POPI series – condition 6 – openness

Introduction

We have now passed the halfway mark of our POPI Series, and the next topic in the series is that of “Openness” or “Notification”. In our view, Notification is one of the most challenging provisions of POPI. This condition will almost certainly require responsible parties to change current processes and possibly develop new processes to ensure compliance.

In this article, we focus on the practical implementation of this condition.

This condition is premised on two primary elements, namely:

  • Documentation; and
  • Notification to the Data Subject.

This condition must not be confused with the “prior notification” sections (sections 57 and 58), in terms of which a responsible party must notify the Information Regulator of certain processing actions before it may process the personal information. Those sections will be discussed in a separate article in future.

Relevant sections and practical implications

Let’s first look at the requirements of section 17:

“Documentation.—

A responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.”

In terms of this section, a responsible party must consider the provisions of sections 14 or 51 of the Promotion of Access to Information Act 2000 (“PAIA”). Note that for private bodies, section 51 will apply. In terms of section 51 of PAIA certain private bodies need to disclose specified information through a manual – generally referred to as a PAIA Manual. Note that POPI will be amending the PAIA to provide for additional information that must be included in a company’s PAIA manual.

It is not difficult to comply with section 17 and responsible parties must remember to amend their PAIA manuals to include the required information.

Now we turn to the provisions of section 18, which will be more challenging to comply with.

“Notification to data subject when collecting personal information.—

(1) If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—

(a) the information being collected and where the information is not collected from the data subject, the source from which it is collected;

(b) the name and address of the responsible party;

(c) the purpose for which the information is being collected;

(d) whether or not the supply of the information by that data subject is voluntary or mandatory;

(e) the consequences of failure to provide the information;

(f) any particular law authorising or requiring the collection of the information;

(g) the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;

(h) any further information such as the—

(i) recipient or category of recipients of the information;

(ii) nature or category of the information;

(iii) existence of the right of access to and the right to rectify the information collected;

(iv) the existence of the right to object to the processing of personal information as referred to in section 11 (3); and

(v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

(2) The steps referred to in subsection (1) must be taken—

(a) if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or

(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

(3) A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.

(4) It is not necessary for a responsible party to comply with subsection (1) if—

(a) the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;

(b) non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;

(c) non-compliance is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

(iii) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or

(iv) in the interests of national security;

(d) compliance would prejudice a lawful purpose of the collection;

(e) compliance is not reasonably practicable in the circumstances of the particular case; or

(f) the information will—

(i) not be used in a form in which the data subject may be identified; or

(ii) be used for historical, statistical or research purposes”

From the above it follows that, in terms of this condition, a responsible party has an obligation to notify a data subject of certain specified information each time information about the data subject is collected, from whichever source, unless the responsible party can rely on one of the exceptions to the general rule and can justify why notification is not necessary.

Why did the legislator include this section? Compliance with this section will clearly be very onerous on business and could also be a costly exercise.

We believe that some of the main reasons for including this section are the following:

  • Currently information flows between companies without data subjects ever realising what is happening with their information.
  • Data subjects provide their personal information to companies for specific reasons, but companies often take the information and do with it whatever they want to, including using it for purposes the data subject never intended.
  • Data subjects do not know which companies hold their personal information.

In terms of section 18, companies will therefore need to inform data subjects of the purposes for which they will use the data subject’s information. They also need to inform them of the types of companies with whom the personal information will be shared, including third party service providers who will have access to the information or receive it for processing on behalf of the responsible party.

When do you need to notify data subjects? According to POPI, if you collect the information directly from the data subject, notification must happen before you collect it; if you collect it from another source, notification must happen before you collect it or as soon as reasonably practicable after you have collected it.

How do you need to notify the data subject? POPI does not provide exact details on how this notification needs to take place. Once the Regulator has been set up, we may get a better idea of the expectations around ways to notify. Currently it seems that the most popular way would be to include the information in privacy policies. There is nothing wrong with this, but if the data subject does not know about the privacy policy and the notification information provided through it, the notification may have little effect. The proposed solution is to include a specific reference to the policy in your customer terms, application forms or other applicable documentation, and then to include the majority of the required information in the policy itself.

By far the biggest challenge will arise where information is not collected directly from the data subject. This happens on a daily basis, and a few examples include:

  • Collecting information about a relative / friend of your customer
  • Collecting information from the credit bureau
  • Collecting information from third party data suppliers
  • Collecting information from fraud databases
  • Collecting information from other companies within your group of companies
  • Collecting information from business partners

As you will have seen from subsection (4) quoted above, in some instances you do not need to comply with the notification requirements. We however urge businesses to consider the exceptions very carefully and not to rely flippantly on something like “it is not reasonably practicable” to notify without properly determining whether the exception really applies. Merely taking the view that it would be “very costly” to comply is unlikely to be “good enough” to justify non-compliance.

Conclusion

It’s evident that the POPI conditions and requirements are closely connected to one another. Notification, for example, links in with purpose specification. In terms of Condition 3, you need to specify the purposes for which you intend to use the personal information. In terms of Condition 6, you need to tell the data subject what the purposes are that you identified in terms of Condition 3.

Remember to update your PAIA manual to include the required information in terms of POPI.

Consider all situations in which you collect personal information and decide how you will notify in each. In some instances you may be able to rely on an exception and decide not to notify. Document those decisions and record your justification for them.

For any assistance with this challenging condition, please contact Jana van Zyl at jana@dommisseattorneys.co.za
