This is the third of three articles dealing with the Protection of Personal Information Bill (POPI). In the first article I discussed the fact that POPI regulates the processing of much of the personal information that’s processed in South Africa. In the second I looked at the most important measure created by POPI, the eight conditions for the lawful processing of personal information that those companies and public bodies that process personal information (Responsible Parties) must adhere to. In this article I’ll look at the other measures that POPI creates in relation to the processing of personal information.
POPI places limitations on the processing of certain types of personal information. These provide that you, the Responsible Party, cannot process personal information regarding:
A child, unless the processing is carried out with the prior consent of a person who is legally competent to consent to any action or decision being taken in respect of such child.
A person’s religious or philosophical beliefs, unless you are a spiritual or religious organisation to which such person belongs.
A person’s race or ethnic origin, unless the purpose is to identify the person whose information is being processed (the Data Subject), or to comply with empowerment laws and measures.
A person’s trade union membership, unless you are a trade union or trade union federation to which such person belongs.
A person’s political persuasion, unless you are an organisation 'founded on political principles'.
A person’s health or sex life, unless you are for example: a medical professional or healthcare institution; an insurance company or medical aid scheme and you need the information for assessing risk or performing obligations; a school; a public or private body managing the care of a child; a public body responsible for the implementation of prison sentences; a pension fund.
A person’s criminal behaviour, unless: you are a body responsible for applying criminal law; you are assessing an application by a Data Subject in order to take a decision about whether or not to provide a service to them; you need the information to protect your legitimate interests in relation to criminal offences that have been or may be committed against you or your employees.
POPI provides that, in certain circumstances, the Information Regulator (the Regulator) may grant an exemption to a Responsible Party from the conditions of processing personal information. The Regulator may do so if, for example, it feels that the public interest outweighs the interference with the privacy of the data subject, or if there are reasons of national security, criminal law, or the economic and financial interests of a public body that warrant the processing.
There are certain circumstances where you must obtain prior authorisation from the Regulator before you can process information. These include situations where you want to process information on criminal behaviour or for the purposes of credit reporting, or where you plan to transfer personal information to countries that don’t have adequate information protection laws. In cases like this you cannot do any processing until such time as the prior authorisation has been obtained; however, you will only need to obtain such prior authorisation once. The requirement of a prior authorisation will, however, not apply if an applicable code of conduct (discussed next) has come into force.
codes of conduct
The Regulator may issue codes of conduct that relate to classes of information or to specific industries, and it will keep a register of approved codes. Such codes can be issued at the request of industry players. Once issued, the code becomes binding on every class of information or every company operating in the industry referred to in that code. A code may contain its own procedures for dealing with complaints. A failure to comply with a code will be deemed to be a breach of the conditions for the lawful processing of personal information.
POPI provides that you cannot process personal information for the purposes of direct marketing by way of email, SMS and the like, unless the Data Subject has given his or her consent to the processing, or if the Data Subject is a customer of yours. Importantly, the Data Subject’s consent must be requested (i.e. the Data Subject must opt-in). It also provides that you can only process a customer’s personal information in certain circumstances, namely where: you obtained the contact details in the context of the sale of a product or service; the purpose is to market your own similar products or services; and the Data Subject had a chance to object, free of charge, when the information was collected; and the Data Subject has a chance to object on each communication. All communications that you send to the Data Subject must feature your identity and contact details.
trans-border information flows
POPI provides that you may not transfer personal information abroad unless one or more of a number of requirements are met, for example: the recipient is subject to a law, binding corporate rules, binding agreement or memorandum of understanding which provide an adequate level of protection that is substantially similar to the conditions for the processing of personal information as set out in POPI; the Data Subject has consented to the transfer; the transfer is necessary for the performance of a contract; the transfer is for the benefit of the Data Subject and it was not reasonably practicable to get their consent.
Any person may submit a complaint, in writing, about information processing to the Regulator, who can then conduct an investigation. The Regulator may decide to take no action in certain circumstances, for example, if the subject matter of the complaint is trivial, if a long period of time has elapsed, if a complaint is frivolous, vexatious or is not made in good faith, or if the person doing the complaining failed to use a complaints procedure under a code. The Regulator may try to reach a settlement between the parties, or it can conduct a hearing at which it can summon witnesses and receive evidence. The Regulator can even ask a judge or magistrate for a warrant to enter and search premises. If the Regulator finds for the complainant, it may serve a Responsible Party with an enforcement notice, requiring it to take certain steps. There is a right of appeal to the High Court.
A Data Subject, or the Regulator at the request of a Data Subject, may also institute a civil action for damages against a Responsible Party for breach of any provision of POPI relating to interference with the protection of personal information of a Data Subject, irrespective of whether or not there was intent or negligence on the part of the Responsible Party.
offences and penalties
POPI creates various offences. For example: it will be an offence not to comply with an enforcement notice; for any person acting on behalf of the Regulator not to treat the information as confidential; to obstruct the Regulator; to obstruct the execution of a warrant. Any person convicted of an offence in terms of POPI may be liable for a fine or to imprisonment, the term of which will depend on the contravention. Administrative fines up to R10 million may also be applicable in certain cases.
The introduction of dedicated data protection legislation in South Africa is long overdue and it is welcome. Yet it does raise significant compliance issues for all companies and public bodies. They will need to take these issues very seriously, and will need to give time and attention to remaining in compliance with the myriad of data protection law requirements that will now become part and parcel of the corporate regulatory landscape.