As more fully set out in our January 2014 website article, the Protection of Personal Information Act or “POPI” (hereafter referred to as either “POPI” or the “Act”) regulates the manner in which personal information is collected, kept, treated and stored. These actions are collectively described as processing personal information. Thus, in order for businesses to comply with the provisions of the Act, personal information must be processed in terms thereof.
Businesses are in essence (and simply put) about people (including employees, stakeholders and owners), processes and systems. As such it is unarguably clear that all business (with only a few exceptions) will be impacted by this Act.
It is therefore of the utmost importance that businesses gain a clear understanding of the considerations involved before the effective date of the Act in November 2014.
The lawful processing of personal information
On the basis that the term personal information (“information”) is defined widely in the Act and as such includes a person’s name (including a juristic person such as a company), contact details, religion, sexual orientation, personal views, private correspondence, health records, employment records, financial records, it is fundamentally important that a clear understanding of processing the information is reached.
Moreover, the ‘processing’’ of information is defined in section 1 of the Act as:
“any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) The collection, receipt, recording, organisation, collation, storage, updating or
modification, retrieval, alteration, consultation or use;
(b) Dissemination by means of transmission, distribution or making available in
any other form; or
(c) Merging, linking, as well as blocking, degradation, erasure or destruction of
Information.”
Lawful processing - the limitations on processing information
In terms of chapter 3 – specifically principle 2 (“processing limitation“) thereof POPI sets certain limitations on processing information:
Broadly speaking, this centres on the balancing of the rights of privacy and lawful processing of information in terms of POPI.
The Act states inter alia that processing has to be done with the person’s consent, in a lawful and reasonable manner which does not infringe on the right to privacy. The right to privacy is a fundamental human right and is even protected by the Constitution in chapter 2 (bill of rights).
Moreover, the right to privacy from a consumer’s perspective has also been acknowledged and as such is protected by the provisions related to consent for direct marketing or communications (Consumer Protection Act 68 of 2008 inter alia sections 11 and 12). Now POPI also regulates these aspects in relation to the collection and processing of information in a wider context.
Importantly, information must be collected from the person directly save where it could be collected from another party in terms of law (section 11 elaborates on this). Moreover, according to section 10, it may only be processed where:
1. The consent of the person has been obtained,
2. Processing is necessary,
3. Processing complies or is otherwise required by law,
4. Processing protects a legitimate interest of the person,
5. Processing is necessary in compliance of a public law duty, or
6. Processing is necessary for pursuing the legitimate interests of the person to whom it is supplied / third party.
Moreover, personal information so collected / processed must be compatible with the purpose of its collection. The responsible party has to therefore be aware of numerous aspects including the nature of the information, the manner in which the information was collected and its purpose.
Conclusion
From this it is clear that affected businesses should establish what information is truly required for collection and processing in their businesses. To then advise customers, stakeholders and employees why this is required and to ensure that proper standards protecting privacy are in place. Accordingly implementing preventative strategy and best practice is key.
Written by Nicolene Schoeman-Louw, Schoeman Tshaka Attorneys (Cape Town)
EMAIL THIS ARTICLE SAVE THIS ARTICLE
To subscribe email subscriptions@creamermedia.co.za or click here
To advertise email advertising@creamermedia.co.za or click here