Addressing compliance with the Protection of Personal Information Act, 2013 (“POPI”) may seem like a daunting task. The good news is that it is not too late; the better news is that you may be further along than you think.
Over the next few weeks, we will be briefly unpacking POPI’s minimum requirements for the processing of personal information. These requirements are set out in Part A of Chapter 3 of POPI, and incorporate the following conditions:
1) Accountability of the Responsible Party
2) Processing Limitation
3) Purpose Specification
4) Further Processing Limitation
5) Information Quality
6) Openness
7) Security Safeguards
8) Data Subject Participation
Our previous two articles looked at conditions 1 through 4. This article addresses the 5th and 6th conditions, namely, information quality, and openness.
Condition 5: Information Quality
In terms of POPI, a responsible party must take reasonably practicable steps to ensure that the personal information it processes is complete, accurate, not misleading and updated where necessary. This is applicable to information collected both electronically and manually.
In doing so, the responsible party must have regard to the purpose for which personal information is collected or further processed. In other words, the purpose for collecting personal information must be considered in deciding on the mechanisms to keep information updated. In this regard, compliance with condition 3 (purpose specification) is essential to compliance with condition 5 (information quality).
POPI does not specify what constitutes “reasonably practicable steps”. Accordingly, each business must consider its own operations to ensure that personal information is correct and updated as and when required.
Data subjects must be informed of and reminded of their duty to provide personal information that is up-to-date and to notify the responsible party where any such information requires correction.
Practically, in dealing with the processing of personal information belonging to your customers, for example, you may use your customer terms and conditions as the mechanism to draw attention to the customer’s duty to notify you of any changes to their personal information.
It has been stated, in the context of the European Union’s data protection laws, that personal information utilised merely as a historical record of a transaction does not require updating as its purpose is to record information at the time of the relevant transaction.
Condition 6: Openness
The condition of openness relates to transparency, and has two primary elements, namely maintaining documentation relating to processing operations, and notifying data subjects of the collection and processing of their personal information.
Documentation:
In terms of section 17 of POPI, a responsible party must maintain documentation of all processing activities. Furthermore, where applicable to the responsible party, a manual must be developed in terms of the Promotion of Access to Information Act, 2000 and made available to data subjects.
Notifying data subjects:
When personal information is collected from a data subject, the responsible party must take reasonably practicable steps to ensure the data subject is kept notified of such collection each time personal information is collected from the data subject.
These steps include ensuring that the data subject is aware of:
- The fact that the information is being collected.
- The name and address of the responsible party.
- The purpose for which the information is collected.
- Whether the collection of the information is voluntary or mandatory.
- The consequences of failing to provide the information.
- Any laws that authorise the collection of the information.
- Where applicable, that the responsible party intends transferring the information to another country.
Data subjects should be notified before their personal information has been collected (or as soon thereafter as possible). You may use a privacy notice displayed on your website to achieve compliance with the above, provided the privacy notice is easily accessible and sufficient attention is drawn to its existence.
There are certain exclusions to the general rule of having to notify data subjects. It is important to consider these exclusions carefully so that, if relying on any such exclusions, you don’t fall foul of POPI.