
April 24, 2023
POPIA AND PAIA COMPLIANCE
In practical terms, POPIA sets conditions for the lawful processing of personal information in order to protect the public from harm, to stop our money being stolen, to stop our identity being stolen, and generally to protect our privacy. Every private and public body has to be POPIA and PAIA compliant. Even a business so small that it employs only one person has to be POPIA and PAIA compliant.
The Act defines personal information as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to information relating to listed grounds such as race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
The Responsible Party is the company or business that collects the data. Section 1 of the Act defines the ‘data subject’ as the person to whom the personal information relates.
The first step in the process is to register an information officer. The information officer takes responsibility for the POPIA and PAIA compliance of the entire business, so it would not be advisable to appoint an admin person as information officer. A deputy information officer can be registered to assist the information officer with their duties.
CONSENT is the most important factor to consider when POPIA and PAIA compliance is determined. A data subject should consent to their data being collected for the purpose set out in the POPIA manual. The POPIA manual sets out in very clear terms what the Responsible Party is collecting the data for, how long it is going to be retained and which third parties it is going to be shared with.
Once a data subject has consented to the Responsible Party dealing with their data in a certain way, then the Responsible Party is in compliance with the POPIA Act. The consent needs to be very clear and detailed in order for there to be no misconception from the side of the data subject as to how the Responsible Party is going to deal with the collected data.
Every public and private body needs to comply with the following eight conditions that prescribe the minimum threshold for lawful processing of personal information in South Africa. Public and private companies should be mindful of the rights and remedies of persons to protect their personal information from processing that is not in accordance with the Protection of Information Act.
- Accountability
  - The responsible party (the party that collects the personal information) must ensure that the conditions for lawful processing of personal information set out in the Act, and all of its requirements, are complied with.
- Processing limitations
  - The responsible party sets out the purpose for the collection of the data in its privacy statement/POPIA manual.
  - The collection must be proportionate to the purpose.
  - Data subjects MUST provide the responsible party with consent.
  - Data should be collected directly from the data subject, unless it is contained in a public record.
  - All third-party service providers with whom the data is going to be shared should be disclosed by the responsible party.
  - Data subjects should be able to object to the use of their personal data, in the prescribed manner.
- Purpose Specification
  - The collection of personal information should be for a specifically defined, lawful purpose related to a function of the responsible party.
  - The data subject should be informed of the purpose, as per the consent and the privacy manual of the responsible party.
  - The purpose should be very clearly set out in the privacy statement/POPIA manual of the responsible party.
  - The records should NOT be retained for longer than necessary for the responsible party to carry out the mandate given to it by the data subject, unless retention is required by law or the data subject has consented to the data being retained.
  - The data should be deleted or destroyed as soon as practically possible.
  - Destruction should occur in a manner that prevents reconstruction of the data in any form.
- Further Processing Limitation
  - Any further processing must be compatible with the original purpose for which the data was collected.
  - Be aware of the potential consequences of any further processing that is not in line with the original purpose.
  - Always take note of contractual rights and obligations.
- Information Quality
  - The accuracy of the collected data should always be maintained. The responsible party should at all times ensure that the personal data is up to date and not misleading.
- Openness
  - Personal data should ONLY be processed after the PAIA manual has been updated. The PAIA manual contains all of the information of the responsible party. The data subject should at all times be completely aware of the name, address and other contact details of the responsible party; all of this information is included in the PAIA manual. All laws authorising the collection of the data by the responsible party should also be contained in the PAIA manual.
  - There are, however, the following exceptions to the rule:
    - When the data subject consents to non-compliance
    - When the information will be used without identifying the data subject
    - When the personal information is already in the public domain
- Data Subject Participation
  - There should at all times be a clear communication process in place for communicating with the data subject. Data subjects have to be provided with access to their personal information, and they also have to be able to request correction of their personal information. The manner in which the information should be accessed is defined within the PAIA manual.
- Security Safeguards
  - The following security safeguards should be in place at all times:
    - All personal data should be clearly identified in all of the business processes.
    - The responsible party should do all in its power to prevent any leakage of data.
    - The responsible party should maintain the capability to detect security breaches.
    - The responsible party should regularly review the contractual obligations of third parties.
The POPIA manual has to be drawn up to the specifications of every business and has to contain the purposes for which data is collected, as well as the third parties with whom the data is being shared. The PAIA manual contains the details of the responsible party, as well as the types of data that are being collected and the way in which they can be accessed. These manuals have to be updated by the Information Officer on a regular basis.
All third parties also have to be POPIA compliant. The Responsible Party needs to obtain proof in writing of the third party’s compliance, or the third party should enter into an Operator Agreement with the Responsible Party.
Any breach of data should be reported to the Information Regulator immediately. The Information Regulator will then assess the situation and determine whether or not the Responsible Party is to blame for the breach. Non-compliance with the POPI Act may, upon conviction of certain offences, lead to imprisonment, a fine, or both. If a company laptop or cell phone has been stolen or lost, a breach could occur. If hard copies of files are lost or stolen, a data breach could also occur. All of these breaches need to be reported to the Information Regulator immediately.
A common misconception is that POPIA applies to all social media posts, but this is not true, as the data has to be collected for the purpose of business. However, this does not mean that anyone may use your personal information or post pictures, videos or posts of you without your consent. If this happens, you will have recourse, as you have a right to privacy under the Constitution.
In conclusion, PAIA and POPIA compliance are compulsory for every single business entity in the country, no matter how big or small the company is. A breach of the Act could have serious repercussions for the Responsible Party should they not have all of the requirements in place to comply with both Acts. Failure to comply with the Acts is also punishable by law and could lead to fines, imprisonment or even both. It would be advisable to become compliant with both the POPI and PAIA Acts immediately! – written by Judy Knoetze (Daleen van der Westhuizen Attorneys) http://vdwattorney.co.za/