Data is everywhere. In fact, because of the nifty autosave setting on the word processor used for writing this sentence, new information is being added to the Internet as it is typed. Every day we are engaging in hundreds or even thousands of little data exchanges. When we take stock of these minute transactions, it’s alarming how much of the information being collected, sent, and stored on the Internet is personal information.
Whenever you give out personal information (whether in written, oral, digital, or any other form), you’re essentially giving over information about yourself in the hope that whoever is on the receiving end will use your information responsibly, ethically, and lawfully. Without protection for the personal information we use, we would put ourselves at great risk.
While data protection policies had been in place all over the world for a while, South Africa came a little late to the proverbial party. Although the Protection of Personal Information Act (POPIA) was passed in November 2013, it took almost seven years for it to be put into effect. On the 1st of July 2020, the Act was finally put into effect with a year’s grace period for data collectors to become compliant.
This means that the information you process regarding data subjects (people whose personal data is being collected and processed) will soon be subject to very strict data protection regulations in order to uphold privacy standards mandated by the Constitution.
POPIA outlines eight general conditions under which personal information may be processed and used as of the 1st of July 2020. These conditions are as follows:
For private information to be adequately protected, there must be someone who takes responsibility for the handling thereof. For this reason, POPIA requires someone to be appointed as the responsible party for the collection and processing of information of data subjects. The appointed party must ensure that the conditions outlined in POPIA are complied with as they relate to the purpose and means of collecting, processing, storing, and disposing of personal data.
This condition requires personal information to be processed lawfully and without infringing on the privacy of the data subject. The data may only be processed for the purpose for which it was required. There is also a wide range of other limitations on the protection of data that relate to consent, withdrawals of, and objections to the processing of the data subject’s personal information. Further limitations are given regarding how, and from whom, the data may be collected.
According to POPIA, compliance requires that all data be collected for a specific purpose that is clearly defined and lawful. Not only should the purpose for data collection be specific, but the data subject must also be made aware of what this purpose is prior to the processing of their data. Additionally, data records may only be kept as long as they are used for achieving their specific purpose, after which the data must be destroyed.
Any further processing of the personal information of the data subject must be similar to, or compatible with, the original purpose for which it was collected.
The party responsible for the protection of personal information must ensure, by all reasonable means, that the data is complete, accurate, not misleading, and up to date. Any changes must be related to the original purpose for which the data was collected.
All processing operations must be documented and maintained by the party responsible for the processing of personal information. The data subject also reserves the right to be notified of any information collected as well as the particulars of the information and those collecting and keeping it.
Personal information must be kept safe from damage or loss as well as unlawful access. The responsible party must inform the data subject of all reasonably foreseeable risks to the collection of information, and must take measures to safeguard the information and maintain and update these measures as is necessary. Further measures must be put in place when the personal information is used by a third-party entity. Furthermore, the data subject must be made aware of any possible security breaches in which their information may have become compromised.
The data subject reserves the right to request access to any information collected about them and has the right to know who has access to the information. They may also request that the responsible party correct or dispose of information under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, or that no longer serves its intended purpose. The data subject must be notified of any changes made.
Please note, however, that the conditions outlined above pertain to the most general cases of data collection, processing, storing and disposal. There is a multitude of exceptions to these conditions that may be relevant to your situation and purpose for processing personal information. So, in order to ensure compliance, it is highly advisable to speak to your attorney regarding the responsible and lawful processing of personal information.
The onus now falls on you to keep your data subjects’ information safe by becoming compliant with POPIA and to avoid unnecessary trouble due to the mismanagement of personal information.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your adviser for specific and detailed advice. Errors and omissions excepted (E&OE).