Litigation Update, Protection of Personal Information Bill ("POPI")
In late August this year, Parliament approved the Protection of Personal Information Bill ("POPI"). The only remaining step for it to become an Act is for it to be assented to by President Zuma.
POPI is a "personal information protection statute" and its enactment will see South Africa keeping abreast with international developments in this regard. As the world has got smaller with the Internet it has become easier to find out personal information about someone without their knowledge and/or consent. As it has become easier to access personal information about people, the need to protect their personal information has increased.
POPI creates obligations on the way that you gather, process, store and destroy information. It will not apply to personal information processed for purely personal or household activities and journalistic, literary and artistic purposes purposes are also excluded.Failures to comply have serious consequences. POPI applies not only to the personal information of natural persons but also to a juristic or corporate entity.
The definition of ‘‘personal information’’ is very wide and includes almost any information that you may have about someone as well as information relating to their personal opinions and views and private or confidential correspondence sent by the person.
POPI sets out 8 Conditions for the lawful processing of personal information. These conditions are important and must be met otherwise your processing of information will be unlawful for which there are serious consequences and substantial penalties.
Personal information can only be processed in certain circumstances, such as if the person consents, the processing is necessary to carry out actions for the conclusion or performance of a contract to which the person is a party, the processing complies with an obligation of law, the processing protects a legitimate interest of that person or for pursuing the legitimate interests of the responsible party.
For those in credit management and control, more often than not, these are the reasons that they are processing personal information. If you have the person’s consent to process the information that will entitle you to process their information. The information would still need to be relevant for the purpose for which it is being processed; however consent from the person will provide you with permission to process the information. It is prudent to include a consent to process information in terms of POPI in trading terms and conditions or in credit application forms.
POPI will have a substantial impact on direct marketing. POPI will change direct marketing from an “Opt Out” scenario to an “Opt In” one. In the future, you can be approached and asked once if you are prepared to receive marketing materials. If you say no or opt out the marketer may not approach you again without falling foul of the Act. If you agree to receive marketing material then it may be sent to you but you must be given the option on every bit of marketing material received.
Personal information must be collected directly from the person whose information it is except where it is contained in or derived from a public record or has been made public by that person. Personal information may be obtained from another source if the person consents. Such a consent can, and should, be included in credit terms or terms and conditions.
Personal information may not be retained for longer than necessary to achieve the purpose for which was obtained unless that retention is authorised by law. It may be retained for statistical purposes but there must be safeguards that this all it will be used for. POPI requires the destruction or deletion of personal information as soon as it is no longer required. Destruction or deletion must be done in such a manner as to prevent it from being re-created in respect of both physical and digital records.
POPI also requires that a responsible person must secure the integrity and confidentiality of personal information and take steps to prevent loss of, damage and unauthorised destruction of personal information as well as unlawful access to or processing of information. In other words not only must you keep the information safe, but also ensure that no one else can access it.
A breach of POPI can give rise to a civil action for damages as well as criminal sanction. Certain breaches constitute an offence with the possibility of serious penalties and fines including being sentenced to imprisonment of up to 10 years and/or a fine of up to R10 million.
Judy von Klemperer, Partner
Contact: 031 575 7509 and email@example.com