PROTECTION OF PERSONAL INFORMATION ACT 4 of 2013
GUIDELINES FOR THE IMPLEMENTATION OF COMPLIANT INFORMATION PROCESSING
The Protection of Personal Information Act 4 of 2013 (“the Act”) was published on 26 November 2013. Certain of the provisions were suspended. The date that the entire Act shall become applicable is 1 July 2021.
The Act recognizes that the Constitution (section 14) provides that everyone has the right to privacy. In line with this right, individuals also have the right to protection against the unlawful collection, retention, dissemination and use of personal information.
The Act also recognizes the fact that these rights and protections must not become unnecessary impediments to the free flow of information within the public i.e. there must be a balancing of the respective interests of all parties.
This guideline is not intended to be an exhaustive and complete guide on the compliance of the reader’s respective business. The drafter of this opinion is not as familiar with the reader’s business as the reader would tend to be. As such, the purpose of this guideline is to provide an overview and explanation of the contents of the Act so that its provisions can be promoted and upheld within the reader’s business, using the business’s own resources.
For an in-depth discussion of specific applications of the Act to various processes, such queries may
be directed to the writer to obtain clarity on the Act’s application to such processes.
The user of this guide must identify all areas of information processing so that proper measures may be implemented at all required points in the processing cycle.
Before one can understand the implications of any legislation, it is important to understand the meaning of the terms used therein. The following terms are important to remember when making use of the Act and this guide:
|Data Subject||This is the person to whom any information relates.|
|Responsible Party||This is a public or private body or any other person who determines the purpose of and means for processing information.|
|Operator||This is a person (juristic or natural) who processes information on behalf of a Responsible Party.|
|Competent Person||This is any person who is legally competent to consent to any action or decision being taken in respect of any matter relating to a child.|
This means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. A large host of information is included in this definition, but essentially it is any information related to the person whatsoever.
|Processing||This means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information. The definition includes, but is not limited to, collection, receipt, organization, collation, storage, updating, modifying, dissemination, distribution, merging, linking etc.|
CONDITIONS FOR LAWFUL PROCESSING OF INFORMATION
All businesses gather personal information from their customers/clients, whether the business operates a “brick and mortar” store or only has an online “remote” operation. In the current age of online shopping and work being conducted from home and by means of telecommunications, the Act has never been more applicable as it is today. From security of employee’s equipment at home to the recording of meetings held on platforms such as Zoom and Microsoft Teams, the Act now applies to all facets of daily life.
The Act sets out eight conditions for the lawful processing of personal information. Bearing in mind the definitions of personal information and processing above, the conditions shall each be set out and discussed separately. The conditions are as follows:
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Security safeguards
- Data subject participation
CONDITION 1: ACCOUNTABILITY (SECTION 8)
This condition essentially states that Responsible Parties must ensure that the conditions in the Act and all measures giving effect thereto are complied with at the time of the determination of the purpose and means of the processing and during the processing itself. The reader will recall that
“processing” here refers to collection, storage, dissemination, amendment and any other “use” of
This condition is essentially the condition which “sets the stage” and informs Responsible Parties of
their obligations in terms of the Act and sets out that all conditions must be met at all times.
CONDITION 2: PROCESSING LIMITATION (SECTIONS 9-12)
This condition is separated into several sections, each dealing with a different aspect of the condition.
First and foremost, information must be processed lawfully and in a reasonable manner which does not infringe the privacy of the Data Subject.
This expresses the requirement that personal information may only be processed if it is adequate, relevant and not excessive i.e. only the information which is necessary for the purpose of the processing should be processed. Any additional information which is irrelevant or excessive must not be processed.
Consent, justification and objection
This expresses the requirement that personal information only be processed with the consent of the Data Subject or a Competent Person, in respect of a child. Some exceptions apply to this requirement.
If the processing is required to carry out actions or to perform in terms of a contract to which the Data Subject is a party, the processing may take place.
If the processing is required for the Responsible Party to comply with an obligation imposed by law, the processing may take place.
If the processing would protect the legitimate interests of the Data Subject, the processing may take place.
If the processing is necessary for a public body to perform a public function, the processing may take place.
If the processing is necessary for the pursuing of the legitimate interests of the Responsible Party or of a third party to whom the information is supplied.
A Data Subject is entitled to withdraw their consent.
A Data Subject is entitled to object to the processing of personal information.
If the Data Subject objects or withdraws consent, the Responsible Party may no longer process their information.
Personal information must be collected directly from the Data Subject unless certain exemptions apply, the most common being that the Data Subject consents to its collection from another source.
CONDITION 3: PURPOSE SPECIFICATION (SECTIONS 13-14)
This condition is extremely important to bear in mind. Essentially, all information must be collected for a specific and explicitly defined purpose, which purpose is lawful, related to the function or activity of the Responsible Party. For instance, if your business collects information such as the cellular telephone number of a person for the purposes of sending One Time Pins to a client, that cellular telephone number cannot be used for any other purpose. All purposes must be expressly stated and agreed to by the Data Subject.
In addition to the foregoing, the information which is collected must not be retained for any longer than is necessary for achieving the purpose of its collection unless certain restrictions apply, including a legal obligation to retain such information for a longer period, a reasonable requirement by the Responsible Party for lawful purposes related to its functions and activities or required in terms of a contract or the Data Subject has consented to its retention.
After authorization has been rescinded, information must be deleted or destroyed as soon as reasonably practicable. The deletion and destruction must be done in a manner which prevents its reconstruction in an intelligible form.
CONDITION 4: FURTHER PROCESSING LIMITATION (SECTION 15)
Further processing of information must be in accordance or compatible with the purpose for which it was initially collected, unless the consent of the Data Subject has been obtained or certain exceptions apply.
CONDITION 5: INFORMATION QUALITY (SECTION 16)
This condition specifies that personal information must be complete, accurate, not misleading and updated where necessary. The Responsible Party must take reasonable steps to ensure that this is the case.
CONDITION 6: OPENNESS (SECTIONS 17-18)
The Responsible Party must ensure, when collecting personal information, that the Data Subject is aware of:
- The information being collected as well as its source, if collected from another source.
- The name and address of the Responsible Party.
- The purpose for which the information is being collected.
- Whether or not the supply of the information is voluntary or mandatory.
- The consequences of a failure to provide the information.
- Any particular law authorizing or requiring the collection of the information.
7. Whether the information will be transmitted to another country and the level of protection of personal information in that country.
- Certain further information if applicable.
These steps must be taken before the collection of the information from the Data Subject. In order to achieve this purpose, consent forms should be provided to all Data Subjects setting out the above information and obtaining the requisite consent to process their information.
CONDITION 7: SECURITY SAFEGUARDS (SECTIONS 19-22)
This condition sets out the fact that Responsible Parties must take all reasonable steps to ensure that the information that they have collected and processed is protected. These steps include technical and organizational measures.
Technical measures include electronic systems designed to protect information contained on computers and on servers such as anti-virus software, firewalls and phishing protection.
Organizational measures include measures aimed at the human resource factor of the organization. This, essentially, refers to the organizing of staff access to and ability to make use of information of Data Subjects to, as far as reasonably possible, prevent human error or malign motives from causing the compromise of the information.
This section provides specific instructions for Responsible Parties. Responsible Parties must take reasonable measures to:
- Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.
- Establish and maintain appropriate safeguards against the risks identified.
- Regularly verify that the safeguards are being effectively implemented.
- Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
In the event of any security compromises, the Responsible Party must inform the Data Subject as soon as reasonably practicable of the compromise and do everything reasonably possible to restore the integrity of the information.
CONDITION 8: DATA SUBJECT PARTICIPATION (SECTIONS 23-25)
In all matters regarding the personal information of Data Subjects, the Data Subjects must be able to participate. This means that the Data Subject is entitled to know whether the Responsible Party holds personal information related to the Data Subject and, if so, the contents of that information as well as the format thereof and whether any third parties have or have had access to such information.
The Data Subject also has the right to request the correction or updating of their personal information as well as its deletion or destruction.
SPECIAL PERSONAL INFORMATION
This is a category of information which is protected even more so than general personal information. This information relates to the following:
- Religious or philosophical beliefs;
- Race or ethnic origin;
- Trade union membership;
- Political persuasion;
- Health or sex life;
- Biometric information;
- Criminal behaviour.
This special information may not be processed unless:
- Consent is obtained from the Data Subject
- It is necessary for the establishment, exercise or defense of a right or obligation in law;
- It is necessary to comply with an obligation of international public law;
- It is necessary for historical, statistical or research purposes;
- It has been deliberately made public by the Data Subject.
DIRECT MARKETING (SECTION 69)
Direct marketing has been significantly impacted by the Act. It is no longer legally permissible to contact people who do not give their consent to direct marketing by electronic means. Consent must be obtained before a person can be contacted in order to market a product to them. In the event that a person has not specifically refused their consent, they may be contacted once to obtain such consent. If that consent is not forthcoming, they cannot be contacted again.
This does not mean that direct marketing is outlawed entirely. This simply regulates the direct marketing industry to ensure that it is done in a way that respects the decisions of the individuals being targeted with such marketing efforts.
This also includes items such as email chains that are sent to a large group of customers such as newsletters and promotional material. For current clients who have not opted-out, they may be contacted with these materials, but they must be made expressly aware that they are entitled to opt-out at any point.
For all new customers or potential people to which marketing material may be sent, the new policy is to adopt an “opt-in” approach, rather than an “opt-out” approach. What this means is that the individuals need to expressly consent to receive that material. If they do not give that express consent, they cannot be contacted.
The advisable course of action is to send out an email to all current clients/customers informing them of the fact that the business is POPIA compliant and informing them of their rights in respect of their personal information and their right to opt out and manage their personal information.
APPOINTMENT OF AN INFORMATION OFFICER (SECTIONS 55-56)
Every Responsible Party is required to appoint an information officer. The information officer must be registered with the Regulator. This can be done using the online portal of the Information Regulator and any other method prescribed by the Regulator.
The duties of the information officer are as follows:
- Encouragement of compliance, by the body, with the conditions for the lawful processing of personal information.
- Dealing with requests made to the body in terms of the Act.
- Working with the Regulator in relation to any investigations related to the body.
- Otherwise ensuring compliance by the body with the provisions of the Act.
- Any other duties as prescribed.
It is very important that the information officer is well-versed in the provisions and requirements of the Act and that the information officer properly ensures compliance. The use of this guide is not recommended as the sole document on all compliance-related matters. The Act must be used in conjunction with this guide by the information officer to ensure that they are both properly applied to the running of the reader’s business.
THE READER’S BUSINESS
The business of the reader will involve diverse areas. Currently, two of the entities within the larger group are operating. These entities operate within the IT and recruitment fields.
The IT field is obviously a large user of information. IT companies will possess vast and varied quantities of information about their clients as well as users of their products and websites. The Act and all its conditions apply to all information received and stored by the business at all levels.
IT has revolutionized the way that information is shared and the speed at which it can be shared. This obviously brings with it certain dangers. Many IT companies, such as Facebook and Google and other “tech giants” have made it their business to collect, both conspicuously and inconspicuously, certain personal information of users of their services. The such collection allows the company to target users of the services with adverts that are more likely to succeed based on known previous browsing, searching, and purchasing history. The level of information obtained is on a scale most people do not even think twice about but remains disturbing. This is one of the reasons that POPIA came to be: information was being accessed and stored without the knowledge of the data subject and there was no real recourse for that data subject.
IT companies which provide hosting services, remote assistance, support services and develop software will all collect information of their clients, in one form or another. At all times, the collection, storage and use of such information must be in accordance with the conditions set forth in the Act.
Recruitment offers several areas of information collection and processing. The collection of lists job applicants and their personal information as well as job posters and their personal information and the storage thereof raise some interesting questions in the field of POPIA.
Recruiters often receive CV’s from individuals for job postings and, while the applicant may not be suited to the specifically advertised position, they will often phone the applicant for a separate
position which is a better fit. This sort of practice is prohibited unless consent is granted. Once the information is provided to the recruiter, this does not entitle the recruiter to simply make use thereof as the recruiter sees fit.
SPECIFIC APPLICATION TO THE READER’S BUSINESS
It is far easier for those involved in the day-to-day operations of a business to understand where, when and how information is collected, stored and used within their business. The reader must always be aware that this guide is intended to educate them on their obligations so that the reader can identify the areas where consent will be required.
Where software is developed, the users would likely be required to input certain information and supply certain information on an ongoing basis to make proper use of the software. Before the entity allows the user to install and run such software, for instance, the user should be required to consent to the collection of their information upon initial registration. The user should also consent to the storage of such information for the full period of their registration, or as long as is necessary for the purposes, as well as to the ongoing collection of information, such as usage information, if this is required.
It is important to identify all such areas of information collection. Further examples include “cookies”
and other similar tracking tools, website usage, online shopping, credit card payment systems etc.
The number of different IT-related information processing systems is impossible to estimate. As such, each entity which provides IT-related services will need to evaluate each service individually and on a fundamental level to ensure that the entity is aware of every piece of information which will be collected along the way, how it will be stored, for how long it will be stored, how it will be kept secure and the purposes for which it will be used. Once this information is known, the business is able to request the necessary consent before processing the information.
Before taking on clients, it is imperative that consent be obtained, even if in broad terms, to the collection of personal information for the purposes of providing the relevant services. This will ensure initial compliance. Thereafter, and once it has become clear exactly what services the client will be making use of, further instances of consent may be required. This will depend on the circumstances of each client and their requirements.
Recruitment provides many instances where POPIA compliance is important. At its most fundamental level, recruiting involves the collection of personal information from individuals and companies and matching the requirements and expectations of each.
Every CV contains at least some very sensitive personal information, including name, age, identity number, address, race, gender, religion, and other identifiers. This information is incredibly sensitive, and it is this sort of information that POPIA seeks to protect from abuse. If this information were obtained by an unauthorized person, the damage that could be caused is immeasurable.
A popular method adopted by recruiters, to increase their chances of success in respect of matching suitable candidates to certain positions, is the collection of CV’s and storage thereof in a large database to be consulted whenever a new job is posted. This allows recruiters to access a massive number of CV’s instantly, and filter for only those which meet certain screening criteria for the position. This prevents the recruiter from having to constantly find new CV’s for every single advert that is posted for a job.
A database of CV’s may be maintained, but before this can be done, each person who provides a CV must consent for the CV to be specifically stored for such purpose. If a CV is submitted for a specific job application, for instance, the recruiter would not be entitled to, without consent, retain the CV and the personal information of the job seeker for later potential use. In any online or physical application, specific consent must be obtained by the database manager to allow the business to gather the information and store it for specific purposes.
A database of CVs may be maintained, but before this can be done, each person who provides a CV must consent for the CV to be specifically stored for such purpose. If a CV is submitted for a specific job application, for instance, the recruiter would not be entitled to, without consent, retain the CV and the personal information of the job seeker for later potential use. In any online or physical application, specific consent must be obtained by the database manager to allow the business to gather the information and store it for specific purposes.
If the recruiter intends to hold onto the CV and the information it contains to potentially use for future job matches, any client “take-on” form must include a consent provision which specifically grants consent to the recruiter doing this. The client must be given the option not to allow the recruiter to do this.
In every instance, whether it is in IT or recruitment, users are always entitled to know what information an entity currently holds about them. Users are also always entitled to demand that that information be deleted or otherwise destroyed. If a user is required to provide certain information to use certain services, they must be informed of the requirement and the consequences of not providing the information i.e. they will not be allowed to use the services.
POINTS TO BEAR IN MIND IN RELATION TO THE READER’S BUSINESS
Including a contractual provision setting out that consent is granted to the collection of specific types of information and setting out the purpose for that collection would go a long way to ensuring compliance with the Act. The contractual documents should also set out the conditions stated above and refer the Data Subjects to the Act, making the Act available on the website for ease of reference for Data Subjects, thus ensuring that the business has taken all reasonable steps to ensure that the Data Subject is aware of their rights and how to enforce them. The same applies to any suppliers of the business.
When sharing information with any other party, the business should ensure that it obtains a warranty, whether in its contractual documents or otherwise, which warrants that the third party is compliant with the Act and indemnifying the business from compromises to the information which arises out of the fault of the third party. This will offer some protection to the business in the event that it is necessary for the business to entrust any information collected to any third party. A similar clause should be included in contracts with clients/customers to inform them that the information they supplied may be supplied to third parties insofar as is necessary to achieve the purpose for which it
was collected in the first place. This clause would include an indemnity granted by the clients/customers setting out that the business shall not be responsible for compromises due to the fault of the third party.
If users of the website are not required to sign a physical document, it is imperative that they complete an online form whereby they grant the necessary consent in terms of the Act, including consent to “cookies”, consent to their information being processed and shared with third parties and informing them of their rights in terms of the Act. The answers to these questions must be mandatory and answer not providing consent must immediately end the registration process. Setting a standard policy of retaining information of users who are registered until such time as they cancel their registration would be beneficial.
Compliance with the Act is mandatory for all businesses that process information. The most important thing to bear in mind is the purpose of the Act. This Act serves not to prohibit the processing of information, but to limit its processing and to ensure, at every point, that the Data Subject has given their consent to their information being processed. If consent is obtained at every point of collection and processing, most of the compliance requirements would be met already.
Users of this guide are encouraged to read it together with the Act to ensure that they are fully acquainted with the contents and requirements thereof as well as its applications to their specific enterprise.