if the client returns after a period of time with another brief, the information collected the first time could be used under the “further processing” provisions of POPI, because the two reasons for processing are closely linked (both being for purposes of assisting with a legal brief, although the two briefs have nothing to do with one another).
If, however, we collect the information for the first brief from the client (client 1) and we know that another client (client 2) would be very interested to meet with client 1 or use client 1’s information for its own purposes, and we pass on client 1’s information to client 2, this processing action would not be linked to the original purpose for which client 1 provided his information, and we would fall foul of the further processing provisions of POPI.
So how do we determine whether the further processing is compatible with the original purpose or not?
POPI does not provide a defined list of what will constitute “compatibility”. It rather answers the question in the negative, to indicate when the processing would “not be incompatible”. The test for compatibility is set out in section 15(3) of POPI. I add my comments to the lawyer example above in square brackets to explain the concept:
Section 15 Further processing to be compatible with purpose of collection —
(1) Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of section 13.
(2) To assess whether further processing is compatible with the purpose of collection, the responsible party must take account of—
(a) the relationship between the purpose of the intended further processing and the purpose for which the information has been collected; [Initial purpose was to assist the client with the legal brief. The secondary purpose is to share his information with an unknown (to him) third party for the third party’s purposes.]
(b) the nature of the information concerned; [Possibly not that relevant, but could be very personal in nature.]
(c) the consequences of the intended further processing for the data subject; [Depending on what the third party wants to do with it, consequences may not sit well with client 1.]
(d) the manner in which the information has been collected; [Would have been with (implied at least) consent to use it for purposes of assisting with the legal brief and the relationship between the attorney and client in general.] and
(e) any contractual rights and obligations between the parties. [Contract would have covered the instruction to the lawyer to assist with the legal brief.]
(3) The further processing of personal information is not incompatible with the purpose of collection if—
(a) the data subject or a competent person where the data subject is a child has consented to the further processing of the information; [No consent from the client to pass on the information.]
(b) the information is available in or derived from a public record or has deliberately been made public by the data subject; [Not applicable.]
(c) further processing is necessary—
(i) to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences; [Not applicable.]
(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997); [Not applicable.]
(iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; [Not applicable.] or
(iv) in the interests of national security; [Not applicable.]
(d) the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to—
(i) public health or public safety; or
(ii) the life or health of the data subject or another individual; [Not applicable.]
(e) the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; [Not applicable.] or
(f) the further processing of the information is in accordance with an exemption granted under section 37. [Not applicable.]
CONCLUSION: As can be seen from the above example, the intended further processing to share the information with a third party (client 2) will not meet the requirements of section 15 and the further processing will not be allowed in terms of POPI.
Each time that a responsible party intends to “further process” personal information, the responsible party should therefore assess whether the further processing is “compatible” with the original purpose for which it was collected by using the factors listed in section 15.
Below follows a more detailed discussion of the factors listed in section 15(3) – where the responsible party can argue that the further processing will not be incompatible with the original purpose for processing:
If the data subject consents to the further processing, the responsible party can further process it. Applying it to our lawyer case study: if the lawyer phones the client and obtains his consent to pass on the client’s information to the third party (client 2), there would be no problem.
Further processing is allowed if the information is available in or derived from a public record OR has deliberately been made public by the data subject (on Facebook, for example).
Section 1 defines a “public record” as a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body.
Maintenance of the law
If the further processing is necessary for purposes of maintenance of the law, to comply with legislation, for the conduct of court proceedings, or if it is in the interests of national security, it will be allowed. If, for example, the client in our case study wanted to settle the lawyer’s bill of R 100 000 in cash, the lawyers have a duty in law to report this to the relevant authorities, and that further processing action to report it (without consent from the client) would indeed be allowed.
Health or safety threat
If the further processing is necessary to prevent or mitigate a threat to public health or safety or the life/health of the data subject or another individual, further processing is allowed. If, for example, the client in the case study needed urgent medical treatment in a situation where his life was in danger, the lawyers would be able to argue that sharing the personal information with medical staff (if this could ever be relevant) would be justified under this exception.
Historical, Statistical and Research purposes
Further processing is allowed for these purposes, provided that the information is not in identifiable form.
The further processing will be allowed if it is in accordance with an exemption that was granted by the Information Regulator (once established). This could be where the further processing is necessary for public interest purposes and an exemption was granted.
From a compliance perspective, the data subject must know the purposes for which a responsible party will be collecting and using the PI. If the business did not obtain explicit consent from the data subject at the time of collection for the specific future processing activity it wishes to use the PI for, the business must assess the “compatibility” of the further processing as outlined above. Responsible parties will have to consider the steps above and determine on a case-by-case basis (based on the facts) whether further processing will be compatible or not.