By Lize de la Harpe, Legal Adviser
In this edition we will move on to the next condition, namely Purpose Specification, which covers both collection for a specific purpose and the retention and restriction of records.
As explained in the last edition, POPIA requires the responsible party to process personal information lawfully and in a manner that does not infringe on the privacy of data subjects.
In order for such processing to be “lawful” it must comply with the conditions as set out in the act.
Section 4 of POPI lists eight conditions for the lawful processing of personal information, namely:
- Accountability (as referred to in section 8);
- Processing Limitation (as referred to in sections 9 to 12);
- Purpose specification (as referred to in sections 13 and 14);
- Further processing limitation (as referred to in section 15);
- Information Quality (as referred to in section 16);
- Openness (as referred to in sections 17 and 18);
- Security safeguards (as referred to in sections 19 to 22); and
- Data subject participation (as referred to in sections 23 to 25).
Let’s look at Condition 3 (Purpose specification) in more detail.
Purpose specification – collection for specific purpose (section 13) and retention and restriction of records (section 14)
Collection for specific purpose – section 13
Personal information must be collected for a specific, explicitly defined and lawful purpose related to the function or activity of the responsible party.
To put it simply:
- responsible parties must specify the purpose for which the personal information is collected;
- the purpose must be specified in such a way that the data subject can reasonably understand why the personal information is being collected and how it will be used or disclosed – the purpose cannot be worded broadly, for example “to serve you better” or “for your benefit”; and
- responsible parties may only process information for the specific purpose it was collected for (*PS: we will get back to this important aspect in the next edition when discussing Further Processing).
The aim of this section is to ensure that responsible parties are open about their reasons for obtaining personal information and that what they will do with the information is in line with the reasonable expectations of the data subject.
Responsible parties are also required to notify the data subjects of the purposes of collection, unless one of the exemptions applies. (*PS: we will deal with this in more detail in a later edition when discussing Condition 6 – being Openness – which covers notification to the data subject when collecting personal information.)
Retention and restriction of records – section 14
Section 14 then goes on to set the requirements for the retention and restriction of records. (*PS: the term “record” is defined and refers to any recorded personal information in the possession or under the control of the responsible party, whether or not it was created by a responsible party and regardless of when it came into existence or the format or medium in which it is kept.)
It states that records of personal information may not be retained for any longer than is necessary for achieving the purpose for which the information was collected UNLESS:
- the retention of the record is required or authorised by law (*for example, FAIS requires records to be kept for five years); OR
- the responsible party reasonably requires the record for lawful purposes related to its functions or activities (*for example, where a product provider needs to keep personal information about a customer so that they can deal with possible complaints about the services or to defend possible future legal claims); OR
- retention of the record is required by a contract between the parties; OR
- the data subject (or a competent person where the data subject is a child) has consented to such retention (*PS: we will come back to the concept of consent in a later edition).
In addition to the above, records of personal information may also be kept for longer than the purpose if kept for historical, statistical or research purposes, provided that the responsible party has established appropriate safeguards against the information being used for any other purposes (*PS: we will discuss these safeguards in a later edition).
If a responsible party has used the data to make a decision about a data subject, the information must be kept for a period as may be required by law or a code of conduct, or if there is no law or code of conduct, for a period which will afford the data subject a reasonable opportunity to request access to the record (*for example, where decisions are made in respect of FICA or for underwriting purposes).
Once a responsible party may no longer hold personal information, the responsible party must destroy, delete or de-identify (*which is a specifically defined term as set out in section 1 of the act) the information as soon as reasonably possible (*PS: remember, destruction or deletion must be such that the personal information cannot be reconstructed in an intelligible form afterwards).
Processing must be restricted if:
- the accuracy is contested by the data subject (for the period enabling the responsible party to verify accuracy);
- the responsible party no longer needs the personal information for achieving the purpose for which it was collected (or subsequently processed), but it must be maintained for purposes of proof;
- the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or
- the data subject requests the transmission of the personal information to another automated processing system.
Where processing is restricted as above, it may (with the exception of storage!) only be processed for purposes of proof or with the data subject’s consent or for protection of the rights of another natural or legal person or if such processing is in the public interest. Once restricted, the responsible party must inform the data subject before lifting the restriction on the processing.
Data retention policies
Having due regard to the stringent requirements which apply to the retention and restriction of records as summarised above, it is advisable for businesses to adopt a formal policy on the retention and destruction of records.
Such retention policies should balance legal and privacy concerns against economics and need-to-know concerns to determine the appropriate retention periods, archival rules, data formats, the permissible means of storage, access and encryption.
Data retention policies should also deal with:
- best practice for the key types of records as identified therein;
- the different purposes for which the business holds personal information and the length of time that such information should be retained for those purposes;
- classification of records, document management processes, special safeguarding capabilities;
- applicable regulatory requirements relevant to retention;
- the procedure for archiving the information, guidelines for destroying the information when the time limit has been exceeded;
- the safe storing/archiving of information which does not need to be accessed regularly but still needs to be retained;
- special mechanisms for handling the information when under litigation; and
- auditing of the policy.
The type of records kept may vary from business to business. Each business should therefore carefully consider its own retention and destruction requirements and consult with its legal department in formulating its approach to the retention and destruction of records.
We have now covered Condition 3, namely Purpose specification – in the next edition we will discuss the next condition, being Further processing limitation (as referred to in section 15).