Examining the impact of the Protection of Personal Information Bill

05 October 2012 | Legal Affairs | General | Zaid Gardner, Senior Associate at ENS (Edward Nathan Sonnenbergs)

The Protection of Personal Information Bill (POPI) imposes eight Information Protection Principles on all companies and public bodies that process personal information. However, while it is crucial that companies and individuals familiarise themselves wit

This is according to Zaid Gardner, Senior Associate at ENS (Edward Nathan Sonnenbergs), who outlines the principles below:

Principle 1: You must be accountable.

“In other words you must comply with the Principles,” says Gardner.

Principle 2: There must be limits to your processing of information.

According to Gardner, there are a number of aspects to this. “This means the processing of information must be lawful and not excessive. It’s also necessary to have the consent of the person or company whose information is being processed (the Data Subject),” he says.

Alternatively, according to Gardner, the processing of information must be justified on the basis of one or more of a number of particular reasons, including the fact that the processing: is necessary for performing a contract; complies with a legal obligation; protects a legitimate interest of the Data Subject; is necessary for the performance of a public law duty of a public body; is necessary to pursue the ‘legitimate interests’ of those to whom the information is supplied.

“The Data Subject can, however, object to processing based on some of these justifications, in which case the processing must stop,” he warns.

Furthermore, Gardner says the information must be collected directly from the Data Subject – however this does not apply in all circumstances. “For example, this does not apply: if the information’s contained in a public record; if the Data Subject has consented to its collection from another source; if collection from another source is necessary in the interests of law and order, national security, tax collection or to maintain the ‘legitimate interests’ of the party to whom it is supplied; if compliance would ‘prejudice a lawful purpose of the collection’; if ‘compliance is not reasonably practicable’,” he says.

Principle 3: The information must be collected for a specific and lawful purpose.

In addition to this, steps must be taken to ensure that the Data Subject knows the purpose for which the data is being collected. According to Gardner, a record must also not be kept any longer than is necessary for achieving the purpose for which it was obtained. “Again there are exceptions. For example, you can retain information for longer than necessary if retention is required by law; if you require the record ‘for lawful purposes related to ... (your) functions or activities’; if retention is required by a contract; if the Data Subject has consented to retention,” says Gardner.

Principle 4: Any further processing of information must be compatible with the purpose for which it was collected.

According to Gardner, it may be compatible in various circumstances, for example: if the Data Subject has consented to the processing; if the information is available in a public record; if further processing is needed in the interests of law and order, national security, national health or tax collection; if the information is used for historical, statistical or research purposes.

Principle 5: The information must be accurate.

Principle 6: There must be openness.

Gardner warns that this requires you to give two separate notifications. “The first is a notification to the Information Protection Regulator (Regulator). This must occur before the information is processed, but only one general notification is required.”

The processing will then be noted in a register. According to Gardner, the notification must set out: the purpose of the processing; descriptions of the categories of Data Subject and information to be processed; the recipients or categories of recipients to whom the information may be supplied; any planned trans-border flows of information and details of the security measures.

“The Regulator has the power to exempt certain categories of information processing from notification if they are unlikely to infringe the legitimate interests of Data Subjects. It is an offence not to comply with the notification requirement,” he says.

The second is a notification to the Data Subject. “If a public or private body is collecting information, the law says they must take ‘reasonably practicable steps’ to ensure that the Data Subject is aware of the fact that these entities are collecting information about them, and that they know certain things: your name and address; the purpose of the collection; the nature of the information; the identities of those who will receive the information; and the fact that they have a right of access to the information,” explains Gardner.

In cases where the information is collected directly from the Data Subject, Gardner says it’s necessary to give notice before the information is collected. In all other cases, you must do so ‘as soon as reasonably practicable’ after collection.

However, once again, there are exceptions. “One does not need to comply with this notification requirement if they have made a manual available under the Promotion of Access to Information Act; nor do they need to do so if compliance would ‘prejudice a lawful purpose of the collection’; or if compliance is ‘not reasonably practicable in the circumstances of the case,’” says Gardner.

Principle 7: The integrity of the information must be secured.

“This means preventing loss or damage and unlawful access to it. If a third party is used to process the information, that party must treat the information as confidential and it must have security measures in place. Where there are security breaches, it’s necessary to notify the Regulator and the Data Subject,” says Gardner.

Principle 8: The Data Subject has a right to ask for, and be given free of charge, details of any information that you have about them.

Gardner explains that this includes details of the parties who have had access to the information about a Data Subject. “The Data Subject can also ask that wrong information be corrected, and they can demand that you destroy information that you are no longer authorised to keep,” he says.