Tax and Legal Insights | 4 min read

POPIA Explained – Part 6

By Lize de la Harpe, legal adviser

In the last edition we recapped on the eight conditions for the lawful processing of personal information and discussed Further processing limitation in detail.

In this edition we will move on to the next two conditions, namely Information Quality and Openness.

Let’s recap

As explained previously, POPIA requires the responsible party to process personal information lawfully and in a manner that does not infringe on the privacy of data subjects.

In order for such processing to be “lawful” it must comply with the conditions as set out in the act. Section 4 of POPI lists eight conditions for the lawful processing of personal information, namely:

  1. Accountability (as referred to in section 8);
  2. Processing Limitation (as referred to in sections 9 to 12);
  3. Purpose specification (as referred to in sections 13 and 14);
  4. Further processing limitation (as referred to in section 15);
  5. Information quality (as referred to in section 16);
  6. Openness (as referred to in sections 17 and 18);
  7. Security safeguards (as referred to in sections 19 to 22); and
  8. Data subject participation (as referred to in sections 23 to 25).

Let’s look at Condition 5 (Information quality) and Condition 6 (Openness) in more detail.

Information quality – section 16

Responsible parties must take reasonably practical steps to ensure that personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which the personal information is collected or further processed.

(*PS: reasonably practical steps will include requests to clients, as part of usual client communications, to keep their information updated).

Openness – documentation (section 17) and notification to data subject when collecting personal information (section 18)

Documentation – section 17

Responsible parties must maintain the documentation of all processing operations under their responsibility as referred to in section 51 of the Promotion of Access to Information Act, 2000 (“PAIA”).

As you will recall, PAIA enables people to gain access to information held by organisations. In terms of PAIA, all private and public bodies must give access to their records where someone requests access to such records in terms of the act.

Take note: you might be wondering why we are discussing PAIA here? The “records” as referred to in PAIA will include the documentation of processing operations as referred to in section 17 of POPIA. Also, remember that (to date) PAIA has been regulated by the SAHRC. This will however change to the Information Regulator once POPI commences in July next year (*PS: we will discuss the Information Regulator in more detail in a later edition).

Notification to data subject when collecting personal information – section 18

Responsible parties must be transparent about their reasons for obtaining personal information and must ensure that what they do with the information is in line with the reasonable expectations of the data subject.

Accordingly, section 18(1) states that, when personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of: 

  • the information being collected (*and where the information is not collected from the data subject, the source from which it is collected);
  • the name and address of the responsible party;
  • the purpose for which the information is being collected;
  • whether or not the supply of the information by the data subject is voluntary or mandatory;
  • the consequences of a failure to provide the information (*for example where the information is necessary to process a claim);
  • any particular law authorising or requiring the collection of information;
  • the fact that, where applicable, the responsible party intends to transfer the information to a foreign country (or international organization) and the level of protection afforded to the information by that foreign country or international organization (*PS: we will discuss cross border transfer in detail in a separate edition); and
  • any further information which is necessary under the specific circumstances to ensure reasonable processing (*for example: the recipients of the information, the nature/category of the information, the right to access/rectify the information, the right to object to the processing and the right to lodge a complaint with the Information Regulator).

The steps to be taken as summarised above must be taken:

  • if the personal information is collected directly from the data subject: before the personal information is collected, unless the data subject is already aware of the information; or
  • in all other cases (*i.e.: where the information is not collected directly from the data subject): before collection or as soon as reasonably practical.

Take note: where a responsible party has previously taken the steps referred to above, it won’t again have to do so when collecting subsequent information in relation to the same purpose (*see section 18(3)).

There are, however, certain instances where it will NOT be necessary to notify the data subject before collection. Section 18(4) lists the exclusions:

  • where the data subject has consented to the non-notification (*PS: remember it must be informed consent – but we will discuss consent in a later edition); OR
  • where it won’t prejudice the legitimate interests of the data subject (*for example, where the responsible party traces a beneficiary); OR
  • where non-compliance is necessary:
    • to avoid prejudice to the maintenance of law by a public body (*including the prevention, investigation or prosecution of offences);
    • to comply with an obligation in law;
    • for court/tribunal proceedings; or
    • in the interest of national security; OR
  • where compliance would prejudice a lawful purpose of the collection (*for example, where fraud is suspected); OR
  • where compliance is not reasonably practicable (*having due regard to the circumstances!); OR
  • where the personal information will be de-identified or be used for historical/statistical purposes.

What are the practical implications of this prior notification requirement (as per Condition 6)?

Having regard to the above, it is advisable for responsible parties to have written privacy notices setting out the purposes for which personal information is collected and further processed, and to ensure that these privacy notices appear on their websites and/or in the documentation where personal information is collected (*for example, in the product application forms or in their claims procedure documents).

Conclusion

We have now covered Conditions 5 and 6, namely Information Quality and Openness – in the next edition we will discuss the next condition, being Security safeguards (as referred to in sections 19 to 22).

Glacier Financial Solutions (Pty) Ltd and Sanlam Life Insurance Ltd are licensed financial services providers
