The Protection of Personal Information Bill 2009 (POPI or the Bill*) aims to bring South Africa in line with international data protection laws. The impact of this legislation will be far-reaching and will significantly affect the way companies collect, store and disseminate personal information. Members of our Information Law and Data Protection Group provide some insight into the implications of POPI in this series of Snapshots.

In previous Snapshots we discussed that the Bill sets out eight conditions that responsible parties will need to consider for the processing of personal information to be lawful. Accountability, the first condition, was examined in the previous Snapshot. This Snapshot considers Processing Limitation, the second of the eight conditions.

Condition 2: Processing Limitation

Lawfulness of processing

Personal information must be processed lawfully and in a reasonable manner that does not infringe on a data subject's privacy. Thus, a responsible party will need to develop procedures and policies to ensure that personal information is processed in a "reasonable manner".

Some considerations:

  • There must be clarity on the length of time and the reasons for which personal information will be retained. In determining appropriate retention periods, any statutory obligations imposed on a responsible party must be taken into consideration.
  • Once the purpose for which the personal information was obtained has ceased and it is no longer required, it may be anonymised, deleted or disposed of in a secure manner. To comply with this requirement, responsible parties are advised to assign specific responsibility and to introduce procedures to ensure that files are regularly purged.

Compliance may vary depending on the reason for which the information is processed. In time, objective guidelines are expected to be made available. These will assist responsible parties to assess whether their information processing is compliant.

Minimality

Personal information may only be processed in a manner that is relevant, adequate and not excessive, bearing in mind the purpose for which it is used.

Consent, justification and objection

Personal information may only be processed if the processing:

  • has been consented to by the data subject or a competent person in the case of a minor;
  • is necessary to fulfil a contract that the data subject is party to;
  • complies with an obligation imposed on the responsible party by law;
  • is necessary to protect a data subject's legitimate interest;
  • is necessary for a public body to perform a public law duty properly; or
  • is necessary to pursue the legitimate interests of the responsible party or a third party to whom the information is given.

The responsible party bears the burden of proof to show that consent has been given. It is therefore prudent for companies to obtain such consent in writing. Consent may be withdrawn at any time, but the lawfulness of processing of personal information done before the withdrawal of the consent will not be affected.

A data subject may object to the processing of personal information:

  • in a specific manner, on reasonable grounds, unless the law permits that processing; or
  • for purposes of direct marketing (other than unsolicited electronic communications).

Once a data subject has objected to the processing of personal information, a responsible party may no longer process this information.

Collection directly from data subject

Personal information must be collected directly from the data subject except when:

  • the information is obtained from a public record;
  • the data subject consents to another means of collection;
  • there is no prejudice to a legitimate interest of the data subject;
  • collection of information from another source is necessary, for example:
    • criminal investigations and prosecutions;
    • the collection of revenue by SARS;
    • proceedings in courts and tribunals;
    • the interest of national security; or
    • to maintain the legitimate interests of the responsible party or third party to whom the information is supplied;
  • compliance is not reasonably practicable in a particular instance; or
  • compliance would prejudice a lawful purpose of the collection.

Processing Limitation is set out in clauses 9 - 12 of the Bill.

*The Bill has been adopted by the Portfolio Committee on Justice and Constitutional Development and by the National Assembly (NA). This Snapshot has been drafted using the latest version of the Bill as passed by the NA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.