For anyone who is not familiar with the PoPI Act and what it entails, here is a brief summary along with some guidelines on how your business will need to comply.
Firstly, some background: the PoPI Act sets out the conditions under which you may lawfully process a ‘data subject’s’ (a person’s) personal information. The Act provides for the protection of personal information processed by public and private bodies, in a manner that recognises an individual’s right to privacy.
The PoPI Act does not prohibit you from processing personal information, nor does it require you to obtain a person’s permission in every case before processing it. If you are going to process, use or share someone’s personal information, however, it is up to you to comply with the conditions set out in the Act.
The Act sets out an individual’s right to know:
- What is done with your information
- How your information is processed or shared
- Who receives your information or with whom it is shared
- What type of information is processed and shared; and
- Why your information is processed or shared
The Act gives effect to these rights through its eight conditions for the lawful processing of personal information:
- Accountability
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Openness
- Security safeguards
- Data subject participation
The Act applies to anyone who keeps any database or other type of record relating to a person’s personal information. It regulates the processing and sharing of personal information, including records already in your possession.
We are all familiar with those painful, unsolicited text messages and phone calls offering you a ‘can’t-be-missed’ opportunity to join a time-share offer or take up a mobile phone contract with an out-of-this-world free data package included.
Apart from the intrusion and inconvenience we often find ourselves wondering where on earth these institutions got our information and who granted them permission to approach us.
The PoPI Act has changed how consent is treated for direct marketing purposes: consumers must ‘opt in’ before being marketed to, and existing customers must be given the opportunity to ‘opt out’.
This means that the processing of a person’s personal information for the purpose of direct marketing by any means of electronic communication is prohibited unless that person has specifically consented to the processing, or is an existing customer of the party conducting the marketing.
It is helpful to note that a responsible party may approach a person (who has not previously withheld consent) only once to request consent for the processing of their personal information for direct marketing purposes. The consent must be obtained in the prescribed manner.
Compliance with the PoPI Act will affect your organisation’s processes, its technology and the manner in which employees process personal information.
Organisations are advised to take the following steps in order to comply with the Act:
- Raise awareness of the PoPI Act with all data management professionals in your organisation
- Review the rules governing data requests
- Implement security controls to protect personal information
- Adopt a compliance culture to instil the importance of the Act
- Align your policies, processes and procedures to the Act
- Include PoPI Act compliance in the key performance areas and contracts of those who handle the data
- Ensure all governance documents complement each other when relating to the Act
It is imperative that you and your organisation include all terms and conditions related to the use of a person’s personal information in your standard terms and conditions.
This could be set out in a separate annexure to your standard terms and conditions, or attached as your Personal Information Protection Policy, which both parties will be required to sign.
This could also be in the form of a consent form attached to your contract, agreement or terms and conditions. How you incorporate this is up to you but it must be incorporated to ensure your business complies.