
Organisational Implementation of POPI: a few compliance aspects

With the Protection of Personal Information Act (POPI) having come into operation last year, on 1 July 2020, many organisations are struggling to put measures in place to comply with its provisions, and some are still trying to understand this new piece of legislation and the organisational duties and obligations it imposes.

In their implementation processes, organisations must ensure that strict measures are in place to protect personal information against any unauthorised use or dissemination. Some of the basic factors that organisations should consider in their POPI implementation are that:

1) the organisation must determine why personal information is being collected and what its intended use is. In terms of the POPI Act, information has to be collected for a specific purpose and must be used only for that purpose. The purpose for which the organisation collects the information must be lawful, explicitly defined and confined to the normal business operations or scope of the organisation. Organisations must ensure that the person whose personal information is being collected is informed of all the purposes for which it is being collected;

2) once an organisation has determined the intended purpose of the collected personal information, it must assess how that information is to be collected, recorded, stored and destroyed. In doing so, the organisation must ensure that appropriate measures are in place to protect personal information against unauthorised access by third parties. This obligation extends to destruction: personal information must be destroyed in such a manner that no third party can recover or identify the destroyed information. Where information has been shared with a third party, it must not be shared for any reason that is incompatible with the purpose for which it was collected;

3) an obligation is placed on the organisation that is collecting the personal information to promptly notify data subjects of the reasons why their personal information is being collected, what it will be used for, the details of the organisation intending to process the information, and whether the information is being collected on a voluntary or mandatory basis. Furthermore, where information is to be shared with or disseminated to third parties, the data subject must be informed of this intention and must have given consent for the information to be shared. The organisation must further ensure that those third parties have sufficient mechanisms in place to protect the shared personal information. The data subject must be informed of their right to lodge a complaint with the Information Regulator if they believe there has been a breach in the protection of their personal information or non-compliance with the provisions of the POPI Act;

4) consent from the data subject, the person whose information is being collected, is always of paramount importance, and organisations must make sure that consent has been given for the collection, use or dissemination of the personal information. Consent may be implied or may be explicitly or expressly given by the data subject, and it may be withdrawn at any time;

5) the information being collected must be processed in a lawful manner and for a lawful purpose. Such purposes may include information collected in pursuance of a contract or agreement, information required by law, information collected in the interest of the data subject, information needed for the enforcement of law or the combating of criminal activities, or information necessary for the business operations of the organisation, etc.;

6) a data subject, the person whose information is being collected, may at any time request disclosure of the information collected, including what the information was used for, how it was stored, what measures are in place to protect it, which third parties have access to it, etc. Organisations must be mindful that the POPI Act does not itself set out a procedure for handling a data subject's request for information; such requests must be handled in accordance with the provisions of the Promotion of Access to Information Act; and

7) once the purpose for which the personal information was used has been achieved, the organisation must destroy the information and must ensure that it is destroyed in such a manner that it cannot be reconstructed.

It must be remembered that the above is not a closed list of obligations. Organisations are encouraged to familiarise themselves with all the provisions of the POPI Act and to ensure that adequate measures are put in place in order to achieve strict compliance with POPI.

Contact us for more information on our POPI Act Presentations and Workshops.