This week’s article on the Protection of Personal Information bill addresses the sixth condition which is Openness. There are two elements to this condition: 1 – Notification to the Regulator and 2 – Notification to the Data Subject.
The 8 Conditions listed in Chapter 3 are as follows:
Accountability
Processing limitation
Purpose specification
Further processing limitation
Information quality
Openness
Security safeguards
Data subject participation
Notification to the Regulator
The condition requires that a responsible party, as defined in the bill, must inform the Regulator of its intention to process personal information before it commences with that processing, whether the processing serves a single purpose or several related purposes.
However, compliance is not required if the responsible party compiles, or has compiled, a PAIA (Promotion of Access to Information Act) manual which includes the information stipulated in section 58 of the bill, summarized as follows:
• the name and address of the responsible party
• the purpose of processing
• a description of the categories of recipients to whom the personal information may be supplied
• planned trans-border flows of personal information
• a general description of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of information which is to be processed
It should be noted that at this time the Regulator has not yet been established. This will only take place once the bill has been enacted.
Notification to the Data Subject
When personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of:
• the information being collected and if not directly from the data subject, the source from which it is collected
• the name and address of the responsible party
• the purpose for which the information is being collected
• whether or not supply of this information by the data subject is voluntary or mandatory
• the consequences of failure to provide such information
• any particular law which authorizes or requires the collection of the information
• the intention of the responsible party to transfer the information to a third country or international organization and the level of protection provided to this information by that country or organization
• any further information necessary to enable the processing in respect of the data subject to be reasonable, taking into account the specific circumstances in which the information is or is not to be processed. For example:
o recipient or category of recipients of the information
o nature or category of the information
o existence of the right of access to and right to rectify the personal information collected
o the existence of the right to object to the processing of the information
o the right to lodge a complaint to the Information Regulator and contact details.
The data subject should be made aware of the above information before the information is collected or, where the information is collected from a source other than the data subject, as soon as reasonably practicable after it has been collected.
The responsible party is exempted from the notification requirement in the following circumstances:
• the data subject has consented to non-compliance with the notification requirement
• non-compliance does not prejudice the legitimate interests of the data subject in terms of this Act
• non-compliance is necessary for reasons pertaining to the law, any court proceedings or national security
• compliance would prejudice a lawful purpose of the collection
• it is not reasonably practicable to comply in the circumstances of a particular case
• the information will
o not be used in a form in which the data subject may be identified, and
o be used for historical, statistical or research purposes.
On the practical side, the question arises of how to implement this. As far as notification to the Regulator is concerned, once the Regulator is established it may provide a means of registering with it. If not, the most practical route is probably to create or adjust the firm's PAIA manual so that it covers the items listed above.
As for openness towards the data subject, this condition further highlights the need for an information asset register, because any change to the information collected, or to the purpose for which it is collected, must be communicated to the data subject. The firm therefore needs to know what personal information it holds and for what purpose, so that any change raises a flag to notify the data subject.
For a full description of this condition, refer to this link: http://keyphase.co.za/popibill_condition6
Contributed by:
Keyphase Technologies was founded in 2010, with specific focus on Information Security Management. The ComplianC Software from Keyphase is targeted at PoPI, enabling law firms to comply with the least amount of effort. Dedicated to helping our clients to comply with legislation, we design, implement and automate the business processes required for compliance. Read more at keyphase.co.za, or send an email to info@keyphase.co.za