The POPI act is based on similar laws and legislation in other countries and now brings South Africa onto equal footing. Included in the provisions of the act is the handling of cross-border transfer and the sharing of data.
Intention of the Act
The POPI act establishes the constitutional right for the protection of personal information being processed by private or public bodies for all citizens of South Africa. The processing of personal information is subjected to justifiable limitations applicable to the context of usage. These limitations bring balance to the right to privacy versus other rights, and especially the right to access of information. It also protects important interests such as the free flow of information locally as well as internationally.
The act puts specified conditions into place within which the protection of personal information must be regulated. These conditions are in accordance with international standards which prescribe the minimum thresholds for the lawful processing of personal information.
The intended and required actions, together with the establishment of a regulatory body is to make sure that the rights protected by this act are respected, promoted, enforced and fulfilled.
Examples of what the act intends to protect include, for example, the data subject’s name, surname, and identity number or address. What needs to be remembered is that the name or surname on its own does not uniquely identify the data subject. However, a combination of the aforementioned data entities, or a specific data entity like an identity number, can uniquely identify the data subject. The act thus defines the "unique identifier" as "the data that uniquely identifies that data subject in relation to that responsible party."
Possible examples of personal information entities are:
1. Identity and/or passport number, gender, race, ethnic orientation, date of birth and age.
2. Physical address, phone number (all types), email, online/instant messaging identifiers.
3. Photos, voice and video recordings, biometric data, private correspondence.
4. Marital/Relationship status and family relations.
5. Religious or philosophical beliefs, personal and political opinions, membership(s) and affiliations.
6. Education information, financial information, employment history, salary information, criminal record.
7. Physical and mental health information including medical history, blood type, medical conditions and /or illnesses.
The first condition of accountability focuses on awareness and responsibility so we ensure that everyone within the company structure is trained on the Protection of Personal Information Act, and our IT policies are in keeping with this. All new policies and procedures are in line with ongoing compliance.
Our verification and consent procedures have been created to comply with the Data Subject/Responsible Party relationship as set out in the POPI act.
The 8 conditions of Compliance
The responsible party undertakes to ensure compliance. Accountability also requires the responsible party to regard certain types of personal information as especially sensitive and subject these types of information to more rigorous controls. The responsible party remains accountable even if the collection of data is entrusted to a third party. The sensitive data type category that is especially important for our consideration is Health. In Clause 32 it permits, amongst others, employers or institutions working for the responsible party to access personal information concerning a person’s health and sexual life, if such processing is necessary for the treatment and care of the data subject, or for the administration of the care giver.
2. PROCESSING LIMITATION
The first concept to consider when complying with the condition of processing limitation is that the processing of personal information must be lawful and not excessive. This means that any personal information made available (processed) is the minimum required for the purpose, and that the data subject gives consent for the particular use of it (collected directly from the data subject). The burden for proof of consent by the data subject or competent person remains with the responsible party.
3. PURPOSE SPECIFICATION
Personal information that is collected by the responsible party must be for a specified purpose only. Data is not allowed to be collected for one purpose and then used either for another purpose or processed in a way that is inconsistent with the purpose for which the data subject has given consent. The retention period of the personal information must not exceed the purpose for which the information was collected. If the data needs to be kept for historical, statistical or research purposes, the responsible party must establish appropriate safeguards to prevent the records being used for any other purpose. The records must be destroyed or de-identified in a manner that prevents the reconstruction of the data in an intelligible fashion.
4. FURTHER PROCESSING LIMITATION
The POPI act prohibits data from being processed in a way that is contrary to the purpose for which it was collected. However, if the data subject or competent person in the case of a child, extends consent to the responsible party for further processing, this condition will not prohibit further processing of the data. There are several other absolutions to this condition stated in the act that the responsible party needs to evaluate when considering further processing of the data. This includes the further processing of personal information by a third party. The agreement to use the data for historical, statistical or research purposes can be agreed to if the responsible party ensures that the further processing of the data will be carried out for this reason only and the data is made unidentifiable.
5. INFORMATION QUALITY
The data must be relevant, accurate and up-to- date and consistent with the intended purpose for collection or processing. It must be updated where required and not be misleading in the representation of its intended purpose.
This condition ensures that the data subject is notified whenever the data is being processed. The notification must state the reasons for use and be in line with the original purposes for which the data subject has given consent.
7. SECURITY SAFEGUARDS
Compliance with this condition requires the responsible party to make sure that reasonable security safeguards are put in place. These protective measures may include, but are not limited to, protection against risks such as loss, unauthorised access, destruction, use, modification or disclosure of personal information of the subject. On becoming aware of any security breach, the responsible party must notify, within a reasonable timeframe, the regulator and the data subject, unless the identity of the data subject cannot be identified.
8. DATA SUBJECT PARTICIPATION
It is the right of the data subject to request the responsible party to disclose what personal information is held and who has access to the data. The data subject has full rights to request that any or all of the personal information held by the responsible party be amended, rectified or destroyed.
The purposes of the Protection of Personal Information Act are in concurrence with the international legislation provided to counter the growing threat of identity theft and malicious use of personal information, and we maintain ongoing efforts to remain compliant.