If you have been following the article series, and have determined that you are the responsible party in terms of the first condition of POPIA, the next step is to assess your compliance with the next two POPIA conditions, which are Process Limitation and Purpose Specification.
These conditions regulate when, where and what personal information is processed.
Compliance with these conditions entails the responsible party ensuring that all personal information processed is done lawfully and in a manner that does not infringe on the privacy of a data subject. This will require that the responsible party processes personal information in a manner that is adequate, relevant and not excessive (a minimality requirement). In order to pass this minimality requirement, you must ask yourself what the purpose is of processing the personal information, or put differently, does your business have a legitimate interest in having this personal information? Collecting or keeping information because you may have a use for it in the future does not pass this test and is not a legitimate purpose argument.
Since both these conditions go hand in hand, the responsible party e must know the purpose for processing in order to assess whether the processing is legitimate or within the required limitations. Determining the purpose of the processing aids in, firstly, identifying what personal information you require, and secondly, understanding any retention requirements and restrictions in respect of records that may be applicable.
The specific purpose for processing personal information must be related to a function or activity of your business and requires you to take certain steps to:
- Bring to the data subject's attention what personal information you require and its rights therein;
- Explain why you require the personal information; and
- Obtain the data subject's informed consent to legitimately process this personal information.
These requirements will be met through the use of a POPIA section 18 consent form. This form will be discussed in a later article, but for now it is important to know that the aim of this consent form is to let the data subject know as much as possible about what you are going to do with its personal information, how long you will retain it, how you will protect and store it, who you will share it with, and how you will destroy it.
Once you have determined the reason why you require each item of personal information, you need to assess whether this reason is legitimate by asking whether it is:
- Relevant to your business operations;
- Adequate to conduct your business or fulfil an obligation;
- Contains only that information which is absolutely necessary; and
- Retained only for as long as needed.
Determining the retention period entails the responsible party understanding that the personal information may only be stored for as long as is needed to achieve the purpose for which it was collected. There are a few exceptions to this rule:
- Where the retention period is dictated by a law such as the Companies Act which stipulates that any documents, accounts, books, notices, resolutions and minutes of shareholder meetings are audited financial statements that are required to be kept for a period of seven years;
- Where the responsible party requires the personal information for a lawful purpose that is related to its business functions or activities (which may not necessarily be the same as the purpose for which it was collected), it is important that you know this purpose before retention;
- Where the retention is required as a result of a contract between the parties or in order to perform an obligation in terms of a contract; and
- When the data subject has consented to the retention.
Note that you may retain personal information for a longer period where the personal information will be used for historical, statistical or research purposes on the condition that you take the appropriate safeguards to ensure that the personal information is used only for these purposes.
Once the retention period has expired, a responsible party must proceed to destroy, delete or de-identify/anonymise the personal information. As destruction is also a form of processing, the responsible party must ensure that it takes the appropriate safeguards when destroying personal information. If a responsible party brought its retention period to the data subject's attention, there is no requirement for the responsible party to request the data subject's consent to destroy the personal information on expiration of the retention period as the responsible party already obtained consent to do so in the beginning and it is merely complying with its responsibility. However, if you intend to retain the personal information for a longer period than was consented to, you will be required to obtain the data subject's consent unless one of the exceptions are applicable.
How to comply with these conditions? It is our recommendation that in preparing the general POPIA policy that dictates what personal information you process, how and why, you should also have the following ancillary documents:
- A POPIA consent form that complies with section 18 of POPIA;
- A Retention and Destruction policy that is in line with your PAIA manual; and
- A procedure for the data subject to object to the processing of its personal information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.