Friday, 21 September 2012

How to comply with POPI (Protection of Personal Information Bill)?

The Protection of Personal Information Bill 2 of 2009 (POPI) has taken Parliament’s Portfolio Committee for Justice and Constitutional Development some eight years to properly research and draft. It is the next step in the current climate of Parliamentary law-making focussed on the credit and consumer markets and on the strength of the protection available to the consumer. In a capitalist system hallmarked by consumer and supplier interaction on a particularly unequal footing, favouring the supplier, the proposed Bill enjoys much support and is being referred to as the "POPI Act bringing privacy", as it seeks to enshrine the constitutional right to privacy.

The exact date of enactment is still unclear. Following public hearings conducted in October 2009, it was expected to be finalised within the 2010 Parliamentary session, with the resultant Act to be promulgated later that same year. This never materialised. The latest update on the promulgation of the Bill is that this will not occur until late 2012, if not 2013. (Update: 2013 at the earliest.)

The main concerns with the POPI Act derive from the cost of compliance with its many compulsory provisions. The POPI Act prescribes serious penalties in the event of non-compliance and sets out, in rather useful fashion, the 8 Information Protection Principles. We will discuss the most important of these principles:

i. Principle 1 – Accountability:

Section 7 of the Bill deals with the principle of Accountability and states that a responsible party, defined in the Bill’s definition section as “a public or private body or any other person which alone, or in conjunction with others, determines the purpose of and means for processing personal information”, must ensure that the principles set out in the Bill, and the measures that give effect to these principles, are complied with. Data security and privacy are key. The POPI Act seeks to empower the consumer, both insofar as rights are concerned and insofar as protection of personal information and data security is concerned.

ii. Principle 2 – Processing Limitation:

The principle of Processing Limitation is governed by sections 8 to 11 of the Bill and, in short, contains the following important considerations:

· Personal information must be processed lawfully and in a reasonable manner that does not infringe on the privacy of the data subject (section 8);

· Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive (section 9);

· Consent from the individual will be required before any personal information may be processed;

· Such information must consistently be updated to ensure its accuracy and completeness;

· Processing of personal information for the purposes of direct marketing is expressly prohibited unless those seeking to process the information for that purpose obtain the individual’s consent;

· An individual’s personal information may only be sent beyond the borders of the RSA if its purpose is to fulfil a contract between the individual and the firm concerned, if it is required by law, or if proper consent has been obtained;

· Individuals have the right to request confirmation from a firm/company of whether their personal information is being processed and may, in addition, make corrections to this personal information.

iii. Principle 3 – Purpose Specification:

The principle of Purpose Specification is set out in sections 12 to 14 and, in short, states the following:

· Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party (section 12). In other words, if the responsible party is, for example, a banking institution, it must ensure that the information obtained from an individual is collected for a purpose related to the functioning of the Bank as such an entity;

· In order to fulfil the aforementioned requirement, steps must be taken in accordance with section 17(2) of the Bill to ensure that the individual is aware of the purpose of the collection (section 17(2) sets out a list of factors that the responsible party must take into account when assessing whether processing is compatible with the purpose of the collection) (section 13);

· Information cannot be retained for longer than necessary and will have to be destroyed, but such information may be held longer for historical, statistical or research purposes if the responsible party has established adequate safeguards against these records being used for any other purpose (section 14).

iv. Principle 5 – Quality of Information:

The principle of Quality of Information is contained in section 16 of the Bill and states the following:

· The responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary;

· In taking these steps, the responsible party must have regard to the purpose for which the personal information is collected or further processed.

v. Principle 7 – Security Safeguards:

The principle of Security Safeguards is set out in sections 18 to 21 as follows:

· A responsible party must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of or damage to personal information in its possession and unlawful access to such information. The section further requires that a responsible party take reasonable measures to ensure the above;

· Where there are reasonable grounds to believe that the personal information of an individual has been acquired by a person lacking the necessary authority, the responsible party must notify the Regulator and the individual as soon as reasonably possible after the discovery of the compromise;

· This notification may only be delayed if the SAPS, the NIA or the Regulator determines that such a notice would hinder a criminal investigation;

· The notice must be in writing and may be provided to the individual by post or electronic mail, placed in a prominent position on the responsible party’s website, published in the news media, or given as may be directed by the Regulator;

· Finally, this notice must contain sufficient information to allow the individual to take the necessary protective measures.

Above we have set out and summarised the most relevant provisions and principles of POPI relating to compliance. Becoming fully compliant with the relevant provisions of POPI could well cost most affected business entities both time and money, but with the impending promulgation of the Bill it is recommended that such compliance is ensured sooner rather than later.

Peter Turner