The deadline for full compliance with the Protection of Personal Information Act, 2013 (“POPI”) is around the corner, and it certainly has caused a recent spike in emails from concerned clients wondering if it is too late. Although ensuring compliance may seem like a daunting task, the good news is that it is not too late; the better news is that you may be further along than you think.
Over the next few weeks, we will be briefly unpacking POPI’s minimum requirements for the processing of personal information. These requirements are set out in Part A of Chapter 3 of POPI, and incorporate the following conditions:
1) Accountability of the Responsible Party
2) Processing Limitation
3) Purpose Specification
4) Further Processing Limitation
5) Information Quality
7) Security Safeguards
8) Data Subject Participation
Our first article looked at conditions 1 and 2, namely, the accountability of the responsible party, and the limitations placed on processing. Now that you know that you need to be accountable and impose limitations on processing of information, we will look at conditions 3 and 4: purpose specification and further processing limitation.
Condition 3: Purpose Specification:
When you collect personal information, it must be for a purpose. It cannot be collected on the basis that the information “might be useful” or is “nice to have”. For every piece of personal information that you collect, you need to specifically and explicitly define the purpose for collecting the information. For example, if you collect cookies from website users, you need to articulate why you do so and for what purpose.
Personal information, once collected, must not be kept longer than necessary. Once you have no further need for the personal information, it must be destroyed or permanently deleted. Unless the law requires you to keep certain records, these records should only be kept for so long as they are reasonably required. Records can also be retained for longer than necessary with the consent of the data subject. We recommend that you obtain the consent of data subjects to (securely) retain their personal information for an indeterminate amount of time, unless the data subject requests its deletion sooner. With consent, you do not have to worry about constantly staying on top of retention timelines.
Condition 4: Further Processing Limitations:
You might have collected a client’s contact details for purposes of onboarding them as a potential client. Once they have been onboarded as a client, may you use those contact details for another purpose, i.e., further processing? That depends. Further processing must be compatible with the original purpose for which the information was collected. In the current example, using the contact details to invoice the client for work performed pursuant to the onboarding process would be acceptable. However, using those contact details to contact the client on a matter pertaining to a separate business division, or sharing those contact details with another service provider, may not be acceptable. You need to weigh up:
- the relationship between the original purpose of collecting the information and the purpose behind the further processing – how close is the relationship?
- the nature of the information – a personal phone number or email address may need to be treated with more caution than a generic “info” address or telephone number.
- the consequences of the intended further processing for the client – how severe are the consequences?
- the manner in which the information has been collected – was it collected under the guise of a particular purpose, by a particular person, in such a way that an impression could be created that the information would not be used elsewhere?
- any contractual rights and obligations between the parties. If you need to use a client’s contact details to send an invoice to them as per your contract with the client, it is acceptable to use the contact details for that purpose, despite the fact that the details may originally have been collected for a different purpose.