Published August 2020
If you answered ‘no’ to even one of these questions then this article will be of value and hopefully help you avoid getting into trouble.
‘POPI’ stands for South Africa’s Protection of Personal Information Act and it is a comprehensive bit of legislation that focuses on data protection and overseeing the way we process people’s data. This law is a work in progress.
World-wide, legislation is being rolled out to ensure information in the digital universe is better managed. In South Africa we have the Constitutional right to privacy and the POPI Act is the vehicle to deliver this right. Each of us are meant to benefit from this Act which offers us some control over those who use our information.
Even though POPI is law, it still has its training wheels on, therefore we can expect teething pains as we come to grips with what is required of us. Big businesses are going to have to improve many of their systems and call on the experts in the fields of privacy, legal, data and even cyber security to ensure compliance.
Married with the POPI Act is a Code of Conduct, issued and managed by the ‘Regulator’. It is an equally important document. Here is a helpful link to see the draft document, I am yet to find a final published version.
I can assist with digital audits, planning and implementation of POPI. If I feel there is substantial risk for a client I can call on my extended legal network to offer extra scrutiny.
Our personal data on file and in context of POPI is called a Data Subject. If a business has information about you, they hold a Data Subject. Any local or foreign organisation doing business in South Africa and in possession of a Data Subject, are subject to regulations of POPI. Everyone has until July 2021 to make sure they have their T’s crossed and I’s dotted.
If you are familiar with the General Data Protection Regulation (international standard) you will come to terms with POPI far quicker.
POPI will be regulated by the Information Regulator of South Africa (https://www.justice.gov.za/inforeg/about.html), who will also be the authority dealing with complaints, resolution process, enforcements and other nasty things like warrants. When dealing with personal information from this point onwards we need to think in three ‘time periods’ of data lifespan:
Each phase name gives us a very good idea already on what logical processes are at play. Let’s unpack some practical concepts of this new ‘mind-set’ we need to adopt, and please bear in mind, I have written this article through the looking glass of a business, and therefore if you run a public office, or some other type of entity, this document will be void of special points for you. Of course, you are always welcome to contact me for information specific to your type of organization.
‘Personal Information’ can be any identifiable information linked to a person (natural or juristic) or entity (sole proprietor, PTY, CC, NPO, NGO, etc) that includes data information such as, but not limited to:
There is a second category of information treated differently, and certainly requires more care with many other processing conditions. This data is called Special Personal Information, covering, but not limited to:
I believe a person’s image, voice, or video could be protected as an identifying data point.
Any of these nuggets of info can form part of a Data Subject and any abuse can perhaps one day lead to Administrative fines of up to 10 million rand or a prison sentence up to 10 years, or both!
Remember a Minors rights need to include participation from a legal guardian.
The POPI Act mentions three Data Subject Rights:
These rights are afforded under certain circumstances. It is very important that your team do not infringe on these rights and if a person requests access to their personal information, and are able to provide proof of their identity, you will have to attend to their request. You must, for free, confirm if you have a Data Subject file on the person.
You can in certain circumstances charge for preparing a report and information pack to hand over to the Data Subject if they make a request. When attending to this sort of matter, you will need to ensure you respond in a reasonable period of time and manner. You may quote for this administrative task to be done and ask for a deposit.
A person can after reviewing the information you provided, request for information to be amended if it is found that the data is:
In some circumstances, refusal to make changes can be made, but then a number of other processes need to be followed. Offer written confirmation once an amendment has been completed.
What ‘Activities’ constitute processing of data?
Today, there are many automated systems in place which gather information without any human participation. For example, cookies on a web browser or Google analytics. Information is gathered and digitally sent all over the place without most business owners having the foggiest idea on the technical processes at play. You will need to learn how your organization gathers information because you cannot plead ignorance as a form of defence should something go wrong.
Take a look at your web forms, storefront purchasing systems, and benefit systems at tills, chatbots and Facebook Messenger. The way we obtain information is just one of the activities a Data Subject is involved with, let me elaborate:
Be ‘proactive’ and insist that internal policies are created and shared with staff and suppliers. No defence will be considered if you have not taken all reasonable measures. There are two sides to the proactive coin: one is precautionary / preparatory steps, and the other is responsive / reactive steps.
Regular training of staff and ensuring policy is in their employment contracts is a very good idea. Failure to do this could be argued as negligence.
‘Actual compliance’. Each business is different, and that is why a 2nd opinion such as a digital audit helps put minds at ease. Here are some absolute essential actions you should take as well as some additional tips of my own.
All entities, public or private, need to designate an Information Officer. This portfolio should be added to their contract and duties should include:
The Information Officer should adopt an ethos which could include:
Accountability. Information is privileged. Show respect for a person’s data and you will almost certainly be compliant with the POPI Act.
Be unambiguous. In decisions and actions. Obtaining excessive information is not legally justifiable and the same goes if you use it for reasons other than stated, for example: if you did not ask permission to share with third parties, don’t. Do what you say you are going to do, nothing more, and nothing less.
Stick to limits. This goes for collecting of information and also for storing data for excessive periods of time, or after the purpose for collection has been concluded.
Strive for quality. Pride and cherish the data you have on file. It is of extreme value to your company and also the person you have obtained it from. Look at it as someone has asked you to take care of their pet for a period of time. If you do, your data will be accurate and of a high quality.
Ensure transparency. The way you conduct your data activities must be glass window clear. Always have a door open to a person so they can engage with you with any aspect of their Data Subject.
Future ‘Marketing’. The POPI Act expands on existing marketing legislation such as the Consumer Protection Act for privacy law. We need to focus on Chapter 8 of the POPI Act which has pertinent points that can help us ensure our marketing activities are permissible. In short, if a person:
… you are on the right path.
It is important to understand ‘consent’ in context of POPI Act. It is defined as a "voluntary, specific and informed expression of will" and this needs a bit of elaboration:
Voluntary means someone must "opt-in" to future communication. They cannot be assumed to have given consent. This prevents the use of pre-checked boxes with statements like "yes, subscribe me."
It is safer that direct marketing consent be made separately to other forms of requests.
You don't need consent to send direct marketing to an existing client if you can prove:
An extra nugget: You may not automatically be allowed to use Data Subject information to request a donation.
‘Lawful’ A business, you can no longer just cut and paste Data Subject information from a website, save it and use it. The excuse of “I got your information off a website, so I added you to my subscribed mail run” is not lawful.
You need to do a self-assessment of absolutely all your data and go back to each person and get their permission.
There are some grey areas. Examples:
‘Digital security’, 19.2 (a) of the POPI Act requires us to identify all reasonable and foreseeable internal and external risks to personal information in our possession or control. Larger organizations should really do a digital security audit and smaller businesses run a workshop. Each organization needs to work through phases of:
Make sure you have firewalls, passwords, two step authentication, virus software and threat notification systems or processes. One of the greatest risks in digital security is staff or people. The more data staff have access to, the greater the risk. A good check list to work through when dealing with human risks are these questions:
Less people + less data + less transfer = less risk.
Revisit your information flow and look at it through the eyes of a criminal, seek out the loopholes. Check hard drives, web servers, cookies and e-mail. Also take a look at information shared outside of your business, like data sent to a marketing company or data provider.
Next, think about the actual data and what can be done to it to further reduce risk.
Data breach. The first thing you are meant to do is implement your reactive / disaster plan. Your entire team needs to be ready for this. Every company will suffer a digital attack at some point, be prepared and also remember that digital crime is still crime, and should be reported to SAPS.
Once your reactive / disaster plan is in motion, it is time to inform the Information Regulator of the data breach. If you feel it is necessary, or you are demanded to by the Information Regulator, you can notify the individuals who have been affected by the breach via post, email and phone. You might not need to take this step if it could hamper a criminal investigation. You may need to make a public announcement on your own platforms if the Information Regulator makes such a request.
Digital crime is ever evolving. No data is 100% protected, and that is why I made a point that your business must keep records of assessments, workshops, plans and actions taken. It is essential for your defence. Learn from the breach.
I hope this article was of value, and if you would like to tackle the Act yourself I have added the link below. Otherwise, I would love to hear from you if you are interested in support for POPI compliance or a keynote talk / workshop on the subject.
Be a Future Thinker!
Published August 2020Read more articles