The Protection of Personal Information Bill 2009 (POPI or the Bill*) aims to bring South Africa in line with international data protection laws. The impact of this legislation will be far-reaching and will significantly affect the way companies collect, store and disseminate personal information. Members of our Information Law and Data Protection Group provide some insight into the implications of POPI in this series of Snapshots.
Previous Snapshots have highlighted that the Bill sets out eight conditions that responsible parties will need to consider for the processing of personal information to be lawful. In this Snapshot Information Quality and Openness, being the fifth and sixth of the eight conditions, are considered.
Condition 5: Information Quality
A Responsible Party must ensure that any personal information in its possession is complete, accurate, not misleading, and updated when necessary. In so doing, the responsible party must have regard to the purpose for which the personal information is collected or further processed.
The purpose for which the information was collected will inform an assessment of compliance with this condition. It will, for example, be essential to update a person's contact details when the purpose of holding this information is to periodically invoice a client. When the contact details are held for record purposes only, the need to update information will be less pressing. An assessment of whether there has been compliance with Condition 5 will therefore likely take this into account.
Condition 6: Openness
A responsible party must compile a manual that contains stipulated information as required by the Promotion of Access to Information Act, including detail on the information that it holds.
Notification to data subject when collecting personal information
Before personal information is collected directly from the data subject, or before/ as soon as is practical after collection when information is collected from another source, the responsible party must take steps to ensure that the data subject is aware of:
- the information being collected and the source of such information;
- the name and address of the responsible party;
- the purpose for which the information is being collected;
- whether the supply of the information by that data subject is voluntary or mandatory;
- consequences of failure to provide the information;
- any law authorising or requiring the collection of the information;
- whether the responsible party intends to transfer the information to a third party (country or organisation) and the level of protection afforded to the information by that third party;
- any additional information necessary to enable the processing to be reasonable; including the recipients of the information, the nature or category of the information, the right of access to and the right to rectify the information, the right to object to the processing of the information, the right to lodge a complaint to and the contact details of the Information Regulator.
Where there has been compliance in the first instance, the subsequent collection of the same information or information of the same kind will also constitute compliance if the purpose remains the same.
It is not necessary for a responsible party to comply with the requirements when:
- the data subject has consented to the non-compliance;
- non-compliance would not prejudice the legitimate interests of the data subject;
- non-compliance is necessary to avoid prejudice to the maintenance of the law, to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue by SARS, for the conduct of proceedings in any court or tribunal, or in the interests of national security;
- compliance would prejudice a lawful purpose of the collection;
- compliance is not practical in the circumstances; or
- the information will be used in a form in which the data subject will be de-identified, or used for historical, statistical or research purposes.
Click here to read clauses 16, 17 and 18 of the Bill.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.