The Protection of Personal Information Act (POPIA) takes effect on 1 July, a move that will compel businesses and organisations to protect personal information and prevent it being exposed and disseminated to unauthorised individuals and entities.
While the Act has raised some concerns, particularly among news media organisations which require access to sensitive information to expose wrongdoing, it has also been welcomed as a measure to safeguard against targeting of children online, cybercrime and barrages of unsolicited communications.
Under the new law, a business will also no longer be allowed to keep a record of personal information once the intended reason for its use has expired, except under certain circumstances.
Accordingly, businesses and individuals are required to adhere to strict regulations in terms of the Act, failing which they may incur penalties such as a fine of up to R10-million, prison terms of between one and 10 years, or both.
Certainly it is a game-changer for data-centred businesses such as marketing and e-commerce ventures, which will need to be clear on what constitutes personal information and how it can be used.
Section 69(1) of the Act, for example, provides that the processing of a data subject’s personal information for direct marketing purposes – whether via automatic calling machines, facsimile machines, SMSes, e-mail or any other electronic medium – is prohibited unless the subject has given consent and is a customer of that party.
Potential customers may be contacted only once to establish if they want to “opt in” to the marketing services, and should they refuse, no further communication may occur.
In the case of existing customers, the personal information can only be processed if it was come by through the sale of a product or service, for the purposes of direct marketing, and the data subject has been given reasonable opportunity to object.
However, becoming compliant with the Act need not be daunting if individuals and company information officers are familiar and compliant with the regulations.
Bianca Neethling has partnered with Sandton-based New Leaf Technologies, a leading provider of learning software and services to corporations, training companies and educational institutions, to design an online POPIA training course that will assist both information officers and employees to attain necessary knowledge of the Act, and implement it effectively.
Neethling, a director of Elysian Compliance and Risk Management, explains that there are eight conditions for lawful processing that need to be met, namely:
* Accountability: Responsible parties and operators must comply with the eight conditions for lawful processing;
* Processing limitation: Personal Information should only be obtained by limited and lawful processing that does not unnecessarily infringe privacy;
* Purpose specification: The purpose for which personal information is collected must be specific, explicitly defined and lawful;
* Further processing limitation: Further processing must be compatible with the purpose for which information is collected;
* Information quality. Reasonably practicable steps must be taken to ensure personal information is complete, accurate, not misleading and updated;
* Openness. Notify the Regulator that the party processes personal information where prior authorisation is required and advise the data subject of certain mandatory information in regard to the collection;
* Security safeguards. The integrity and confidentiality of the personal information must be secured; and
* Data subject participation. The data subject has certain access rights, including a right to request its deletion.
The online course designed by New Leaf and Elysian covers every aspect of the Act, including important definitions, roles and responsibilities of information officers, the importance of prior authorisation, rights of the data subject, practical examples and assessments.
“It is important employees are not just told to protect client information, but also understand the impact of non-compliance. Each employee in the business is also included as a data subject who is offered the same level of protection,” Neethling says.
“Courses like these create awareness of risks with your employees, and ultimately contribute to good governance.
“Online training also achieves the best results at the lowest costs. Workshops, for example, may take employees out of the business for a period of time and decrease productivity. Furthermore, it ensures that every person who is responsible for ensuring that the business complies, understands the POPI Act.”
For Neethling, the importance of acknowledging consumers and other data subjects’ rights cannot be emphasised enough.
“They have every right to be notified that the information about them is being collected or that it has already been accessed or acquired by an unauthorised person. They also have the right to establish whether a responsible party holds their personal information and if so, they have the right to request this information.
“Responsible parties also need to understand that data subjects have the right to object to their personal information being held and processed for direct marketing purposes, and request that their personal information be deleted or destroyed.”
Any person may lodge a complaint with the Regulator, and while the authority may attempt to arrange a settlement, it could also launch an investigation which could see the responsible party being sued in court.
“That is why our course has been developed to suit all levels of employees in the organisation. It can be used as in introduction to the Act before it commences and as a refresher on an annual basis to ensure ongoing risk management,” Neethling says.