It was with a
bit of irony that Facebook users all over the world reacted with outrage over
recent privacy scandals. [https://www.theguardian.com/commentisfree/2018/mar/21/cambridge-analytica-facebook-data-users-profit]
It seems like
the more selfies, intimate family pictures, personal movements and travels,
dietary activities and opinions we share with the entire world, the more we
become aware of our right to be left alone, and, in extreme cases, the right to
be forgotten. (“The Facebook memorial page may stay, but only the good pictures”,
one can hear some say.)
The Facebook
furore was, of course, not frivolous. Millions of users had their personal
information handed over, without permission, to a UK-based research company to
influence the elections in the United States.
South Africans,
albeit in relatively small numbers, were also affected. Advocate Pansy Tlakula,
the local Information Regulator, wrote to Facebook demanding answers on how the
data scandal occurred and how it would be prevented in future [https://www.iol.co.za/saturday-star/news/sa-facebook-users-among-those-zuckered-14488382].
Advocate Tlakula’s
move may have been confusing to some. How could a South African official take
on a US-based company? And who is the Information Regulator anyway?
The answer lies
in the Protection of Personal Information Act, commonly referred to by its acronym,
POPI, which was passed as law in 2013. The majority of the provisions of the Act
are not yet in effect and this may be the only saving grace for hundreds of
businesses in South Africa.
“POPI will
change everything about the way we deal with information. People must be aware
of what lies ahead,” says PR de Wet,
a Director at VDT Attorneys, who practises in this area.
“Essentially,
POPI will regulate every aspect of how one collects, captures, stores and
destroys personal information.”
Due to the very
wide definitions used in POPI, it will affect almost all businesses in some obvious
and other more surprising ways. Telemarketers and businesses with call centres
may be affected disproportionately (more about that in a future article), but
many businesses may not even realise that they are processing personal
information in terms of POPI.
Do you have a
website where people may contact you? Do you send promotional material or
newsletters to clients? Or do you simply have a spreadsheet which details past transactions
with your clients? All of these are
relevant in terms of POPI.
“Personal information” is defined broadly.
Apart from names, it entails everything from age, sex, marital status, race,
personal views or beliefs, place of birth, addresses, phone numbers, ID
numbers, biometric information, educational background and IP addresses, amongst
others. The list is endless.
“Processing”
means any activity or process – whether it is automatic or not – where you
receive, collect, record, update, retrieve, organise, store, modify or consult
any personal information. Sharing information with a third party – even within
the same organisation – constitutes processing and the Act even regulates the
destruction of personal information. As
soon as you process any personal information, you have to comply with POPI.
A pool cleaning
business will collect personal information when a client calls, disseminate
information to the technician who will be sent out to the house, capture
information for the invoice and possibly have a database of clients. This
culminates in sending out the actual invoice which will contain personal
information.
Once your activity falls within the ambit of POPI,
you have to comply with eight conditions set by the Act:
- Accountability. The responsible
party, such as the owner of a business, takes full responsibility for how
employees process personal information.
- Processing limitation. This
condition prescribes how personal information may be lawfully obtained and processed.
- Purpose specifications. People
must give informed consent to process information for a very specific purpose.
- Further processing limitation.
There are restrictions on distributing information to anyone else or using it
for any other purpose.
- Information quality. POPI
places an obligation on a business to ensure that the information remains
correct and up to date.
- Openness. The responsible party
must inform all affected parties if their personal information was compromised,
like Facebook did.
- Security safeguards. Physical
and digital security measures to protect personal information.
- Data subject participation.
Respecting the right of people to have access to their own information and
challenge it.
POPI is no poppie. It has punch.
Non-compliance
with the Act may lead to criminal sanctions such as a fine of R10 million, 10
years’ imprisonment or both in the most extreme circumstances. This would be for
offences such as compromising financial information.
The Act brought
about the establishment of the Information Regulator [http://www.justice.gov.za/inforeg/],
currently headed by Advocate Tlakula, where members of the public may complain
about the processing of their personal information. Affected people will also
be able to institute civil actions against those who processed their
information.
However, the
reputational damage to any business should be reason enough to take note of and
prepare for POPI. Just ask Facebook.
Don’t be fooled
by what seems like people’s increasing comfort with sharing personal
information. The exhibitionists will likely be the first to insist on their
right to be left alone – and possibly tell others all about it.
Copyright @ VDT Attorneys® October 2018