The Protection of Personal Information bill, soon to be enacted, will define the conditions under which personal information is lawfully processed. As the business of lawyers involves working with personal information on a daily basis, the impact is obvious. This week we look at Data subject participation.
The 8 Conditions listed in Chapter 3 are as follows:
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Security safeguards
- Data subject participation
We have reached the final condition for lawful processing of personal information, Condition 8, which deals with Data Subject Participation. This condition simply states that the responsible party must make it possible for a data subject to interact with the personal information the responsible party holds about them.
The bill also again refers to the Promotion of Access to Information Act (PAIA), which in practice means the firm needs to follow the procedures set out in its PAIA Manual.
Let’s view this again in a practical light. What does this mean in my firm? On a macro level, it means you will have to allow a data subject to interact with the personal information you possess. That interaction takes the form of a request: a request to access, correct or destroy the information. The bill sets conditions relating to charges, estimates of charges and the estimated time to complete the request.
In order to fulfill any of these requests, the firm needs to know, at a minimum:
- What information it possesses
- Where that information resides
- How to retrieve or destroy it
These conditions again point to the need for an up-to-date information register. This register needs to be accessible by anyone acting on a request, so that they can establish what information exists and where it resides. In addition, anyone in the firm who updates or processes information needs access to the register to record any change to the information record. Also keep in mind that automated processes, for example an automated backup, need to feed into the register: an automated backup means that a copy of the personal information record now exists in the backup set as well, and that copy was created without the interaction of any person.
Another key point of this clause is the destruction of information. The bill states:
“Correction of personal information:
24. (1) A data subject may, in the prescribed manner, request a responsible party to—
(a) correct or delete personal information about the data subject…
(b) destroy or delete a record of personal information about the data subject…
(2) On receipt of a request in terms of subsection (1) a responsible party must—
(a) correct the information;
(b) destroy or delete the information;
(c) provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or…”
The key point is that it is your responsibility to provide proof of your actions. This establishes the requirement to keep an audit trail of every action performed on the information, so that the firm can prove, for example, that information was destroyed. Keep in mind that this information exists in various places and in various forms. Proof of destruction therefore includes proof of destruction of paper records, proof of destruction of digital information when a PC or laptop is taken out of service, and so on.
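To make the register and audit-trail requirements above concrete (the register that records where every copy resides, the automated backup that must feed into it, and the audit entries that serve as proof of destruction), here is an added illustration in Python. It is not code from the article or from Keyphase Technologies; the record ids, storage locations, data subject names and the "backup-job" actor are constructed sample values.

```python
"""Information register with an audit trail for data-subject requests.

Added illustration, not code from the article or from Keyphase Technologies.
Record ids, storage locations and the backup-set name are constructed sample
values; the 'backup-job' actor models an automated backup with no human involved.
"""
from datetime import datetime, timezone


class InformationRegister:
    def __init__(self):
        self.records = {}   # data subject -> {record_id: location of that copy}
        self.audit = []     # every action on a record, oldest first

    def _log(self, actor, action, subject, record_id, location):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "subject": subject,
                 "record": record_id, "location": location}
        self.audit.append(entry)
        return entry

    def add(self, actor, subject, record_id, location):
        # A person capturing or filing information registers where it now resides.
        self.records.setdefault(subject, {})[record_id] = location
        return self._log(actor, "create", subject, record_id, location)

    def backup(self, backup_set):
        # Automated process: each live copy now also exists in the backup set,
        # so the new copy is registered even though no person acted.
        for subject, copies in self.records.items():
            for record_id, location in list(copies.items()):
                if location.startswith("backup:"):
                    continue
                copy_id = f"{record_id}@{backup_set}"
                copies[copy_id] = f"backup:{backup_set}"
                self._log("backup-job", "copy", subject, copy_id, copies[copy_id])

    def access(self, actor, subject):
        # Access request: report every copy held and where each one resides.
        self._log(actor, "access", subject, "*", "")
        return dict(self.records.get(subject, {}))

    def destroy(self, actor, subject):
        # Destruction request: remove every copy (paper, disk, backup) and
        # return the audit entries that serve as proof of what was destroyed.
        copies = self.records.pop(subject, {})
        return [self._log(actor, "destroy", subject, rid, loc)
                for rid, loc in copies.items()]
```

A destruction request answered from the register covers the backup copy as well, and the returned audit entries are the evidence the firm keeps for the data subject.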
Keeping track of all information might sound like a ridiculous request. The good news again is that it is not that difficult to do. If your firm keeps a sound register of information and has the supporting business processes to keep the register updated, referring to the register at any point will enable you to answer these requests. In the end, compliance with PoPI boils down to sound management practice in your firm.
Contributed by Keyphase Technologies.