If you have been on the receiving end of those endless phone calls in the evening, offering insurance or “free holidays”; or if your email inbox is at least fifty percent spam; or if you have “won $300 million” in some lottery, then you will understand why there has been a worldwide movement to protect the consumer from unsolicited or malicious contact. This is becoming an increasing concern in light of the huge increase in technology-based fraud and identity theft. The Protection of Personal Information Act 4 of 2013 (PoPI) addresses the issue of unsolicited contact, but it goes a lot further in insisting on a high level of care in maintaining personal privacy and holding organizations accountable for any non-compliance.
The purpose of the Act is to ensure that all businesses and organizations are responsible and ethical when collecting, processing, storing, sharing and deleting personal information. It does this by holding organizations accountable should they misuse, exploit or accidentally compromise personal information in any way, irrespective of any intent or negligence. PoPI legislation has effectively placed a high Rand value on personal information and therefore confers on the owner of this information (the data subject) similar rights and obligations as if this were a physical property.
PoPI is extremely far-reaching and unless you have reviewed every policy and procedure against its draconian requirements, you can assume that your business is in contravention. Even then, you may still fall foul of the law through the careless or inadvertent act of a staff member or third party. Ignorance is not an excuse and there is a case of “guilty until proven innocent’’. As the director of a business found to have seriously contravened the spirit and letter of the law, you may face a fine of up to R10 million or even ten years in jail! Like it or not, PoPI compliance is now an integral part of your job as a small business owner/manager.
Who is a “data subject”?
It is important to note that this right to protection of "personal information" is not just applicable to a natural person (i.e. homo sapiens) but any juristic person (e.g. companies and other organizations). All these persons are considered to be "data subjects" and are afforded the same protection in terms of the Act. A company is considered a “responsible party” and therefore is obliged to protect information about employees, suppliers, business partners, vendors, service providers, etc. This responsibility does not end if a third party has access to the information e.g. an outsourced administration or HR function.
What is “personal information”?
The PoPI Act defines a "unique identifier" to be data that "uniquely identifies that data subject in relation to the responsible party". Information that does not in any way identify a person (e.g. a telephone number without a name) cannot be classified as personal, neither is information that is in the public domain. A data subject cannot cry wolf if the information in question is freely accessible on social media or public directories. The key to deciding if the information is personal lies in the combination of a person’s name and email address or mobile number. This clearly identifies the person and provides a means of contact. A rule of thumb is that if Information falls under the categories below and is linked to a name or other identifier, then it should be treated with special care:
Contact details (telephone or mobile numbers; physical, email or postal address, social media addresses)
Demographics (age, gender, race, birth date, ethnicity)
Personal history (Identity and/or passport number, employment, financial, educational, criminal, marital, educational, medical history, membership to organizations/unions
Biometric and physical (photos, voice recordings, video (also CCTV))
Religious, philosophical or political beliefs
To become and to remain compliant is going to take a concerted effort to edit policies, educate staff, amend contracts with third parties and to identify possible vulnerable areas such as data storage and email services based offshore. While PoPI has been enacted, there has been a slow implementation by the government in terms of the regulation and enforcement thereof, but this is a temporary reprieve. It would be wise to get your house in order lest you pay a heavy price.
Key Take Out: PoPI has made you and your business responsible for the way you collect, store and use personal information. It is highly likely that you are in contravention of the Act and you may face serious penalties. Take the time to become familiar with your obligations and adjust your business practices accordingly.
Author: Janet Askew