This week’s article continues to look at the conditions governing the lawful processing of personal information as stated in Chapter 3 of the Protection of Personal Information Bill and how this will practically affect your organisation.
The 8 Conditions listed in Chapter 3 are as follows:
• Processing limitation
• Purpose specification
• Further processing limitation
• Information quality
• Security safeguards
• Data subject participation
This week’s condition is Processing Limitation and the key elements are:
1. Fit for purpose
2. Collection of information
3. Consent from data subject
4. Sourced directly from the data subject
1. Fit for purpose (referring to “minimality” in the bill) refers to the nature of the information collected and whether this information is specific and relevant for the intended purpose and not excessive. In simple words, if you are not actually using the information you collect then don’t collect it.
2. The method of information collection must be lawful and must not infringe the privacy of the data subject. Practically, this means that law firms need to assess the processes they use for the collection of personal information.
3. The data subject (or a competent person in the case of a minor) has to consent to the processing of personal information by the responsible party. The onus rests on the responsible party to provide proof of such consent. Furthermore, the data subject may withdraw consent at any time, in which case the responsible party must stop processing this information. The data subject can also request that the responsible party destroy all such personal information. From a practical perspective this clause may have a significant impact since, in order for a firm to be able to act on the data subject’s instruction to stop processing or destroy personal information, the firm must know exactly what information it possesses and where this information resides (e.g. the information may exist on more than one computer, in backups and so on). Effective controls will likely require, at a minimum, a register to be maintained. This will be discussed in more detail in next week’s article.
4. The final section of this condition relates to the collection of personal information directly from the data subject. The bill states that personal information must always be collected from the data subject, unless otherwise provided in other subsections of the bill. There will be certain exceptions to the rule, as in the case of conveyancing. In this instance law firms will typically receive information pertaining to the bond transaction from the bank rather than from the data subject. Law firms will need to be clear about their responsibility when working with information sourced from the bank.
For the full text of this condition in the bill, click this link: http://keyphase.co.za/popibill
An area that is often neglected is bond origination. Though the banking conditions generally apply less to bond origination, from a PoPI perspective bond originators process a host of personal information and by all means need to comply with the law. Often firms are involved in bond origination organisations and, though separated from an organisational perspective, they may share the same IT infrastructure and, more importantly, have the same directors and CEO. This can count in a firm’s favour, as implementing processes for compliance in the main firm’s business can also ensure compliance for the bond origination organisation. Firms do, however, need to ensure that both organisations are compliant, as a security breach in either of the organisations will impact the directors, which in turn will impact the other organisation.
The purpose of this article is to summarise the key concepts included under Condition 2. From the above, and the previous two articles, it should start to become clear that rigorous controls are required to ensure effective management of personal information and compliance with the Protection of Personal Information Bill.
Contributed by Keyphase Technologies.