
Topic 6 – Cybersecurity Awareness Month

Oct 21, 2020, 10:00 AM by Riaan De Villiers

POPIA Principle 6 - Openness

Today’s topic, Openness, covers a lot, so this post will be a little longer. It is, however, important to know what disclosures you have to make in order to legally collect the personal information of a data subject.

MYTH: AS LONG AS I HAVE CONSENT I DON’T HAVE ANY FURTHER REQUIREMENTS WHEN PROCESSING PERSONAL INFORMATION

RESPONSE: THERE IS A LARGE AMOUNT OF INFORMATION THAT HAS TO BE DISCLOSED TO THE DATA SUBJECT WHEN PROCESSING PERSONAL INFORMATION

POPIA states that a responsible party is obliged to ensure that the data subject is aware of:

1. The information being collected and, if not collected from the data subject, the source from which it is collected. We have seen this before in POPIA under Purpose Specification, but here it is again. The data subject must know that the information is being collected in the first place and, if it is not collected from the data subject itself, it has to be disclosed from where. How many times have you received a phone call from a completely random company trying to sell you something and, when you questioned where they got your information from, they were either unable to answer, or they would say the National Consumer Database or “a database”? This is not good enough. They must be able to identify the exact source of their information if they did not get it from the data subject.

2. The name and address of the responsible party. If you are the responsible party, this one can be overcome by having this kind of information freely available on your website and other sources. See our tip below for another way of dealing with this requirement.

3. The purpose of collection. Again, this is nothing new and we saw this under Purpose Specification. Just to recap though, the data subject must be made aware of the exact purpose for which the information is being collected.

4. Whether the supply of information by the data subject is voluntary or mandatory. We have discussed instances where the supply of personal information does not need consent, such as when there is a legal obligation or when the parties are involved in a contract. There is still a duty on the responsible party to disclose whether the provision of the personal information is mandatory or voluntary.

5. The consequences of failure to provide information. One very important aspect of POPIA is that it is a two-edged sword. In instances where the provision of personal information is voluntary, there is no obligation on the data subject to provide the personal information. But there is equally no duty on the responsible party to proceed with the delivery or the contract where the data subject is not willing to provide their personal information. It creates a balance of power, but in some instances the responsible party will have more power because ultimately the data subject wants their product and would provide personal information just to get the product. Whether consent was obtained willingly in such a case is up for debate, but not within the ambit of this post.

6. The law authorising or requiring the collection of information. Where the collection of the information is required by law, the data subject cannot really object, but the responsible party has to inform the data subject of the applicable law. Where there is a law authorising the collection, it means that the responsible party can collect the information, but must still inform the data subject.

7. If the information is to be transferred to a third country or international organisation, the level of protection afforded to the information. Many people will have objections to their personal information being transferred out of South Africa, not knowing that they do so daily by using email services such as Gmail and storing data on Dropbox and Google Drive. Despite this, it is still important when considering transferring personal information outside of South Africa to make sure that there are some security measures in place, because you need to be able to give the data subject comfort that their information will be protected. This is a very sensitive point for many people, so make sure that you are prepared to answer questions about the security of the personal information if you transfer it outside local borders. We will come back to this point when we talk about Security Safeguards.

8. In addition, the responsible party must also furnish any further relevant information which is necessary, given the specific context in which the information is or is not to be processed, to ensure that the processing is reasonable. These considerations include:

a. The category or categories of recipients of the information

b. The nature or category of the information

c. The existence of the right of access to, and the right to rectify, the information collected. This one is quite important and links back to Information Quality. The rights to access and rectification are fundamental to POPIA and many businesses are not prepared for this. If a customer of yours were to ask you today to provide them with all of their personal information in your possession, would you be able to do so? How easy would it be for you to correct an address or other information?

d. The existence of the right to object to the processing of personal information. While every data subject has the right to object to the processing of their personal information, there will be instances where they will not be successful. Examples would be where there is a legal obligation to process the personal information, where the legitimate interest of the responsible party outweighs that of the data subject and, of course, when there is a contract in place. It is very important, though, to ensure that all access requests and objections are documented and that records of those requests and the responses thereto are kept and easily accessible, in case of an enquiry or investigation by the Information Regulator.

e. The right to lodge a complaint with the Information Regulator and the contact details of the Information Regulator. Every data subject has the right to lodge a complaint with the Information Regulator and, even if the responsible party believes that there is no basis for the complaint, they must still make the contact information of the Information Regulator available to data subjects. Refer to the ‘TIP’ at the bottom of this post and include this information in that document.

But wait, there’s more:

The steps referred to in points 1 to 8 above must be taken:

i. if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information. This is a very important point. When it comes to the collection of personal information from the data subject, it is very important that they are made aware of all these requirements before the collection starts, not during and not after, as a courtesy. Many responsible parties believe that they can obtain consent retrospectively or as they go along, but POPIA is very clear on this point and the consent has to be obtained upfront.

ii. in any other case, before the information is collected or as soon as reasonably practicable after it has been collected. This would be the instance where the information is collected from third parties such as databases. First prize here would also be to inform the data subjects that the collection is going to take place, but it is obviously not practical when you don’t know upfront what information you will be receiving from the third party. It is, however, very important that the data subject is notified before any further processing takes place (refer to our post on Further Processing Limitation).

Reusing the Information:

As you can see, there is a lot of information that has to be disclosed and a number of conditions that have to be met before the information can be collected. POPIA provides some respite here for the responsible party in that, if they were compliant with steps 1 to 8, they do not have to go through this process again every time they want to process the personal information of the data subject, as long as it is the same information and for the same purpose.

From a practical standpoint this makes sense, but if the reason for the processing changes at all, the responsible party will have to inform the data subject and obtain their consent to use the information for the new purpose. It follows that the responsible party will already be in possession of the personal information, so it will not have to go through the entire process again, because the disclosure would also already have been made.

Exceptions:

Because of the large amount of work involved in all the steps above, POPIA does contain a few exceptions where a responsible party will not have to comply with the provisions of points 1 to 8. They are:

a. The data subject has provided consent for the non-compliance. This consent will have to be a positive act by the data subject, and the responsible party must keep the evidence of this consent.

b. Non-compliance would not prejudice the legitimate interests of the data subject. Again, this brings us to a value judgment and, again, it is important to document the reasons why you believe it would not prejudice the legitimate interests of the data subjects.

c. Non-compliance is necessary:

i. to avoid prejudice to the maintenance of the law by a public body, such as crime prevention or detection;

ii. to comply with an obligation imposed by law, or in order for SARS to be able to collect revenue;

iii. for the conduct of proceedings in a court.

d. Compliance would prejudice a lawful purpose of the collection.

e. Compliance is not necessary or practicable in the circumstances of the case. This one is very wide open and there is a risk of responsible parties using this as justification for not complying. If this is you, then make sure that you document the reasons why it would not be practicable.

f. The information will:

i. not be used in a form in which the data subject may be identified. De-identified information is information that cannot be linked to a specific individual. It is important, when you rely on this exception, that you de-identify the information in such a way that it cannot be reconstructed to link to a specific individual;

ii. be used for historical or statistical research purposes. The key here is research, so the use of the information is unlikely to have an impact on the data subject. Again, this is a slippery slope and should not be used as an excuse for circumventing the requirements of this Condition when the information is not actually used for research purposes.

TIP: One easy way to ensure compliance with your notification requirements under the Openness principle in POPIA is to create a disclosure document or disclosure pack in which you make all the information you are required to disclose available, including all the statements above. Create a fillable PDF so that you can easily complete the changeable information on a case-by-case basis.

- Adv. Rian Schoeman
