Whilst the Protection of Personal Information Act (“POPIA”) was enacted as far back as 2013, its enforcement has largely been “waiting in the wings” until now. On the 1st of July 2020, the majority of the Sections of POPIA have become operational. The implication of this development is that public and private institutions who process personal information within the parameters defined in the POPIA will need to comply with its provisions and will be held accountable for non-compliance.
“Processing” of information is defined in the POPIA as:
“any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –
- The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- Dissemination by means of transmission, distribution or making available in any other form; or
- Merging, linking, as well as restriction, degradation, erasure or destruction of information.”
What constitutes “lawful” processing?
POPIA has clearly defined conditions or parameters for the lawful processing of personal information, some of which will be traversed in this article.
Firstly, it is important to note that each entity processing personal information will be accountable for compliance with the provisions of the POPIA (Section 8) and must ensure that information is processed in a lawful and reasonable manner (Section 9) having consideration for the interests of the data subject. It is also important to note that personal information may only be processed if it is adequate, relevant and not excessive having regard for the purpose of its processing (Section10).
Some of the core conditions of lawful processing are contained in Section 11 of the POPIA which stipulates that personal information may only be processed if:
- The data subject consents to the processing, (where the data subject of a child/ minor, a competent person must provide consent);
- The processing protects the legitimate interests of the data subject;
- The processing is necessary for the conclusion of a contract to which the data subject is a party;
- The processing is performed in compliance with an obligation imposed by law;
- The processing is necessary for the performance of a public law duty; or
- The processing is essential for pursuing the legitimate interests of the business, or a third party to whom the information is supplied.
It is important to note that the onus will be on the processing party/ responsible party to prove that the necessary consent has been obtained from the data subject or competent person prior to the information being processed, or further processed, alternatively that any of the other provisions above have been adequately satisfied.
With the emphasis being placed on consent – whilst express written consent to processing is not required by the POPIA, it is always advisable for consent to be obtained in writing as this will assist the responsible party in discharging their burden of proof in this regard.
It is also important to take heed that consent must be voluntary and informed; meaning that the data subject furnishing the said consent must be adequately informed of the purpose of the collection of the information, the type of personal information that is being collected and where necessary disclosure in respect of the personal information possibly being transferred to a third party in the ordinary course and scope of business.
A further consideration to take into account with regard to consent is that it is revocable, meaning that the data subject has the right according to the POPIA with withdrawing their/ its consent at any given time provided that the lawfulness of the processing before such withdrawal as contemplated in Section 11 will not be adversely affected.
It is becoming clear that the POPI Act will have far-reaching implications for public and private entities when it comes to the processing of personal information and for this reason, it is important for those entities who are still unsure to seek the necessary qualified assistance with regard to compliance.
Should you feel that your business requires Consumer or POPIA related assistance please contact your nearest SEESA office.
About the author:
Carmen Ronne started her career at SEESA in 2011 and is currently a Legal Advisor in the Consumer Protection and POPI department at SEESA’s Durban office. She obtained her LLB degree from the University of Kwazulu-Natal in 2003.