POPIA Principle 6 - Openness
Today’s topic, Openness, covers a lot, so this
post will be a little longer. It is, however, important to know what disclosures
you have to make in order to lawfully collect the personal information of a data
subject.
MYTH: AS LONG AS I HAVE CONSENT
I DON’T HAVE ANY FURTHER REQUIREMENTS WHEN PROCESSING PERSONAL INFORMATION
RESPONSE: THERE IS A LARGE AMOUNT OF
INFORMATION THAT HAS TO BE DISCLOSED TO THE DATA SUBJECT WHEN PROCESSING
PERSONAL INFORMATION
POPIA states that a responsible party is
obliged to ensure that the data subject is aware of:
1. The information being collected and,
if it is not collected from the data subject, the source from which it is collected. We have seen
this before in POPIA under Purpose Specification, but here it is again. The
data subject must know that the information is being collected in the first
place and, if it is not collected from the data subject itself, it has to be disclosed from
where. How many times have you received a phone call from a completely random
company trying to sell you something and,
when you questioned where they got your information from, they were either unable
to answer or would say “the National Consumer Database” or “a database”? This
is not good enough. They must be able to identify the exact source of their
information if they did not get it from the data subject.
2. The name and address of the
responsible party. This one can be overcome by having this kind of information
freely available on your website and other sources if you are the responsible
party. See our tip below for another way to deal with this requirement.
3. The purpose of collection. Again this is nothing new and we saw this under Purpose
Specification. Just to recap though, the data subject must be made aware of the
exact purpose for which the information is being collected.
4. Whether the supply of information by
the data subject is voluntary or mandatory. We have discussed instances where
the supply of personal information does not need consent, such as when there is
a legal obligation or when the parties are involved in a contract. There is
still a duty on the responsible party to disclose whether the provision of the
personal information is mandatory or voluntary.
5. The consequences of failure to
provide information. One very important aspect of POPIA is that it is a
two-edged sword. In instances where the provision of personal information is
voluntary, there is no obligation on the data subject to provide the personal
information. But there is equally no duty on the responsible party to proceed
with the delivery or the contract where the data subject is not willing to
provide their personal information. It creates a balance of power, but in some
instances the responsible party will have more power because ultimately the
data subject wants the product and would provide personal information just
to get it. Whether consent was obtained willingly in such a case is up
for debate, but not within the ambit of this post.
6. The law authorising or requiring the
collection of information. Where the collection of the information is required
by law, the data subject cannot really object, but the responsible party has to
inform the data subject of the applicable law. Where there is a law authorising
the collection of the personal information, it means that the responsible party may collect
the information, but must still inform the data subject.
7. If the information is to be transferred to a third
country or international organisation, the level of protection afforded
to the information. Many people will have objections to their personal
information being transferred out of South Africa, not knowing that they do so
daily by using email services such as Gmail and storing data on Dropbox and
Google Drive. Despite this, it is still important when considering transferring
personal information outside of South Africa to make sure that there are
security measures in place, because you need to be able to give the data subject
comfort that their information will be protected. This is a very sensitive
point for many people, so make sure that you are prepared to answer questions
about the security of the personal information if you transfer it outside local
borders. We will come back to this point when we talk about Security Safeguards.
8. In addition, the responsible party
must also furnish any further relevant information, which is
necessary when you look at the specific context in which the information is or
is not to be processed to ensure that processing is reasonable. These
considerations include:
a. The category or categories of recipients of the information
b. The nature or category of the information
c. The existence of the right of access to, and the right to rectify, the information
collected. This one is quite important and links back to Information Quality.
The rights to access and rectification are fundamental to POPIA and many
businesses are not prepared for this. If a customer of yours
were to ask you today to provide them with all the personal information of
theirs in your possession, would you be able to do so? How easy would it be for
you to correct an address or other information?
d. The existence of the right to object to the processing of personal information. While every
data subject has the right to object to the processing of their personal
information, there will be instances where they will not be successful. Examples
would be where there is a legal obligation to process the personal information,
where the legitimate interest of the responsible party outweighs that of
the data subject and, of course, where there is a contract in place. It is very
important, though, to ensure that all access requests and objections are documented
and that records of those requests and the responses thereto are kept and
easily accessible, in case of an enquiry or investigation by the Information
Regulator.
e. The right to lodge a complaint with the Information Regulator, and the contact details
of the Information Regulator. Every data subject has the right to lodge a complaint
with the Information Regulator, and even if the responsible party believes that
there is no basis for the complaint, they must still
make the contact information of the Information Regulator available to data
subjects. Refer to the ‘TIP’ at the bottom of this post and include this
information in that document.
But wait, there’s more:
The steps referred to in points 1 to 8 above
must be taken -
i. if the personal information is collected directly from the data subject, before
the information is collected, unless the data subject is already aware of the
information. This is a very important point. When it comes to the collection of
personal information from the data subject, it is very important that they are
made aware of all these matters before the collection starts, not during
and not after, as a courtesy. Many responsible parties believe that they can
make these disclosures, and obtain consent, retrospectively or as they go along, but POPIA is very clear on
this point: the disclosures have to be made, and any consent obtained, upfront.
ii. in any other case, before the information is collected or as soon as reasonably
practicable after it has been collected. This would be the instance where the
information is collected from third parties such as
databases. First prize here would also be to inform the data subjects that the
collection is going to take place, but it is obviously not practical when you
don’t know upfront what information you will be receiving from the third party.
It is, however, very important that the data subject is notified before any
further processing takes place (refer to our post on Further Processing
Limitation).
Reusing the Information:
As you can see, there is a lot of information
that has to be disclosed and a number of conditions that have to be met before
the information can be collected. POPIA provides some respite here for the
responsible party in that, if they were compliant with steps 1 to 8, they do not
have to go through this process again every time they want to process the
personal information of the data subject, as long as it is the same information
and for the same purpose.
From a practical standpoint this makes sense,
but if the purpose of the processing changes at all, the responsible party will
have to inform the data subject and obtain their consent to use the information
for the new purpose. The responsible party will already be in
possession of the personal information, so it will not have to go through the
entire collection process again, because the original disclosure will already have been made.
Exceptions:
Because of the large amount of work involved in
all the steps above, POPIA does contain a few exceptions where a responsible
party will not have to comply with the provisions of points 1 to 8. They are:
a. The data subject has provided
consent for the non-compliance. This consent will have to be a positive act by
the data subject, and the responsible party must keep the evidence of this
consent.
b. Non-compliance would not prejudice
the legitimate interest of the data subject. Again, this brings us to a value
judgment and again it is important to document the reasons why you believe it
would not prejudice the legitimate interests of the data subjects.
c. Non-compliance is necessary
i. to avoid prejudice to the maintenance of the law
by a public body, such as crime prevention or detection
ii. to comply with an obligation imposed by law, or
in order for SARS to be able to collect revenue
iii. for the conduct of proceedings in a court
d. Compliance would prejudice a lawful purpose of the collection
e. Compliance is not necessary or practicable in the circumstances of the case. This one is
very wide open and there is a risk of responsible parties using this as
justification for not complying. If this is you, then make sure that you
document the reasons why it would not be practicable.
f. The information will
i. not be used in a form in which the data subject may
be identified. De-identified information is information that cannot be linked
to a specific individual. It is important, when you rely on this exception, that
you de-identify the information in such a way that it cannot be reconstructed
to link to a specific individual.
ii. be used for historical or statistical research
purposes. The key here is research, so the use of the information is unlikely
to have an impact on the data subject. Again, this is a
slippery slope and should not be used as an excuse for circumventing the
requirements of this Condition when the information is not actually used for
research purposes.
TIP: One easy way to ensure
compliance with your notification requirements under the Openness principle in
POPIA is to create a disclosure document or disclosure pack in which you make
available all the information you are required to disclose, including all the
statements listed above. Create a fillable PDF so that you can easily
complete the changeable information on a case-by-case basis.
- Adv. Rian Schoeman