Introduction
The purpose of the Bill, which is likely to be enacted later this year, is to protect the right to privacy with regard to the processing of personal information, and balance the right to privacy against other rights, such as the right of access to information. The Bill makes it mandatory to secure personal information by requiring various security measures to secure the integrity of personal information. A notable change to our law is also a requirement to notify third parties in the event of a breach of security.
Two core concepts in the Bill relate to the definition of “processing” and “personal information” (“PI”). POPI only applies to PI that is processed. Processing includes collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, use, dissemination, merging. Processing by a “responsible party” (public or private body processing PI) must be done lawfully and in a reasonable manner that does not infringe the privacy of the “data subject” (person whose personal information is being processed).
Purpose for which data is collected and consent of data subject
PI may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive. Thus only PI which is appropriate for the purpose for which it is being collected may be collected. As a rule of thumb, where a data subject’s consent to processing is obtained, the processing is likely to be seen as acceptable. We anticipate that much more scrutiny will be placed on companies where they process PI without the data subject’s consent (even though this is in some cases perfectly acceptable).
Acceptable reasons for processing PI without consent include:
- Where the processing of PI is necessary in terms of a contract to which the data subject is a party
- Where the processing of PI is compliant with law
- Where the processing of PI is protecting a legitimate interest of a data subject
- Where the processing of PI is necessary to fulfill a public law duty, and
- Where the processing of PI is necessary for the legitimate interests of a responsible party or third party to whom information is supplied
The general principle is that the PI must be obtained directly from the data subject, except in the following instances:
- PI is contained in a public record or has deliberately been made public by the data subject
- The data subject has consented to collection of PI from another source
- The legitimate interests of the data subject are not prejudiced by the collection of the PI
- Collection of PI from another source is necessary to avoid the prejudice of the maintenance or enforcement of law, the collection of revenue by SARS, conduct of court proceedings, the legitimate interests of national security or the maintenance of legitimate interests of a responsible party
- Compliance with the POPI collection requirements would be prejudicial to a lawful purpose, or
- Compliance with the POPI collection requirements is not reasonably practical
Type of information
If the information that has been processed does not fall within the definition of “personal information”, it is excluded from POPI and the processing of the information will not be illegal. PI which is processed by non-automated means (e.g. paper and text, photographs, x-rays, etc.) falls under the ambit of the Bill only if the PI forms part of a filing system.
The following are excluded from the application of POPI:
- Information for purely personal or household activity
- Information that has been de-identified
- Information processed on behalf of the State
- Information processed for investigation and prosecution of criminal matters
- Information used exclusively for journalistic purposes
- Information used by the Cabinet, Executive Council of a province and any municipality
- Information about the judicial functions of courts, and
- Information which is exempted by the Regulator in terms of section 34 of POPI
The Bill also creates a particular category of PI called “special personal information” (SPI) which (in terms of Part B of Chapter 3) can only be processed in various special circumstances and requires a higher standard of care. An example of SPI that requires a higher standard of care (or depending on the circumstances may not be processed at all) is information relating to a child (i.e. under the age of 18 years). SPI includes “religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour”.
Compliance with POPI
The responsible party must identify and appoint a person known as the Information Protection Officer (“IPO”) charged with safeguarding the PI. There is a strong overlap between the role of the Information Officer contemplated in the Promotion of Access to Information Act (PAIA) and the IPO as contemplated in POPI. Thus we recommend that the same person in a company should fulfill both roles.
Compliance with the Bill by public and private bodies will require the implementation of sophisticated systems for storing and securing information. For responsible parties who have already established an information security management system, processes should be implemented for continuous and ongoing review of the organisation’s information management and security system.
“Opt In” System
The Bill proposes that the existing provisions relating to unsolicited electronic communication in section 45 of the Electronic Communications and Transactions Act (“ECTA”) be repealed. The provisions of the Consumer Protection Act, which provide specifically for “opt out” mechanisms for the consumer, will be supplemented by POPI as will the provisions of the ECTA (which prohibits electronic access to phone directories for marketing purposes and recognizes the protection of personal data and privacy) and the National Credit Act (which provides for “opt out” options for consumers entering into credit agreements). POPI deals with the inclusion of PI in directories and providing the data subject with the option to object and require withdrawal of such information at any time.
POPI prohibits the processing of PI for the purpose of direct marketing unless the data subject has consented thereto. Where the data subject is a customer of the responsible party, the processing of PI may only take place if the PI was obtained in the context of the sale of the product or service or for the purpose of direct marketing of the responsible party’s similar products or services, and where the data subject has been given a reasonable opportunity to object to the use of his/her electronic details, both when the details are collected and on each occasion that a communication is directed to the data subject. The general principle is that if a data subject does not respond to a responsible party’s invitation to make use of its direct marketing advances, the responsible party will not be allowed to contact the consumer for a second time.
Automated decision making is also referred to as information matching and profiling. As long as profiling does not trace personal information to any identifiable individual there is no objection to this practice.
Restrictions on transferring information to other countries
The Bill provides that a responsible party may not transfer PI to a third party who is in a foreign country unless the recipient is subject to a law, binding code of conduct or contract which provides protections that are substantially similar to the information protection principles and which further prohibits the transfer of PI from the recipient in that foreign country to third parties, subject to certain exemptions.
PI may, however, be transferred to a third party in a foreign country in the following instances:
- If the data subject consents thereto
- Where necessary for the conclusion or performance of a contract
- If the transfer is for the benefit of the data subject, and
- Where it is not reasonably practical to obtain the data subject’s consent which would be likely to have been given
The reason behind this requirement is that some countries with inadequate legislation may present data havens for persons wishing to escape the protection afforded by POPI and to abuse the PI of data subjects in South Africa.
Regulator
Finally, the Bill provides for the appointment of a Regulator to educate, monitor and enforce compliance with POPI, consult and investigate complaints, research on personal information instruments and report to Parliament thereon, and develop codes of conduct.
Enforcement
The following constitute interference with the protection of PI of a data subject:
- Failure to notify a data subject of a security compromise affecting his/her PI
- Failure to maintain the confidentiality of PI used by or on behalf of the Regulator save where it is lawfully disclosed
- The unlawful processing of PI for the purpose of direct marketing
- Failure to protect PI contained in a public directory
- Subjecting a data subject to a decision which has legal consequences or affects him/her to a substantial degree, solely on the basis of automatic processing of PI
- Transferring PI outside of the Republic without the data subject’s consent or ensuring appropriate protection
- A breach of any code of conduct issued by the Regulator
The Regulator is empowered to assess complaints and to issue an enforcement notice requiring the responsible party to take specified steps within a specified period or to stop processing PI. A responsible party may, within 30 days of receiving an enforcement notice, apply to the High Court for the setting aside or variation of the notice.
Where a person hinders or unlawfully influences the Regulator, they may be guilty of an offence and be subject to a fine or imprisonment for a period not exceeding 10 years or both a fine and imprisonment. In all other instances, including a failure to comply with enforcement notices, a person guilty of an offence will be subject to a fine or imprisonment not exceeding 12 months, or both a fine and imprisonment. The magistrate’s court has jurisdiction to impose penalties for offences.
A data subject, or the Regulator at the request of the data subject, may institute a civil action for damages whether or not there was intent or negligence on the part of the responsible party. This echoes the “no fault” requirement found in the Consumer Protection Act and can be far reaching. This demonstrates the importance of compliance with this legislation.
Please feel free to contact us to discuss this further at 021 712 7661 or linda@dingley.co.za.