As someone who deals with business a lot on POPIA, my blog is often focused on this area. Today, I will focus on the consumer side, as I have seen a dramatic increase in posts on social media around actions contravening POPIA (that actually don’t). The purpose of POPIA is, among others, to give effect to the right to privacy of the individual. This, however, is met with the clause “balancing the right to privacy against other rights” and “protecting important interests including the free flow of information within the Republic”. In this post I’ll be unpacking your rights in a little more detail.
Many people are now jumping on the bandwagon that POPIA is there to protect them and they are quick to call out companies doing things in contravention of the act – sometimes incorrectly. Yes, it’s there to protect you, but it’s important to note that privacy is not an absolute right. There are checks and balances, as well as exclusions, to ensure that businesses, the economy, and government can operate effectively while still safeguarding a reasonable (and much needed) right to privacy. In short, it’s a give and take (previously, it was more take than give). I do encourage everyone reading this article to actually read POPIA; it’s pretty easy to understand as far as acts go.
Basically, companies have to process your information according to certain principles, and you have the following rights (summarised):
- To be notified that personal information has been collected about you
- To be notified that personal information of yours has been accessed without authorisation
- To find out whether a company holds information of yours and to give you access to it
- To request correction or deletion of information (the so-called “right to be forgotten” has its caveats too, more later)
- To object to your information being processed at any time (T’s & C’s apply)
- To object to and opt-out of direct marketing at any time
- Not to have your information processed for marketing you didn’t ask for
- Not to be subjected to purely automated decision making without conditions being met
- To submit complaints to the regulator
- To start legal proceedings in terms of breaches of POPIA
As I mentioned before, the right to privacy is not absolute, and these rights are subject to a number of conditions. The act is over 70 pages, so there’s definitely more to it!
There are a number of exclusions and provisions around your rights that I’ve listed, and we’ll go into a few of the most commonly asked ones here. First, there are a number of exclusions listed directly under the rights in the act. The act does not apply to (summarised):
- Purely personal or household activity
- Data that has been anonymised / de-identified
- Processing on behalf of a public body for national security or public safety
- Prevention or prosecution of criminal activities
- Processing by the Cabinet or Executive Council of a province
- Processing relating to the function of the courts
- Protection against terrorist activities
In addition to the above, there are also exclusions around journalism, literary works, or artistic purposes – though there are conditions and codes of conduct that apply here.
Consent and Contract
Not everything in POPIA relies on consent, contrary to popular belief. There are a number of legal ways that a company (or the government) can process your data without gaining consent. The most common is a contract. If you think about your employment at a company, there is an employment agreement in place. Certain information of yours HAS to be processed in order to fulfil that contract (such as paying your salary). Consent would not be relied on here.
Similarly, when it comes to things like contact tracing for COVID-19, there may be exclusions to consent given that the processing would very well be in line with protecting public safety. In fact, there are already regulations in place for contact tracing in South Africa, over and above the POPIA act.
“The Right to be Forgotten”
I have this heading in inverted commas, because this is not written into the act, and it’s a bit of a confusing concept that we see a lot from Europe and in the media. Yes, under your rights you may request that your information is removed by a company, but if that company would be breaking another law by doing so, they cannot do so (they can only stop processing). Let’s use the employment example again. You can request that a former employer deletes all your information, but if they are still required to hold certain information in terms of the Income Tax Act, they will not legally be able to remove the information. You basically cannot request that a company breaks the law by exercising your privacy rights.
Read the Act
In closing, I know that it’s not really something that’s considered weekend reading, but read through the acts that affect you and learn what your rights are as an individual. You have a number of acts that protect you, and it would be in your interest to familiarise yourself with them. Logging complaints with companies and the regulator for infringements of your privacy is a good thing. We all need our data handled responsibly and with care. That said, you do not want to be the person that is logging requests incorrectly only to have them denied because you weren’t aware of the conditions laid out above. I’ve included links below to POPIA and the Consumer Protection Act as some light reading. If you’re part of a company looking to be able to facilitate these requests in a well-defined manner, feel free to reach out to me to help implement a privacy programme for your organisation.