Processing of personal information is widely defined in section 1 of the Protection of Personal Information Act 4 of 2013 (POPI) to include almost any activity in relation to personal information from the point of collection to the dissemination and destruction of such information.
The conditions of lawful processing are stipulated in Chapter 3 of the Act. In the second condition, various limitations are placed on the processing of personal information premised on the following:
Processing must be reasonable and lawful.
Processing must not be excessive and minimal.
Processing is subject to the consent of the data subject – the person, or company, whose information is being processed –and his, her, or its ability to object against such processing.
Data must be obtained directly from the person to whom the information belongs (subject to certain exceptions).
The requirements should not be read in isolation and must be considered holistically. This article only deals with certain aspects of processing and not with the exclusions from the processing limitation.
To reiterate: processing of personal information has to be lawful and reasonable and done in a manner that does not infringe on the privacy of the data subject. It is thus, for example, permissible for an organisation as a responsible party to obtain the voluntary consent of a customer to keep his or her name and email address in the organisation’s record management system for the purpose of sending emails to that customer for promotional purposes during a specific period. The storage of the personal name and email address under these circumstances will be lawful and reasonable provided that consent has been obtained for that specific purpose and the organisation acts within the parameters of the consent.
Consider, however, a scenario where the organisation also stored the cellphone number of the same customer, which was obtained from another source without the knowledge of the customer. Sending an SMS to this customer once a week inviting him or her to enter a competition will constitute unlawful processing. The mere storage of the cellphone number without knowledge and consent will also be unlawful. The customer could argue that the company is in contravention of the second POPI condition on the basis that processing of his or her cellphone number is unlawful as consent was limited to the storage of his or her name and email address. Contacting a customer by SMS once a week possibly also infringes on the privacy of the customer and is unreasonable given the limitations of the consent obtained by the organisation.
If, for argument’s sake, the time period for which the consent was provided has expired, the organisation will have to destroy the name and email information of the customer or obtain new consent. Organisations should therefore consider drafting contractual clauses or consent clauses in a way that covers most scenarios for which consent is sought but at the same time protects the rights of the data subject and enables him or her to be sufficiently informed of the details of the processing and its purpose.
The above scenario also holds implications in terms of other legislation. Readers should be aware that unsolicited electronic communication is not only regulated in POPI, but also in the Consumer Protection Act 68 of 2008 (CPA), the National Credit Act 34 of 2005 (NCA), and the Electronic Communications and Transactions Act 25 of 2002 (ECTA). POPI, the NCA, the CPA and ECTA obligate responsible parties, credit providers and direct marketers to give data subjects opportunities to object to the processing of personal information and to unsolicited electronic communications.
Also consider the position where the data subject did consent that the organisation may keep his or her personal information but the information is actually stored on the systems of a third-party outsourced service provider (OSP). The organisation must inform its customers of this fact and obtain the express consent of the data subject to transfer the information to the servers of an OSP. If the OSP is situated in another country, specific consent must be obtained from the data subject for cross-border transfer. Under these circumstances the organisation should preferably enter into an agreement with the OSP in terms of which the latter may only deal with the personal information on instruction and on the mandate of the organisation.
These agreements are often referred to as operator or processor agreements. The OSP will be considered an operator and the organisation a responsible party as defined in the Act. Organisations in a group structure should be especially mindful of the potential contractual impact of the above scenario as intra-group agreements may be necessary where information is stored by other companies or structures in the group.
From the above it is evident that a consequence of the POPI second condition is that consent obtained from a client must be very specific in relation to the processing purpose and that operator agreements may be advisable depending on the organisation’s processing operations. Organisations would have to keep record of the consents obtained from customers to ensure that they are well aware of the parameters within which they are allowed to operate when processing personal information. It may prove challenging to keep track of what may and may not be done in relation to specific clients. The customer is also well within his or her right to withdraw the processing permissions at any time. Once this has happened, processing will be unlawful and unreasonable and will infringe on the privacy of the data subject.
Organisations should also consider their obligations in terms of other personal information under their control, as the requirements apply to all personal information as defined in the Act. This would include the personal information of not only customers but also that of personnel, suppliers, visitors and consultants. The information of juristic persons is also included. A consequence of this is that organisations should include in their contracts with personnel, suppliers and consultants appropriate clauses that will ensure that the necessary processing permissions are obtained. These may extend to website terms and conditions and automated terms of use in certain instances.
Processing must be adequate, relevant and not excessive. In other words, organisations should only collect the minimum information required for the specific purpose. It should not collect excessive information. The less personal information an organisation collects, the less effort will be required to protect it. For example, when, in the above scenario, the organisation also keeps the vehicle registration number of a customer, it is questionable whether this information is relevant and necessary for contacting the client telephonically. The name and cellphone number of the client would probably satisfy the minimality requirement contained in the second condition of POPI.
POPI furthermore gives data subjects the right to request an organisation to delete his or her record or object to processing. Such requests from data subjects may be difficult to entertain from an operational perspective. In a situation where a professional service provider such as an accountant obtains the identity numbers of the personnel of his or her private company client, in terms of a legitimate contract, the accountant should ensure that his or her client obtain consents from its personnel. The data subject is seldom a party to such a contract. In the circumstances it may be advisable to sign an additional data-processing contract with the service provider in terms of which data may only be processed by the service provider in terms of the instructions of the company. Organisations should obtain legal advice where necessary.
POPI in effect requires organisations to delete personal information that is no longer required unless it needs to be retained by law, for the purposes of a contract between the organisation and the data subject or if the data subject has given his or her consent to the information to be retained. Deletion of information no longer required may present organisations with many challenges in light of the vast amount of legislation that requires records to be kept for differing periods of time. Where no retention periods are specified by legislation it will be prudent for organisations to consider keeping information for a minimum period in which legal action may be potentially instituted, as outlined in the Prescription Act 68 of 1969. This period constitutes a minimum period of three years depending on the course of action and falls within the scope of the legitimate business interests of an organisation.
From the above it is evident that organisations need to consider the implications of the Act in greater detail. Only certain sections of the Act relating to the establishment of the regulator and the drafting of regulations are currently operative, but organisations should nevertheless proactively consider the impact of the Act if they haven’t previously done so.
Author: Carla Budricks is Legal Compliance Officer at PwC