The importance and value of a privacy policy

The Protection of Personal Information Act 4 of 2013 (“POPIA”) has been enforceable since 1 July 2021, meaning that compliance with the act is now required. The focus of this post is the value of a privacy policy/notice and how it can help you comply with your POPIA obligations when processing personal information. One of the obligations that POPIA places on a responsible party processing personal information is to inform data subjects of their rights in respect of their personal information and of how and why the responsible party is processing it (section 18). A privacy policy (referred to in some jurisdictions as a privacy notice) is a tool widely used to comply with this notification obligation. In this blog, we discuss some of the aspects that are important to include in your privacy policy.

What personal information you are collecting. It is important to inform the data subject what personal information of theirs you are collecting and processing, and whether you are collecting that information directly from them or from another source. The definition of personal information has a very broad ambit, and in South Africa, personal information includes information about both individuals and juristic persons. Personal information includes, amongst others, name, identity or registration number, contact details, IP addresses and cookies, payment information, views and opinions, the personal information of children, and special personal information (such as medical information and fingerprints).

Why you are collecting and processing the personal information. The data subject must be informed of the purpose for which you are collecting the information – for example, identifying and contact information to create and manage an account for the data subject, a delivery address to deliver the goods that the data subject is ordering, consent records for the purpose of sending marketing communications, etc.

The responsible party also needs to inform the data subject whether the information being requested is provided voluntarily or whether providing it is mandatory, and what the consequences are of not providing the information.

Disclosure of personal information. Many responsible parties will need to disclose personal information of their customers to third parties for various purposes, and a privacy policy can be used to inform the data subject of the general reasons why their information might be shared. For example, an online retailer might make use of a third-party delivery service to deliver goods, and will need to share contact information and an address with the delivery service. Our view is that a privacy policy need not set out the specific third parties with whom information is shared and what information is shared with each party, but it should inform the data subject of the general reasons why information might need to be shared. The privacy policy should also inform data subjects when information is shared across borders (i.e. outside South Africa) and assure the data subject that the recipient of the information complies with the minimum POPIA requirements.

Data subject rights. The responsible party will also need to inform the data subject of his/her/its rights in respect of the personal information. These rights include the right to object to or restrict processing, the right to erasure of personal information, the right to request that information is corrected or updated, and the right to request access to the personal information held by the responsible party.

Complaints. Data subjects have the right to lodge a complaint about the processing of their personal information with the Information Regulator, and a privacy policy should set out the contact details of the Information Regulator. This section of the privacy policy can also be used to request that data subjects first approach you with any complaints they may have before approaching the Regulator.

Conclusion. Please get in touch with us if you have questions regarding your POPIA compliance in general, whether your privacy policy is POPIA compliant or whether you require a privacy policy, and whether you may also need to comply with the data protection laws of other jurisdictions (such as the GDPR).