The POPI Act
POPIA & Your Website
– Marlon Brando
WHAT PERSONAL INFORMATION MAY A COMPANY COLLECT AND WHY?
You as business and website owner, may collect any personal information as long as it is for a specific purpose and the client is informed. So, collecting personal information to conduct your ordinary business operations is totally within the scope of POPIA, as long as you take reasonable steps to protect the data that you collect. You may not use the data for any other reason outside of the business operations of your company. You must inform the client of all intended uses of their information, how it will be processed and how it will be secured. The client may hold you liable if you use their data outside of your legitimate business purposes, expose their data or lose their data.
You may not sell, rent or lease personal information to others. You may not store personal information outside of South Africa, without client consent. This includes applications such as OneDrive, iCloud, Dropbox. For all these applications, you need client consent.
WE’VE ASKED COMPLIANCE EXPERT AND CONSULTANT, MARTIE SCHOEMAN, TO EXPLAIN IN A NUTSHELL HOW THE NEW DATA PRIVACY LAW (POPIA) IN SOUTH AFRICA WORKS AND MORE SPECIFICALLY HOW IT WILL AFFECT WEBSITE OWNERS…
The Protection of Personal Information Act (POPIA) recently came into effect on 1 July. The Act is designed to protect your personal information and deliver your constitutional right to privacy.
The protection of personal information and data has become the object of global recognition. Also, in South Africa we experience the globalisation of economies, rapid expansion of technology, the convergence of information and communication technology, the expansion of the Internet and its ability to transfer information from one country to another. Now, in South Africa, information, including personal and sensitive information, is open to abuse. The POPIA aims to limit access to personal information as well as the way that it is processed. It is all about the protection of the individual and conforming to world standards of information protection.
In the end POPIA aims to ensure that information is collected, stored, processed, shared, and destroyed in a responsible manner. POPIA sets down eight conditions for lawful processing of personal information:
- Processing limitations
- Purpose specification
- Further processing limitations
- Information quality
- Security safeguards
What is personal information?
Personal information is everything regarding a living person or juristic person. This means that not only living people are included in the Act, but also deceased. Also included as a “data subject” or “person” are other businesses, estates, trusts, or any juristic entity.
Personal information means any of the following:
- Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
- Information relating to the education or the medical, financial, criminal or employment history of the person.
- Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier of the person.
- The biometric information of the person.
- The personal opinions, views or preferences of the person.
- Correspondence sent by the person that is of a private or confidential nature. This includes emails, Skype chats, Zoom meetings, WhatsApp messages, SMS’s, letters, notes, anything given to you by that person in confidence. (There are of course exclusions, such as legal prosecutions, etc).
- The views or opinions of another individual about the person.
- The name of the person if it appears with other personal information relating to the person.
If you collect any form of the above information through your website, you need to make sure that you do it in a manner that is in line with POPIA requirements. This affects you as a business and more specifically, a website owner, in the following manner:
Direct MarketingDirect Marketing is process that involves a direct approach to a client by mail or some form of electronic communication. This could include email, automatic calling machines, faxes, SMS’s, text, video, WhatsApp and any manner of spam. The POPIA limits you as business owner in your approach to clients and emphasizes the need for client consent when it comes to direct marketing.
E-commercePOPIA requires from you that you take reasonable security steps to protect personal data, when it comes to e-commerce, or any form of online transaction. First, you must identify possible security risks, that could lead to the exposure, theft or loss of personal data. This means that you have to look at how your website processes and stores data, especially if emails with receipts, order numbers, invoices, bills for services rendered are automatically generated. POPIA requires you to protect the personal information, such as name linked to an email address. You need to make sure that the email sent is either password protected or encrypted. Not only must it be password protected, but the email may not contain the password. An OTP system would be a quick fix to such a problem. Please take note that there may be many more types of exposure risks to information collected by a website (it would differ from site to site), and it is your job, as responsible party, to ensure that you have sufficient security measures in place against possible data breaches.
ProfilingProfiling refers to the automated process of collecting a lot of information from a person from a lot of different places. Google Analytics is a prime example of this. Your online activities are tracked, and a customer profile is automatically generated. However, POPIA specifically states that while tracking is allowed, no decision by you may be made about that person based on automatically generated information only. This includes any decision that has legal consequences such as credit worthiness, reliability, location, health, personal preference or conduct.
MORE ABOUT MARTIE SCHOEMAN…
Martie has been involved in business management, policy and procedure development and compliance facilitation for the past 11 years. In her experience, she found the most "off-the-shelve" policy products and packages were hard to understand and impossible to implement. Therefore, Martie approaches POPIA compliance in a different manner… she believes that we first need to understand what is required from us as small businesses where after if you are provided with a comprehensive and understandable product, and then guided in implementation, the impossible becomes possible. She believes in full business solutions.
084 526 0071