This is the second of three articles dealing with the Protection of Personal Information Bill (POPI). In the first article I discussed the fact that POPI regulates the processing of much of the personal information that’s processed in South Africa, and I made brief mention of the various ways in which it does that. In this article I’ll look at POPI’s most important mechanism, the eight Information Protection Principles (the Principles) that all companies and public bodies that process personal information (Responsible Parties) need to observe.
If you are a Responsible Party (and I’d like to think that every reader of this article is) you need to understand the following principles. It’s also worth noting that, as onerous as some of the Principles may seem, the exceptions often create a fair degree of wiggle room:
- You must be accountable, in other words you must comply with the Principles.
- There must be limits to your processing of information. There are a number of aspects to this:
  - The processing must be lawful.
  - The processing must not be excessive.
  - You must have the consent of the person or company whose information is being processed (the Data Subject), alternatively the processing must be justified on the basis of one or more of a number of particular reasons, including the fact that the processing: is necessary for performing a contract; complies with a legal obligation; protects a legitimate interest of the Data Subject; is necessary for the performance of a public law duty of a public body; is necessary to pursue the ‘legitimate interests’ of those to whom the information is supplied. The Data Subject can, however, object to processing based on some of these justifications, in which case you must stop.
- The information must be collected directly from the Data Subject. This does not apply, however, in certain circumstances, for example: if the information’s contained in a public record; if the Data Subject has consented to its collection from another source; if collection from another source is necessary in the interests of law and order, national security, tax collection or to maintain the ‘legitimate interests’ of the party to whom it is supplied; if compliance would ‘prejudice a lawful purpose of the collection’; if ‘compliance is not reasonably practicable’. Some pretty vague terms there!
- The information must be collected for a specific and lawful purpose, and you must take steps to ensure that the Data Subject knows that purpose. In addition, you must keep a record for no longer than is necessary for achieving the purpose for which it was obtained. Again there are exceptions, for example: you can retain information for longer than necessary if retention is required by law; if you require the record ‘for lawful purposes related to ... (your) functions or activities’; if retention is required by a contract; if the Data Subject has consented to retention.
- Any further processing of information must be compatible with the purpose for which it was collected. It will be compatible in various circumstances, for example: if the Data Subject has consented to the processing; if the information is available in a public record; if further processing is needed in the interests of law and order, national security, national health or tax collection; if the information is used for historical, statistical or research purposes.
- You must make sure that the information is accurate.
- There must be openness. This requires you to give two separate notifications:
  - The first is a notification to the Information Protection Regulator (Regulator). This notification must occur before the information is processed, but only one general notification is required. The processing will then be noted in a register. The notification must set out various things, such as: the purpose of the processing; descriptions of the categories of Data Subject and information to be processed; the recipients or categories of recipients to whom the information may be supplied; any planned trans-border flows of information; details of the security measures. The Regulator has the power to exempt certain categories of information processing from notification if they are unlikely to infringe the legitimate interests of Data Subjects. It is an offence not to comply with the notification requirement.
  - The second is notification to the Data Subject. If you are collecting information, you must take ‘reasonably practicable steps’ to ensure that the Data Subject is aware of the fact that you are collecting information about them, and that they know certain things: your name and address; the purpose of the collection; the nature of the information; the identities of those who will receive the information; and the fact that they have a right of access to the information. In cases where you collect the information directly from the Data Subject, you must give notice before the information is collected. In all other cases, you must do so ‘as soon as reasonably practicable’ after collection. Once again, there are exceptions, for example: you do not need to comply with this notification requirement if you have made a manual available under the Promotion of Access to Information Act; nor do you need to do so if compliance would ‘prejudice a lawful purpose of the collection’; or if compliance is ‘not reasonably practicable in the circumstances of the case’. Plenty of room for manoeuvre!
- You must secure the integrity of the information, and you must prevent loss or damage and unlawful access to it. If you use a third party to process the information, that party must treat the information as confidential and it must have security measures in place. Where there are security breaches, you must notify the Regulator and the Data Subject.
- The Data Subject has a right to ask you for, and be given free of charge, details of any information that you have about them, including details of parties who have had access to it. The Data Subject can also ask that wrong information be corrected, and they can demand that you destroy information that you are no longer authorised to keep.
In the third article I’ll look at the other measures created for regulating the processing of personal information.