Oct 12, 2020, 08:06 AM
Processing must be lawful! Today we take a look at the third principle of the POPI Act as part of our Cybersecurity Awareness campaign for October.
POPIA Principle 3 – Processing Limitation
This topic covers a lot, so this blog post is a little longer. It is however one of the most important principles for any business, so please take a few minutes and read the entire entry.
MYTH: I CAN GET A GENERAL CONSENT, SO I DON’T HAVE TO BE SPECIFIC ABOUT THE PURPOSE FOR THE COLLECTION OF PERSONAL INFORMATION
RESPONSE: YOU NEED TO BE SPECIFIC. IF YOU ARE COLLECTING THE INFORMATION TO SELL CAR INSURANCE, IT DOES NOT MEAN YOU CAN USE THAT SAME INFORMATION FOR LIFE INSURANCE. YOU WILL HAVE TO DECLARE AGAIN THAT YOU ARE ALSO PROCESSING THE INFORMATION FOR LIFE INSURANCE PURPOSES
Firstly your processing must be lawful. This means that you must either have obtained consent from the data subject or there must be another lawful reason for processing the information, such as to deliver something in terms of a contract or acting in the data subject’s best interest. Let’s first look at consent though
Consent must be voluntary, specific and informed, which basically means that you
- Cannot force someone to give consent. Consent must be given willingly.
- Specific means that the data subject must give consent related to the product being marketed, so if the information is being collected for marketing an insurance product, it cannot be used for marketing carpet cleaning for example.
- Informed means that data subject must know what is being collected, why it is being collected and who is collecting it. Many times we will find that we get a call from a call centre and they are not actually the company in question. So if LAWtrust uses a call centre to contact customers, the call centre will have to identify themselves and that they are acting on behalf of LAWtrust.
Minimality means that the responsible party is only allowed to collect what information they need. If the aim is to do email marketing to a customer, the responsible party would typically only need to ask for a name, surname and email address. Additional information such as address and phone number is not required. Remember, the more you collect the bigger your accountability and responsibility is. In this case, really only collect what you need.
The data subject will also have the ability to object to the information being collect, to ask for correction and for deletion of the information. Remember, if you still have a need to keep the information, you don’t need to delete the information.
In POPIA a lot centres around consent, which means you must have the permission of the data subject (the person whose information you are processing) and typically this is the easiest way to get ensure that you are lawfully processing someone’s personal information.
But it may not always be possible to obtain consent or there may be another reason that you do not want to obtain consent. POPIA provides a few exceptions to the consent rule and we will quickly take look at each of these.
- Processing is necessary to carry out action for the conclusion or performance of a contract, to which the data subject is a party. This simply means that where you have a contract with a data subject you do not need their consent to process the personal information required for the performance of that contract.A good example is a cell phone contract. These contracts typically span two or more years and the mobile service provider does not need consent to process banking details for the monthly bill or to process address details to send you your monthly invoice.
- Processing complies with an obligation imposed by law on the responsible party. Whenever there is a piece of legislation that requires the processing of personal information a data subject will not have the right to object to or refuse processing of their personal information. The COVID-19 pandemic has provided us with a good example whereby employers now have a legal duty to submit the health questionnaires completed by their employees together with other personal information to the Department of Health. While those regulations require that employees must be informed, there is no need to obtain their consent.
- Procession protects the legitimate interests of the data subject. There is no further guidance on what the application of this requirement is, so this one will come down to a value judgment. You have to ask the question whether this processing is in the best interests of the data subject. Some examples may be where a person was in a car accident and you look through their wallet to look for any health or contact information. There has also been an argument that in the life insurance industry, where there is a pay-out due to someone that processing their personal information without consent would be justified. What this one comes down to is asking yourself if you reasonably believe that you can justify the processing without consent.
- Processing is necessary for the proper performance of a public law duty by a public body. This one is pretty self-evident. It would include things such as the Department of Home Affairs processing your personal information or SAPS processing personal information in the scope of their duties
- Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom information is supplied. This is a tricky one and one that many companies will attempt to abuse. If we look at the international legislation (the Information Regulator has to look at the best international practices) it is clear that processing for direct marketing purposes is not considered to be a legitimate interest of the responsible party. This will again come down to a value judgement and if you claim that you have a legitimate interest for processing for your own purposes without consent, you will have to be able to substantiate the claim.
It is very important to note that the responsible party has the duty to prove the legitimate interest or that consent was obtained. So make sure that you document why there is a legitimate interest at the time you make the call that there is one or that you record that consent was obtained. This is a physical action, such as the recording of a phone call or someone signing a consent form or when online ticking a consent box and being able to demonstrate that the data subject was the one who ticked the box.
Rights of the data subject
Despite the rights indicated above the data subject has the following rights in terms of the processing of their personal information
- To withdraw any consent given at any time. If the processing prior to the withdrawal was lawful there will be no consequences for the responsible party except that they will have to stop the processing now.
- Where processing is conducted in the legitimate interests of the data subject the data subject still has the right to object to this processing, but they cannot object to processing under a piece of legislation that requires the processing
- To object to the processing of their personal information for direct marketing purposes. There is a clear distinction here. A responsible party is not allowed to market directly to a data subject if the consent has not been obtain previously or if the customer was not a customer of the responsible party, prior to the inception of POPIA. So in this instance there as a prior consent or relationship and the data subject now requests the responsible party to stop the processing, based on that consent or relationship.
Collection directly from the Data Subject
Personal information must be collected directly from the data subject. This means that a responsible party is not allowed to buy mass marketing databases and use those for marketing. So the principle here is that if you want to process someone’s personal information you have to obtain that information directly from that person. There are a few exceptions which we will list below
- The information comes from a public record or the data subject has made it public. An example of this would be doing a CIPC search for a company’s details. Since companies also enjoy protection under POPIA they have the same rights and protections, but since CIPC is a public database, it would be legal to obtain a company’s information from CIPC
- Where the data subject has consented to the collection of information from another source. This would typically come into play where there are several parties in the value chain. A good example is when you visit the doctor and they submit the claim to your medical scheme. The doctor is now collecting your personal information on behalf of the medical scheme as well.
- Collection from another source would not prejudice the legitimate interests of the data subject. Again, this will come down to a value judgment weighing up whether the collection from a third party is more important than protecting the data subject’s right to privacy
- To maintain the legitimate interests of the responsible party or a third-party to whom the information is supplied. The same test as in the previous point will have to be applied here.
- Compliance is not reasonably practicable in the circumstances of the particular case. This one is again open to interpretation and there cannot be a closed list of these instances.
- Ottava. Rian Schoeman