Key POPIA takeaways
- The Act applies to all businesses and not only to e-commerce or online businesses.
- The Act applies to personal information obtained from both people and businesses.
- If your business makes use of a third party to process personal information on your behalf, the Act requires that an agreement be entered into between your business and the third party to ensure the confidentiality and integrity of the personal information.
- The Act requires the introduction of a Privacy Policy available to those whose personal information is being processed.
- The Act makes provision for an employer’s vicarious liability and introduces limited defences.
- The Act necessitates an internal Data Protection Policy / Standard Operating Procedure.
- The Act does not place a general ban on the processing of personal information but introduces limitations on how personal information should be processed.
- There is no absolute right to the protection of personal information and some exceptions apply.
Compliance snapshot
- Implementation of a Privacy Policy. This is an external document which explains to your customers what you do with their information.
- Implementation of a Data Protection Policy. This is an internal document which guides your organisation on how to implement the Act and ensure processes are in place to comply with the requirements of the Act.
- Introduction of a Data Processing Agreement. This is an external document regulating the relationship between your organisation and a third party you appointed to process personal information on your behalf.
- Updating Employment Agreements with a clause providing the consent required from your employees and an undertaking by your employees to comply with the Act.
Contact us for more information on our POPI Act services.
Introduction
The Protection of Personal Information Act 4 of 2013 (the Act) was assented to on 19 November 2013 and the important parts of the Act commenced on 1 July 2020. A business processing personal information must fully comply with the Act within 12 months – that is, by the 30th of June 2021.
The Act’s purpose is to give effect to the constitutional right to privacy by safeguarding personal information when it is processed by a responsible party. The Act introduces 8 conditions for the lawful processing of personal information, and these 8 conditions set out the minimum requirements that any processing of personal information must meet.
A common misconception regarding the application of the Act is that it only applies to businesses that operate e-commerce stores or other types of online-based business. The Act applies to every business that processes personal information, whether that information is received from sources outside the business (like customers) or inside the business (like employees), and whether it is received electronically (from your website) or manually (from a security guard requesting your sign-in details), among many other means.
Many articles and discussions refer to a few important keywords which need to be understood first, as the terminology used can leave many wondering whether the definitions actually cover their business and the information it processes.
For that reason, let’s firstly pause to consider the meaning of some of the keywords:
The Act applies to you if you are a “responsible party” “processing” “personal information” of a “data subject”.
- A responsible party is defined as a body (businesses and individuals) that determines the purpose of and the ways in which personal information is processed. A responsible party is thus a business that gathers, controls and applies information received from both internal and external sources.
- Processing is widely defined and includes any operation or activity (whether automated or non-automated) concerning personal information. The definition is expanded on by including words like the collection, receipt, recording, storage, updating, transmission, merging and destruction of information.
- Personal information is defined as information concerning both people (living) and businesses (existing). The definition is expanded on by including information relating to race, gender, marital status, financial and medical information, identifying numbers (like contact numbers), online identifiers (like IP addresses), correspondence from one person to another which is implicitly or explicitly of a private nature, and many more.
- Data subject is the person to whom the personal information relates. That is the person or business to whom the personal information belongs.
Below are some examples of the processing of personal information of a data subject by a responsible party:
- the collection of financial information of a company for purposes of granting a credit facility to purchase stock;
- the collection of a name, surname, contact details, address and contact number from a customer;
- the collection of a name, surname, contact details, address, contact number, employment history, qualifications, medical information of an employee;
- the scanning of a driver’s licence before entering an office park;
- video surveillance involving the recording and storage of that recording and the information gathered as a result of the recording.
The Act defines personal information and its processing widely, and in that way applies to almost all activities by businesses that involve the processing of personal information.
The Act requires that a “guide”, effectively a privacy policy, be made available to the public, in which certain information regarding the processing of personal information must be disclosed. The Act further requires that a written agreement be entered into between a business and any third party who processes personal information on its behalf, to ensure that the third party complies with the security safeguards provided for by the Act.
It is important to mention that the Act does not place a ban on the processing of personal information but introduces limitations on the processing thereof which protect a data subject’s rights.
There is also no absolute right to the protection of personal information and some exceptions to compliance with the statutory provisions have been provided for by the legislature.
The Act sets out 8 conditions for the processing of personal information. These conditions provide the minimum requirements for the processing of personal information.
They are:
- Accountability: This condition requires the responsible party to ensure that the conditions listed below are complied with when the purpose for which personal information is processed and the means by which it is processed are determined.
- Processing limitations: This condition generally limits the ambit of the processing of personal information by requiring the processing to be:
  - lawful and reasonable;
  - compliant with the concept of minimality;
  - compliant with the requirements of consent, justification and the lodging of objections;
  - based on personal information collected directly from the data subject.
- Purpose specification: This condition requires that personal information be collected for specified and legitimate purposes. It also requires that the collection of the personal information relate to a function or activity of the responsible party. The responsible party must take steps to ensure that the data subject is aware of the purpose for which the personal information is collected.
- Limitations on further processing: The personal information collected may not be further processed in a manner that is incompatible with the purposes for which it was initially collected. The Act however makes provision for a number of exceptions to the general rule requiring compatibility of further processing with the original purpose of collection.
- Information quality: The responsible party must take reasonable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
- Openness: This condition can also be referred to as transparency and consists of two requirements. Firstly, a responsible party must maintain documentation of all processing operations. Secondly, the data subject must be notified of any collection of their personal information. The Act provides detailed steps by which the responsible party can ensure that the data subject is aware of all aspects relating to the processing of their/its personal information.
- Security safeguards: A responsible party must ensure the confidentiality and integrity of personal information in its possession or under its control. The responsible party must take steps to prevent loss of, damage to, and unlawful access to or processing of personal information. The Act provides the measures by which the responsible party can ensure the confidentiality and integrity of personal information. It is important to note that this requirement extends to personal information processed by a third party on behalf of a responsible party. The Act requires that an agreement be concluded with the third party which must incorporate those measures relating to the integrity and confidentiality of personal information.
- Data subject participation: The Act provides a data subject with participatory rights regarding its personal information. These are, amongst others, the right of a data subject to request that a responsible party confirm, free of charge, whether it holds personal information about the data subject, and the right to request the record of the personal information held by the responsible party, including the identity of third parties who have had access to the personal information. The record must be provided within a reasonable time, at a prescribed fee.
The Act is comprehensive and its provisions require a thorough reconsideration of the manner in which you conduct business in so far as the processing of personal information is concerned.
The Act has brought into existence the Information Regulator, which is the body responsible for the enforcement of the Act. The Act identifies actions that are criminal or unlawful and makes provision for offences, penalties and administrative fines.
Employers are reminded of their vicarious liability in the event that an employee breaches the provisions of the Act: the Act specifically states that a data subject may institute a claim for damages irrespective of whether there was intent or negligence on the part of the responsible party.
By approaching the implementation of the Act in a methodical and considered manner, compliance does not have to be the burden that many assume it could be.
We can assist you with:
- The review or drafting of Privacy Policies. This is an external document which explains to your customers what you do with their information.
- The review or drafting of a Data Protection Policy. This is an internal document which guides your organisation on how to implement the Act and ensure processes are in place to comply with the requirements of the Act.
- The review or drafting of a Data Processing Agreement. This is an external document regulating the relationship between your organisation and a third party you appointed to process personal information on your behalf.
- Introducing a clause into your employees’ employment contracts to ensure compliance with the Act.
By Neil Jacobs
Partner – Commercial and Business Law