The deadline for full compliance with the Protection of Personal Information Act, 2013 (“POPI”) is around the corner, and it certainly has caused a recent spike in emails from concerned clients wondering if it is too late. Although ensuring compliance may seem like a daunting task, the good news is that it is not too late; the better news is that you may be further along than you think.
Over the next few weeks, we will be briefly unpacking POPI’s minimum requirements for the processing of personal information. These requirements are set out in Part A of Chapter 3 of POPI, and incorporate the following conditions:
1) Accountability of the Responsible Party
2) Processing Limitation
3) Purpose Specification
4) Further Processing Limitation
5) Information Quality
6) Openness
7) Security Safeguards
8) Data Subject Participation
This article addresses the first two conditions, namely, the accountability of the responsible party, and the limitations placed on processing.
Condition 1: Accountability of the responsible party:
In terms of POPI, the responsible party must take necessary measures to ensure, amongst other things, the security, integrity and safety of information processed, including by adopting appropriate, reasonable technical and organisational measures to prevent loss, damage, or unlawful access to data in its possession or under its control. An organisation that collects the names, identity numbers and financial information of its clients will, of course, be held to a higher standard of care than an organisation that only collects email addresses. Practically speaking, you need to make sure that the personal information you collect is safe and secure. If it is stored digitally, you must ensure that appropriate firewalls, antivirus software and anti-spyware packages are installed. If you are using a third-party server, ensure that you are using a trusted provider that has its own security measures in place. You need to make sure that you use complex passwords. If you hold personal information in hard copy form, it needs to be securely stored and not left lying around on a desk in an open-plan office. Invest in a paper shredder. Your employees need to be educated about their responsibilities under POPI.
Another feature of accountability is the requirement for every organisation to have an ‘information officer’. This individual is responsible for:
- encouraging compliance with the conditions for lawful processing of personal information;
- attending to any POPI-related requests or queries;
- ensuring that the organisation is POPI compliant; and
- assisting the regulator with any investigation relating to the organisation’s POPI compliance.
Where the details of an alternative individual aren’t registered with the regulator, the default position is that this role is assigned to the head of the organisation.
Although the information officer is the custodian of activity relating to the processing of personal information (and may ultimately be held accountable), it is the responsibility of the organisation as a whole to ensure compliance with POPI. It is accordingly important that each member of an organisation that handles personal information is adequately educated in respect of the organisation’s data protection policies.
Condition 2: Processing limitations:
In addition to the condition relating to accountability, POPI imposes limits on the way personal information may be processed, by requiring that the processing of personal information be lawful and reasonable, meet the requirement of minimality, and that the consent of the data subject be obtained.
In processing personal information, you must ensure that the information is only processed to the extent that it is adequate, relevant and not excessive, given the purpose for which it is processed. Put simply, an organisation should never collect or keep more personal information than it needs.
In order to process personal information, the voluntary, specific and informed consent of the relevant data subject (or competent person, in the case of a minor) must be obtained. This can easily be achieved by providing data subjects with access to an accurate privacy notice which they must actively consent to by, for example, utilising a tick-box. This privacy notice must be clear and concise so that the data subject understands exactly what information is being processed and why. It is important to note that POPI provides that a data subject may withdraw its consent at any time and/or request that its personal information be deleted, so the personal information relating to each specific data subject should be easily accessible so requests can be complied with timeously.