At the core of the Protection of Personal Information Act (POPIA) are 8 conditions (also referred to as principles by a number of practitioners) for the lawful processing of personal information. These conditions form the cornerstone of your privacy programme, and any claim of being POPIA ready means that you need to have addressed all of them.
The downside to a principle-based law is that there is no checklist of what you have to do. You simply have to provide evidence that you have complied with the conditions. The upside, however, is that you get a great deal of say in exactly how you comply with them. In privacy law, a behemoth like Facebook will be treated differently from the neighbourhood church handling congregants’ data. There are vast resource differences between the two, and the church would likely not be required to have the firewalls, intrusion detection, and security teams that Facebook would be expected to have. This is where the law speaks about doing what is “reasonably practicable” for you.
So, with the conditions below, you need to look into what is reasonable for you to do, given the resources available to you. This is not to say that you can just claim “it was too expensive” when you didn’t do anything. There are some things that the regulator would regard as non-negotiable, but you can decline to do certain things with reasonable (sometimes considerable) justification.
Condition 1: Accountability
To comply with this at a basic level is to say that, as a business, you are going to comply with the 8 conditions. It is being accountable for the personal information that you are processing. At a deeper level, if we look at the GDPR (General Data Protection Regulation, a similar European law to which SA will look for guidance), accountability also includes having records available to prove that you are complying. This includes policies, procedures, and records that show that you have an effective compliance programme in place.
If you think of it from a practical standpoint, the regulator is not going to be able to physically send someone to a business to check that your operations are compliant straight off the bat. The first thing that they will do is likely ask for supporting information to show you comply. If you can’t provide it, that’s certainly a red flag for closer scrutiny, but if you can provide it, it’s more likely going to be an inspection to verify that your operations match your claims in documentation.
Condition 2: Processing Limitation
The first parts of condition 2 are processing lawfully and with minimality. Lawfully means that you are processing data in accordance with relevant laws (even outside of POPIA), and minimality refers to processing only the information that you need in order to meet your defined purpose. So if you need an email address and a name for the purpose of sending out your newsletter, you don’t collect a phone number and postal address “just in case”.
The next part of condition 2 refers to consent and justification. I think this is where a lot of the public read “consent” and stop reading further. There are a number of justifications under which you may process data, above and beyond consent (and there are a lot of cases where you simply would not rely on consent). These may be in terms of a contract, legitimate interest as a business, or compliance with other legal obligations such as Economic Equity laws. More on these in next week’s article!
Condition 3: Purpose Specification
The primary section of condition 3 deals with collection for a specific purpose. In my view, this condition links conditions 2 and 4 into a trifecta that is a vitally important guiding light in terms of data processing across the business. You need to specify a purpose for what and why you are processing information. You can’t limit what data you need (condition 2) if you haven’t specified what the purpose is for which you’re processing.
The second part of condition 3 deals with retention of information. In short, once your purpose is complete, you need to get rid of the information. There are exceptions to this though, in that other regulations (such as the income tax act or requirements from SARS) may require you to keep certain pieces of information for longer. You may also have different retentions specified within a contract.
Condition 4: Further Processing Limitation
Wait, isn’t this condition 2? Nope! This condition ties up 2 and 3 into a neat little bundle. It states that you cannot process information you’ve already collected for a purpose other than the one you’ve already stated. If you are changing the purpose for which you collected the data, you will need to gain consent for this. There are other exceptions, such as for legal action, crime prevention, and compliance with tax; but in general you cannot go and use the information for something new without interaction with your data subjects (the people to whom the data belongs).
Condition 5: Information Quality
This one is quite simple: the information that you’ve collected needs to be up-to-date, complete, and not misleading. This points to keeping your mailing lists, CRM databases, employee records (and anything else, really) clean and current. This may involve allowing customers to update their own information periodically, or sending out regular update requests. It also involves managing your bounce lists on marketing mailers!
Condition 6: Openness
Section 17 of POPIA is, I think, one of the most overlooked lines in the act, particularly with these “silver bullet” service providers. It states that you need to maintain documentation of processing activities in terms of the Promotion of Access to Information Act (PAIA), section 14 (public bodies) and section 52 (private bodies). This includes your PAIA manual and, I advise, a record of processing activities. The Record of Processing Activities, or ROPA, is also useful in terms of condition 8.
This condition also goes into providing notice to data subjects, to ensure that they are aware of your processing, particularly if you have collected information from a source other than the data subject directly. This particular section affects a number of industries that are notorious for collecting information from third parties, such as life insurance, marketing agencies, estate agencies, and recruiters. There are exceptions here, as with the other conditions, but they are very specific and would need significant justification.
Condition 7: Security Safeguards
This is the box that most POPIA compliance “silver bullet” solutions fall under; they end up solving (maybe) one eighth of your compliance. This is a big section with a lot of responsibility, so let’s dive in.
The first section deals with the integrity and confidentiality of information. This means that you need to put in place technical safeguards and processes to ensure that information is not leaked (a breach of confidentiality) or deleted/modified (a breach of integrity). This could be things like firewalls, antivirus tools, safes, strongrooms, access control and more. It is not limited to the IT side of things! I have yet to find an antivirus package that can ensure that someone’s credenza is locked.
Next, the act talks about making sure that those processing under your authority (outsourced providers such as payroll, IT and so forth) are doing so with your knowledge and under your instruction. They must also treat the information with the same care that you do, and they must have security safeguards in place too. I maintain that you need to ensure, by means of contract, that your contractors/outsourced providers are obliged to use at least the same security as you when processing data on your behalf.
Lastly, it deals with breach notifications: your outsourced providers need to notify you, and you need to notify the regulator and possibly the public when a breach occurs. It also details how and when you need to notify the people whose data has been breached. There are a lot of ifs and buts in this section, which is why you need a defined incident response plan and a well-trained Information Officer.
Condition 8: Data Subject Participation
Data subject participation refers to people having access to their information, as well as being allowed to correct their information. Access to the information means you need to be able to tell people what information you have of theirs, what you are doing with it, and who you may have shared it with. This is where a Record of Processing Activities comes in really handy!
It also refers to people being allowed to correct or request the deletion of their information. Where information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained illegally, the data subject has the right to request correction or deletion. It also becomes your responsibility to ensure that the same request filters down to any subcontractors or outsourced data processors in the chain.
The conditions above may seem daunting, but if you take into account what they are trying to achieve, in essence they are just guidelines of doing good, honest business. There is a lot of work involved in getting your initial compliance going, but once it is in place, it comes down to maintenance. If you’d like assistance in getting your business compliant with the principles, feel free to book a 15-minute enquiry call below.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance and security maturity; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.