This week’s article addresses Condition 4 of the 8 listed in Chapter 3 of the Protection of Personal Information Bill, titled Further Processing Limitation. The fundamental principle underlying this condition is that the purpose for the further processing must be compatible with the original specified purpose.
The 8 Conditions listed in Chapter 3 are as follows:
Further processing limitation
Data subject participation
Further processing limitation
The responsible party must determine whether there is alignment and in doing so should consider the following factors:
· the relationship between the purpose of the further processing and the purpose for which the information was originally collected
· the nature of the information collected
· the consequences that further processing will have for the data subject
· the manner in which the information has been collected; and
· any contractual rights and obligations between the parties
In addition to the considerations above, there are circumstances under which further processing will be considered to be “not incompatible”:
· the data subject has consented to the further processing of the information;
· the information is available in or derived from a public record or has deliberately been made public by the data subject;
· further processing is necessary due to reasons relating to other legal processes, SARS, national security;
· the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to
(i) public health or public safety; or
(ii) the life or health of the data subject or another individual;
· the information is used for historical, statistical or research purposes (with consent) and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; or
· the further processing of the information is in accordance with an exemption granted under section 37.
For the full text of this condition in the Bill, see: http://keyphase.co.za/popibill_condition4
From a practical perspective, the first step for firms is to have complete clarity on the original purpose for which the information was collected from the data subject. This purpose definition needs to be understood and made available across the organization to any individual who may work with the information. This is particularly relevant to firms where more than one department works with personal information as the risk is that much greater that further or subsequent processing is not aligned with the original purpose. The onus rests on the responsible party (the firm) to prove that all processing is compatible with the original purpose and it is therefore crucial that all staff working with personal information are informed on how to ensure this is the case.
In the previous weeks’ articles the implementation of an information record register was touched on. The presence of such a register will also assist in ensuring compliance with this condition, providing one confirmed source to all relevant staff within the organization which clearly states the purpose for which the information was originally collected so that all those working with this information can responsibly gauge compatibility.
Contributed by Keyphase Technologies.
Keyphase Technologies was founded in 2010, with specific focus on Information Security Management. The ComplianC Software from Keyphase is targeted at PoPI, enabling law firms to comply with the least amount of effort. Dedicated to helping our clients to comply with legislation, we design, implement and automate the business processes required for compliance. Read more at keyphase.co.za, or send an email to firstname.lastname@example.org