While you may have POPIA fatigue after a year of being assailed for all manner of permissions, this law has far-reaching ramifications for organisations, which are themselves data subjects and need to comply with the requirements of the Act. Beyond box-ticking with policies and procedures in place, what really matters is that the underlying principles are holistically understood and assimilated into ways of working that become habitual across the organisation. Here are some basics, practical definitions and useful everyday guidelines:
What is POPIA?
The South African Protection of Personal Information Act, or POPIA, is a law that aims to protect the personal information of individuals while that information is being used by various organisations.
What is Personal Information?
Personal information is information relating to an individual, including, but not necessarily limited to, name, contact details, identity number, bank details, race, gender, age, health status, email address, location, online identifiers, and the like.
What is Special Personal Information?
This is sensitive information concerning racial or ethnic origin, political persuasion, health, or sex life, religious or philosophical beliefs, criminal behaviour, or biometric data.
What is a data subject?
A data subject means the person to whom personal information relates. For example, some of the data subjects of an organisation could be its customers and employees. Organisations have obligations in this regard too.
What are the Rights of data subjects?
In order to protect the rights that POPIA grants to data subjects, organisations need to observe the following:
- The head of any organisation is accountable for complying with POPIA
- Personal information must be collected and used only for the specific and lawful purpose for which the organisation is established
- Only the personal information that is essential for that purpose must be collected from the data subject
- The personal information of a child may only be collected and used upon consent of a competent person, such as a parent or guardian
- Personal information must, as far as is practicable, be collected directly from a data subject
- Personal information should not be kept for longer than is necessary for the specific purpose for which it was collected
- Where the personal information might be used for a purpose different from the original reason for collection, in most cases the data subject’s consent must be confirmed
- Organisations must ensure that the personal information remains complete, accurate and up to date
- Communications with data subjects should be transparent
- Personal information should be protected from loss, theft, damage, and unauthorised access
- Where personal information is processed by an external service provider (called an Operator), a company should ensure that contracts are in place which demand that the Operator also complies with these conditions
- Where personal information must be shared, and jointly controlled between Responsible Parties, the company must ensure that the proper consent has been obtained
- A system should be in place to notify data subjects and the Information Regulator of any security compromises
- A system should be in place to allow data subjects to access and manage their personal information
- You can only market electronically to data subjects if they are your bona fide customers
- If you plan to approach a prospective customer with the intention of marketing directly, using electronic means, you need the consent of that data subject.
- A data subject should not be contacted more than ONCE to request his or her consent for a particular product
- Data subjects must be given the option to object to the processing of their personal information. For example, an unsubscribe link in every marketing email.
- Whenever consent is needed and given, the consent should be in writing and the evidence of consent retained
- Consent means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information
What is a Personal Information Protection Policy?
A Policy is internal to an organisation and demonstrates management’s intent with regard to compliance with legislation such as POPIA.
What is a Privacy Notice?
A Privacy Notice is an external-facing document that draws special attention to the manner in which the organisation is complying with POPIA. It is usually displayed at points where personal information is being collected, and informs data subjects of their rights.
How do I play my part in protecting Personal Information in my organisation?
- Understand and respect the rights of data subjects
- All personal information in your organisation should be classified as ‘Confidential’
- Educate your staff around the ‘Acceptable Use’ of company digital systems, including:
  - The use of strong passwords and not sharing them with anyone
  - Understanding how to recognise suspicious emails and links, and thinking twice before clicking on them
  - Keeping your workstations clear, especially with regard to sensitive information
  - Practising discretion when discussing the organisation externally
  - Keeping IT equipment safe, especially when you are outside the organisation’s premises, and being aware of the limits set on internet access and usage
  - Not making personal use of an unreasonable amount of the organisation’s network or other technology resources (e.g., to stream audio or video, download or store large files, or print large volumes)
  - Not allowing personal use to interfere with productivity
  - Not violating copyright, privacy laws, or licensing arrangements (e.g., file sharing of content protected by copyright, such as movies and music)
  - Not using the organisation’s IT systems and services to run or support any private organisations, or to distribute SPAM or unsolicited advertising
  - Not assuming that the organisation has an obligation to store or recover any personal content saved on organisation IT systems if it is lost