In this week’s article we continue to look at the conditions governing the lawful processing of personal information, as stated in Chapter 3 of the Protection of Personal Information Bill, and how this will practically affect your organization.
The 8 Conditions listed in Chapter 3 are as follows:
• Processing limitation
• Purpose specification
• Further processing limitation
• Information quality
• Security safeguards
• Data subject participation
Under the magnifying glass this week is the 3rd condition; Purpose Specification. The key elements of this condition are:
1. Collection for specific purpose
2. Retention and restriction of records
1. Personal information should only be collected to fulfill a specific purpose. As a simple example; say a client uses your firm for both litigation and registration of a bond. Per PoPI, you may only collect the relevant information for each transaction at the time the specific transaction commences irrespective of whether your firm is aware of both transactions. As mentioned in our previous article, if you don’t require the information for the specific task then don’t collect it.
In addition to this, and barring the special conditions set in section 18 (4), the data subject must be made aware of the purpose for which the information is to be collected and processed, and of course just what this information encompasses.
2. Section 14 of the bill provides the detail around the conditions for retention and restriction of records. As a general rule, the information collected should only be retained for as long as it is required for the completion of the task, however, records can be kept for statistical, historical or research purposes. In such instances, the onus rests on the responsible party to have appropriate safeguards in place to protect the information.
At the time when the information is no longer required the information must be de-identified or destroyed. Again this will require rigorous controls in the law firm to ensure that the firm is clear on a) the information it possesses, b) where that information resides and c) how to provide proof that information was destroyed. Keep in mind that a lot of the information exists in paper format.
For the full text of this condition in the bill, click this link; http://keyphase.co.za/popibill_condition3
Condition 2 of the bill discusses the issue of Consent. Firms will need to implement mechanisms for obtaining consent from data subjects, in writing, and maintaining a record of such consent. It makes sense that the consent also includes the requirements included under Condition 3. With regard to deleting data, firms need to implement various processes and means to do this effectively. On a practical level this might mean firms need to review their existing procedures to enable the destruction of information. The compliance aspect for collection of information is probably the easy part, compliance in getting rid of information, and be able to prove it, might be the problem.