What everyone in South Africa must learn from the privacy debacle.
It was with a bit of irony that Facebook users all over the world reacted with outrage over recent privacy scandals.
It seems like the more selfies, intimate family pictures, personal movements and travels, dietary activities and opinions we share with the entire world, the more we become aware of our right to be left alone, and, in extreme cases, the right to be forgotten. (“The Facebook memorial page may stay, but only the good pictures”, one can hear some say.)
The Facebook furore was, of course, not frivolous. Millions of users had their personal information handed over, without their permission, to a UK-based research company, where it was used in an attempt to influence elections in the United States.
South Africans, albeit in relatively small numbers, were also affected. Advocate Pansy Tlakula, the local Information Regulator, wrote to Facebook demanding answers on how the data scandal occurred and how it would be prevented in future.
Advocate Tlakula’s move may have been confusing to some. How could a South African official take on a US-based company? And who is the Information Regulator anyway?
The answer lies in the Protection of Personal Information Act, commonly referred to by its acronym, POPI, which was passed as law in 2013. The majority of the provisions of the Act are not yet in effect and this may be the only saving grace for hundreds of businesses in South Africa.
“POPI will change everything about the way we deal with information. People must be aware of what lies ahead,” says PR de Wet, a Director at VDT Attorneys, who practices in this area.
“Essentially, POPI will regulate every aspect of how one collects, captures, stores and destroys personal information.”
Due to the very wide definitions used in POPI, it will affect almost all businesses in some obvious and other more surprising ways. Telemarketers and businesses with call centres may be affected disproportionately (more about that in a future article), but many businesses may not even realise that they are processing personal information in terms of POPI.
Do you have a website where people may contact you? Do you send promotional material or newsletters to clients? Or do you simply have a spreadsheet which details past transactions with your clients? All of these are relevant in terms of POPI.
“Personal information” is defined broadly. Apart from names, it entails everything from age, sex, marital status, race, personal views or beliefs, place of birth, addresses, phone numbers, ID numbers, biometric information, educational background and IP addresses, amongst others. The list is endless.
“Processing” means any activity or process – whether it is automatic or not – where you receive, collect, record, update, retrieve, organise, store, modify or consult any personal information. Sharing information with a third party – even within the same organisation – constitutes processing and the Act even regulates the destruction of personal information. As soon as you process any personal information, you have to comply with POPI.
A pool cleaning business will collect personal information when a client calls, disseminate information to the technician who will be sent out to the house, capture information for the invoice and possibly have a database of clients. This culminates in sending out the actual invoice which will contain personal information.
Once your activity falls within the ambit of POPI, you have to comply with eight conditions set by the Act:
- Accountability. The responsible party, such as the owner of a business, takes full responsibility for how employees process personal information.
- Processing limitation. This condition prescribes how personal information may be lawfully obtained and processed.
- Purpose specification. Personal information may only be collected for a specific, explicitly defined and lawful purpose, and the person concerned must be made aware of that purpose.
- Further processing limitation. There are restrictions on distributing information to anyone else or to use it for any other purpose.
- Information quality. POPI places an obligation on a business to ensure that the information remains correct and up to date.
- Openness. The responsible party must be transparent about its processing: it must keep documentation of its processing operations and must inform people, when their personal information is collected, what is being collected and why.
- Security safeguards. Appropriate physical, technical and organisational measures to protect personal information, including an obligation to notify the Regulator and all affected people if their personal information has been compromised, as Facebook had to do.
- Data subject participation. Respecting the right of people to have access to their own information and challenge it.
POPI is no poppie. It has punch.
Non-compliance with the Act may, in the most extreme circumstances, lead to criminal sanctions of a fine of up to R10 million, imprisonment of up to 10 years, or both. These maximum penalties are reserved for the most serious offences, such as those involving the compromise of financial account information.
The Act brought about the establishment of the Information Regulator, currently headed by Advocate Tlakula, where members of the public may complain about the processing of their personal information. Affected people will also be able to institute civil actions against those who processed their information.
However, the reputational damage to any business should be reason enough to take note of and prepare for POPI. Just ask Facebook.
Don’t be fooled by what seems like people’s increasing willingness to share personal information. The exhibitionists will likely be the first to insist on their right to be left alone – and possibly tell others all about it.