By Christopher Tucker, Partner and Charlotte Clarke, Candidate Attorney, 26 January 2017
This article examines the rules and requirements of the Protection of Personal Information Act 4 of 2013 (PoPI) and the obligations it places on anyone collecting or holding personal information on behalf of a natural or juristic.
The nature of many businesses mean that they can typically end up processing large amounts of clients’, customers’ and employees’ personal information. This personal information can include anything from name, age and gender to identity numbers and bank account details. Any business with access to any of this information has a legislated duty to protect the subject of this personal information in any way necessary.
The Effect of Digital Processing
Due to the large amount of personal information which will often be provided to a business, certain forms of data processing have come into play. It is no longer practical for this information to be kept in physical form, such as on paper, due to the volumes of information involved, not to mention the pressure to reduce our negative environmental effect.
Digital processing or digital database tools are useful when a large amount of personal information must be processed efficiently. The possible risks in the use of these programs need to be addressed and guarded against.
PoPI prescribes certain “Conditions for Lawful Processing of Personal Information.” One of these conditions is “Accountability.” This condition prescribes that the responsible party (being the party receiving the information) must ensure the protection and confidentiality of personal information. The responsible party must comply with all of the measures put in place
by PoPI to appropriately safeguard confidential personal information against loss, destruction or unlawful access.
Responsible parties must do everything reasonably possible to protect against privacy infringements caused by unlawful activities such as fraud, cyber-crime, phishing and malware. If an infringement does happen as a result of unlawful activities, the responsible person has an obligation to inform the affected person of the possibility of a privacy infringement.
Another condition is that personal information must be processed lawfully and in a reasonable manner. “Reasonable manner” suggests that information should be processed in a manner which does not infringe the privacy of the data subject (being the client or consumer providing the information). Factors which would be considered in determining whether information is processed in a reasonable manner would be the purpose for which information is collected or processed and whether or not the consent of the data subject has been obtained. The condition of reasonableness is likely to be relaxed significantly where the data subject consents to the collection and processing of any personal information.
This condition should also be read with the condition that collection of data must be for a specific purpose and for a specified time, and that the data subject must be aware of the purpose for which their personal information is collected and processed.
As well as obtaining the informed consent of the data subject, it is also necessary in terms of PoPI for the responsible party to be open and transparent with the data subject about what their information may be used for and who their personal details may be provided to. It is also a condition that the data subject may request at any time that any parties disclose to them what personal information they hold and what that information may be used for. This ensures that business, employees and third parties are always held accountable for the correctness of information held by them.
While PoPI prescribes that the responsible party must do everything necessary to protect a data subject’s personal information, it becomes difficult to do this where the disclosure of this information is necessary to provide a service to a consumer or client.
The conditions prescribed in PoPI place emphasis on having a data subject’s consent before collection, processing or passing on any personal information. This consent should be well informed, voluntary and unambiguous. The data subject can revoke consent at any time.
The client should know exactly what personal information is collected from them, what the purpose of the collected information is and who may have access to their personal information. Clients should also be informed of what security measures are in place to protect their personal information.
Data subjects should not be pressured to give consent to their personal information being processed and/or passed on to a third party and should never suffer because they have refused consent.
A comprehensive disclaimer may be the most effective way to protect the responsible parties, as well as a way to inform the data subject what personal information may be processed, the purpose for which their information may be used and to whom their personal information may be disclosed. A responsible party should still inform a data subject if any of their personal information is to be passed on to a third party.
This disclaimer cannot limit or extinguish the liability of a responsible party to adequately protect the personal information of a data subject. It is important to obtain the consent of the data subject before collecting and processing their personal information or passing it on to a third party.
While the consent of the data subject can be obtained to allow for the use and processing of their personal information, the party responsible for the collection, processing and protection of personal information should always be aware of their duty to protect the data subject’s privacy, not only in terms of PoPI, but in terms of the Constitution of the Republic of South Africa, Act 108 of 1996, as amended, and the right to privacy which is protected within.
Responsible parties should be mindful of their duty in terms of the Companies Act 71 of 2008 to perform functions assigned to them in good faith and in the best interests of the company and their consumers. Responsible persons are bound to act with a specific degree of care, skill and diligence. This is especially true when handling and processing confidential personal information.