We are all data subjects. From the moment you are born (maybe even before then), you have personal information (PI) that is processed by someone, somewhere. The Protection of Personal Information Act, 2013, commonly known as POPIA, is a piece of legislation designed to ensure that every South African citizen’s constitutional right to privacy is upheld through the protection of PI. Lize de la Harpe, legal adviser at Glacier by Sanlam, helps us understand some of the key provisions contained in POPIA and why we need to pay attention.
Conditions for lawful processing
As an intermediary, if you process any PI of your employees, clients or suppliers (for example, ID numbers, contact or bank details, wills, etc.), or documents containing such PI, you act in the capacity of a responsible party.
Processing refers to all of the activities that could relate to handling PI – including, but not limited to, collection, receipt, collation, storage, updating, retrieval, use, destruction and the alteration or distribution of a record which contains PI. POPIA requires the responsible party to process PI lawfully and in a manner that does not infringe on the privacy of data subjects. In order for processing to be “lawful” it must comply with the minimum requirements as set out in the act. There are eight conditions for lawful processing:
- Accountability – as a responsible party, you’re accountable for compliance with POPIA.
- Processing limitation – you may only process the minimum information needed to fulfill the purpose for which the PI was collected.
- Purpose specification – PI must be collected for a specific, explicitly defined and lawful purpose related to the responsible party’s function or activity.
- Further processing limitation – further processing of PI must be compatible with the original purpose for which the PI was collected.
- Information quality – the PI must be complete, accurate, not misleading and up-to-date, having regard to the purpose for which the PI is collected or further processed.
- Openness – you have to be transparent about your reasons for obtaining PI and ensure that what you do with the information is in line with the reasonable expectations of the data subject.
- Security safeguards – you must secure the integrity and confidentiality of PI by taking appropriate, reasonable, technical and organisational measures to prevent loss, damage, unauthorised destruction of, and unlawful access to, or processing of PI.
- Data subject participation – the data subject has the right to request you to confirm what PI you hold and with whom you have shared it, as well as to request you to correct, update or delete their PI.
Retention of records
You may not retain records of PI for longer than is necessary for achieving your purpose for collecting the information, unless:
- retaining the record is lawful (for example, FAIS requires records to be kept for five years after termination); or
- the responsible party needs the record for lawful purposes related to its functions or activities (for example, where a product provider needs to keep personal information about a customer so that it can deal with possible complaints about the services or defend possible future legal claims); or
- retaining the record is required by a contract between the parties; or
- the data subject (or a competent person where the data subject is a child) has consented to you retaining the record.
Additionally, you must establish appropriate safeguards against the PI being used for any other purpose.
Breach
PI has become a currency for cyber crooks. Hacking and other attempts to gain access to PI have become commonplace, and even seemingly secure systems have borne the brunt of this criminal activity. It is therefore incumbent on all responsible parties to handle PI with due care and integrity, and to employ every reasonable means to ensure that PI is adequately protected.
Consequences of non-compliance
Non-compliance with POPIA can result in legal action, administrative fines and even jail time. In addition, the resultant reputational and brand damage cannot be quantified, not to mention the broken trust relationship between you and the data subject, your client.
POPIA implementation at Glacier
Our POPIA analysis is available here.