Topic 4 - Cybersecurity Awareness Month

Oct 14, 2020, 07:51 AM by Rian Schoeman

POPIA Principle 4 - Further Processing Limitation

Any further processing must be aligned with the original purpose for which the information was collected

MYTH: WHEN I AM AN OPERATOR I CAN PROCESS THE PERSONAL INFORMATION I GET FROM THE RESPONSIBLE PARTY AND USE IT FOR MY OWN PURPOSES SUCH AS MARKETING

RESPONSE: NO, YOU CANNOT. ANY FURTHER PROCESSING MUST ALWAYS BE IN LINE WITH THE ORIGINAL PURPOSE FOR WHICH THE INFORMATION WAS COLLECTED IN THE FIRST PLACE

As you read through today's post you will see why we elected to keep processing limitation and further processing limitation together. To refresh your memory, you may want to go back and read Condition 3 – Processing Limitation on our blog again; as you read through this post you will see how similar the two conditions are.

Further processing limitation is governed by Section 15 of POPIA. It requires any further processing to be compatible with the original purpose for which the information was collected, as defined in Section 13 of POPIA.

POPIA provides a test to determine whether the further processing is compatible with the original processing and requires the responsible party to take account of:

Test to determine if further processing is in accordance with the original purpose

  • The relationship between the purpose of the intended further processing and the purpose for which the information was originally collected. Again we can use the example of an insurance company that collects certain personal information for underwriting purposes and then passes that data to another company to build statistical risk models. This would be in line with the original purpose of collection, because the information is still being used for insurance purposes. If, however, the information is processed so that the insurance company can sell the data set to data brokers, then the further processing is not compatible with the original purpose of collection.
  • The nature of the information. There is no further guidance in POPIA on this, but one should assume that it refers at least to special personal information as defined in the definitions, which warrants stricter treatment.
  • The consequences of the intended further processing for the data subject. Because POPIA is principles-based legislation (which allows you to decide how you are going to comply instead of prescribing it), a value judgement comes into play here again. Consider what impact the processing will have on the data subject to determine whether the further processing would be fair.
  • The manner in which the information has been collected. Again there is no further clarification, and our assumption is that this refers to whether the information was obtained directly from the data subject or through other means. If the information was obtained through other means, such as a public record, further processing is more likely to be permitted. If the information was obtained directly from the data subject, the specific purpose for the processing would have had to be declared at the time, and further processing is accordingly much more restricted.
  • Any contractual rights and obligations between the parties. We discussed contractual obligations in some depth in our previous post. If there is a contractual right or duty to perform further processing, the contract governs, in so far as its terms are lawful. It is also very important to consider confidentiality clauses. Most contracts contain them, and if a confidentiality clause covers personal information and prevents sharing of any kind, you must adhere to those terms.

In addition to the test, POPIA also lists specific instances in which further processing will not be regarded as incompatible with the original purpose of the processing.

Instances where further processing is not incompatible with the original purpose

  • If the data subject (or a competent person in the case of a child) has consented to the further processing. Remember that it is important to record this consent somewhere. You need to be able to prove that you obtained the consent of the data subject through a positive action on their side.
  • The information is available in a public record or has deliberately been made public by the data subject. This is the same as one of the instances in which you do not need consent to process the personal information in the first place.
  • Further processing is necessary for SAPS, the courts or a public body to do their work, or it is required by law. There are certain instances in which consent cannot be withheld or where there is no need to obtain consent. The courts, SARS, SAPS and similar bodies are entitled by law to access your personal information. A new piece of legislation can also necessitate further processing, such as the reporting requirements on COVID-19 symptoms for employers. Here the employer has a legal duty to comply and does not need consent.
  • Where the further processing is necessary to prevent an imminent threat to public health or safety (COVID-19) or to the life or health of the data subject or a third party. This one is fairly self-evident, but note that the threat must be imminent, not merely possible in the future.
  • The information is used for historical, statistical or research purposes, and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form. This brings us to the topic of de-identification. Information that has been de-identified, so that it cannot be linked to a specific individual and cannot be re-identified, falls outside the conditions of POPIA and may be processed freely. If all you know is that a record relates to females of a certain age in a certain province, that is not specific enough to identify an individual. The moment you add other information such as an ID number, phone number or address, the individual immediately becomes identifiable. Bear in mind that identification can also happen through the combination of several fields that are each harmless on their own: for information to count as de-identified, the aggregate of everything you hold (and anything it can be linked to) must not build a clear enough picture to single out a specific individual.
  • The Information Regulator may grant an exemption to a responsible party even where the processing breaches a condition of POPIA, if the processing is in the public interest or to the clear benefit of the data subject.
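The aggregation point in the de-identification bullet is easy to state and easy to get wrong in practice, so here is an added example of one common way to check it. This is illustrative code written for this post, not a POPIA test and not a LAWtrust product: it applies the k-anonymity idea (every combination of the "quasi-identifier" fields you release must be shared by at least k records) to a small set of constructed, fictitious records. The field names, the constructed records and the choice of k = 3 are all assumptions for the illustration.

```python
from collections import Counter

# Constructed, fictitious records for the illustration (not real people).
# Names have already been stripped; these are the fields that remain.
RECORDS = [
    {"sex": "F", "age_band": "30-39", "province": "Gauteng", "phone": "0821234567"},
    {"sex": "F", "age_band": "30-39", "province": "Gauteng", "phone": "0827654321"},
    {"sex": "F", "age_band": "30-39", "province": "Gauteng", "phone": "0829999999"},
    {"sex": "M", "age_band": "40-49", "province": "Western Cape", "phone": "0831111111"},
    {"sex": "M", "age_band": "40-49", "province": "Western Cape", "phone": "0832222222"},
    {"sex": "M", "age_band": "40-49", "province": "Western Cape", "phone": "0833333333"},
]

# Fields that identify a person on their own. An assumed list: extend it for
# your own data (ID number, e-mail address, policy number, ...).
DIRECT_IDENTIFIERS = {"phone", "id_number", "address"}


def group_sizes(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def smallest_group(records, fields):
    """Size of the rarest combination: 1 means someone is unique in the release."""
    return min(group_sizes(records, fields).values())


def is_k_anonymous(records, fields, k=3):
    """True if every combination of the released fields occurs at least k times."""
    return smallest_group(records, fields) >= k


def release_check(records, fields, k=3):
    """Decide whether a view containing only `fields` can go out as de-identified.

    Returns (ok, reason). Direct identifiers are rejected outright; the remaining
    fields are then checked together, because it is the combination that
    re-identifies, not any single field.
    """
    direct = DIRECT_IDENTIFIERS.intersection(fields)
    if direct:
        return False, f"contains direct identifiers: {sorted(direct)}"
    k_actual = smallest_group(records, fields)
    if k_actual < k:
        return False, f"a combination of {list(fields)} matches only {k_actual} record(s)"
    return True, f"every combination of {list(fields)} matches at least {k_actual} records"


def release_view(records, fields):
    """The projection that would actually leave the building."""
    return [{f: r[f] for f in fields} for r in records]


if __name__ == "__main__":
    for fields in (("sex", "age_band", "province"),
                   ("sex", "age_band", "province", "phone")):
        ok, reason = release_check(RECORDS, fields)
        print(("OK  " if ok else "STOP"), reason)
```

Run as a script it approves the sex, age band and province view and rejects the same view once the phone number is added. Raise k, or coarsen fields (wider age bands, region instead of town), when the smallest group is too small; and remember that the check only covers the data you hold, not what a recipient can link it to.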

TIP: If you can do all the processing yourself without outsourcing it, do so. The more parties that get involved in processing, the more difficult it becomes to comply, and every one of those parties is a party the responsible party remains accountable for.

An easy way to obtain consent and to prove that you have received it is to get customers to sign a consent form with a digital signature. To learn more about LAWtrust's digital signing solution, called SigningHub, click here

Adv. Rian Schoeman
