
Topic 2 - Cybersecurity Awareness Month

Oct 7, 2020, 12:22 PM by Riaan De Villiers
For today's topic we will be discussing the POPI Act Principle of Purpose Specification.

POPIA Principle 2 – Purpose Specification

This is actually the third principle in the Act, but because we will be dealing with processing limitation and further processing limitation together, we are treating this principle as the second one.

This principle requires that personal information be collected for a specific reason and that the reason be made known to the data subject. The collection must be limited to what was disclosed, and a general purpose specification is not sufficient: it must be specific.

MYTH: ONCE I HAVE COLLECTED THE INFORMATION I CAN USE IT FOR WHATEVER PURPOSES I LIKE, BECAUSE THAT INFORMATION NOW BELONGS TO ME.

RESPONSE: PERSONAL INFORMATION ALWAYS BELONGS TO THE DATA SUBJECT, AND IF YOU WANT TO USE THE DATA FOR A PURPOSE OTHER THAN THE ONE INITIALLY DISCLOSED, YOU NEED TO INFORM THE DATA SUBJECT THEREOF.

Section 13 of POPIA requires that personal information be collected for a specific, explicitly defined and lawful purpose. It further states that the purpose must be related to a function or activity of the Responsible Party.

This means that a Responsible Party cannot collect personal information willy-nilly: it has a duty to set out in detail what the reason for the collection is and how that reason relates to something the Responsible Party actually does. An example would be where information is collected to underwrite someone for car insurance. The Responsible Party will have to disclose that the information is being collected to underwrite the Data Subject (the person whose personal information is being collected) for car insurance, and the information it then collects must relate to that stated purpose.

It will be legitimate to ask where the car is parked at night, whether there is security and whether the car has a tracking system, but a question such as the HIV status of the Data Subject is not related to underwriting for car insurance, and that information may not be collected.

The second part of this principle, which is not apparent from the principle's name, is the Responsible Party's duty regarding the retention of records of personal information.

Section 14 states that records of personal information must not be kept for longer than is necessary to achieve the purpose for which they were initially collected. There are some exceptions to this, namely where:

1. Retention of the record is required or authorised by law.

2. The Responsible Party reasonably requires the record for lawful purposes related to its functions or activities.

3. Retention of the record is required by a contract between the Parties.

4. The data subject has consented to the retention of the record or, in the case of a minor, a competent person has consented on their behalf.

A point to note under 4 is that a company should really ask itself whether it needs the information, even if it has consent to keep it. Remember the golden principle under POPIA: the more personal information you hold, the bigger your risk. So, if there is no good reason to retain the information, don't!

When the information is no longer required, the Responsible Party must either de-identify it (meaning it can no longer be traced back to a specific individual), if it wants to keep using it for statistical or other purposes, or destroy or delete it. The Act requires that destruction or deletion be done in a manner that prevents the record from being reconstructed in an intelligible form, so simply moving a file to the recycle bin or archiving a database backup does not meet the requirement.

TIP:

A practical tip related to document retention and destruction is to conduct an exercise to determine which laws apply to your company. You will obviously know which legislation regulates your industry, but also consider HR legislation, tax legislation and the Companies Act, as these will apply as well.

Once you have compiled your list of applicable legislation, do an analysis of the retention requirements under each of these laws. Some laws, such as FAIS, impose specific retention periods, and where a link can be drawn between a particular category of personal information and such an Act, you can classify all that information under the longest statutory retention requirement that applies to it. Not all personal information will be governed by the same legislation, though, so you will likely end up with a small number of groups, each with its own destruction date, which makes governance easier.

There is no doubt that this is one of the tougher requirements under POPIA, but it is still required, and we have to start with this exercise. You can find a comprehensive list of South African legislation at this link: https://www.gov.za/documents/acts

- Adv. Rian Schoeman

Infographic for the POPI Act Principle - Purpose Specification