Much has been written about the Protection of Personal Information Act (POPI), its effect on direct marketing and the consequences of unlawful use and processing by responsible parties. Despite this, in the case of MiWay v King Goodwill Zwelithini, MiWay found itself under the scrutiny of the Information Regulator when a telephonic conversation between one of its sales agents and King Goodwill Zwelithini was leaked on social media. The telephone call in question was made by the sales agent to the King for the purpose of touting short-term insurance to him. The content of the conversation itself could not be described as bearing much personal information and is therefore not the issue in contention for the purpose of this article. However, MiWay will be required to address the following:
- How its representative obtained the King’s personal contact details.
- How the recording of the conversation was leaked on social media.
Notwithstanding the legal remedies which may be sought by the King against MiWay, the security leak was brought to the attention of the Information Regulator who issued a statement highlighting the following:
- Data subjects must consent to the processing of their personal information.
It will, therefore, have to be determined how MiWay obtained the King’s private contact details and whether it had the King’s permission to process them. If the element of consent is absent, the processing by MiWay will be deemed to be unlawful.
- Personal information must be collected directly from data subjects.
If the information was not obtained directly from the King, MiWay will be required to identify the source of the information. The King, however, has the right of recourse to object to the processing of his information and may request MiWay to refrain from contacting him for direct marketing purposes.
- The responsible party’s obligation to secure the confidentiality of personal information under its control.
The fact that the recording was leaked on social media is an indication that MiWay does not have sufficient measures in place to prevent the unlawful access or processing of personal information. In order to comply with the above, the responsible parties must ensure that reasonable technical and organisational measures are in place to:
- Identify and document all reasonably predictable internal and external risks to personal information in its possession or under its control.
- Establish and maintain appropriate safeguards against identified risks.
- Verify that the safeguards are effectively implemented.
- Ensure that the safeguards are continuously updated in accordance with newly identified risks or deficiencies that may influence the current safeguards.
The Information Regulator reiterated that if POPI had been fully operational, the King would have been in a position to lodge a complaint against MiWay. Despite the fact that POPI is not fully operational as yet, responsible parties should note that this does not preclude the Information Regulator from engaging a responsible party as it now seeks to do with MiWay.
In spite of the above, members of the public may seek relief afforded in terms of Section 51 of the Electronic Transactions and Communications Act (ECTA), which sets out the minimum requirements when processing personal information electronically and the recourse afforded to data subjects. Responsible parties must, therefore, note that they cannot simply wait for POPI to become fully operational before moving towards compliance as data subjects already have recourse in terms of existing legislation and may exercise same. It is therefore recommended that responsible parties initiate processes and policies in order to commence the road to compliance if they have not done so as yet.
ABOUT THE AUTHOR
Mariam Allie obtained her BA LLB degree from the University of the Western Cape. She is a registered attorney, notary, and conveyancer. She is currently a SEESA Consumer Protection and POPI Legal Advisor at our Cape Town office.