The Protection of Personal Information Act, Act 4 of 2013 (“POPIA”), provides for the protection of Personal Information of a Data Subject which is processed by all natural and juristic Persons.
In this second part of our 5-part series regarding the lawful Processing of Personal Information, we will dive into Accountability (Condition 1), Processing Limitation (Condition 2), and Purpose Specification (Condition 3).
Condition 1: Accountability
A party responsible for the Processing of Personal Information must ensure that the conditions set out in Chapter 3 of POPIA, and the measures that give effect to those conditions, are complied with. Compliance is required at the time of determining the purpose and method of Processing the Personal Information, and during the Processing itself.
Condition 2: Processing limitation
Personal Information must be processed in a manner which is lawful, reasonable and which does not infringe on the privacy of the Data Subject.
The Processing must also be minimal, meaning that the Processing must be adequate, relevant, and not excessive with regard to the purpose for which the Personal Information is being processed.
Personal Information may only be processed with the consent of the Data Subject or, where the Data Subject is a minor, the consent of a competent person, being “any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child”. The Processing must also be justifiable, by considering whether it:
- Is necessary to accomplish the conclusion or performance of an agreement to which the Data Subject is a party;
- Complies with an obligation imposed by law on the Responsible Party;
- Protects legitimate interests of the Data Subject;
- Is necessary for the proper performance of a public law duty by a public body; or
- Is necessary for pursuing the legitimate interests of the Responsible Party or of a third party to whom the information is supplied.
The burden of proving that proper consent has been obtained rests on the Responsible Party. Consent may also be revoked at any time, but such revocation will not affect the lawfulness of any Processing which may have already taken place.
The Data Subject may object to the Processing of Personal Information unless legislation provides otherwise. Once a Data Subject objects to the Processing of Personal Information, the Responsible Party must cease Processing.
In particular, a Data Subject may object to the Processing of Personal Information for purposes of direct marketing, subject to section 69 of POPIA.
Personal Information must be collected directly from the Data Subject, unless:
- The information is public record;
- The Data Subject or, in the case of a minor, a competent person has consented to the collection from another source;
- Collection from another source would not harm a legitimate interest of the Data Subject;
- Collection from another source is necessary;
- Compliance would harm a lawful purpose of collection; or
- Compliance is not reasonably possible in the circumstances.
Condition 3: Purpose specification
Personal Information may only be collected for a specific, specifically defined, and lawful purpose, of which the Data Subject must be aware.
POPIA further makes provision for retention periods and restriction of Records. Records of Personal Information must not be kept for any longer period than is necessary for attaining the purpose for which they were collected or processed, subject to certain exceptions. Where a Responsible Party has used a Record of Personal Information to make a decision regarding the Data Subject, it must retain the Record for such a period as may be required or prescribed by law or code of conduct. Should there be no such law or code of conduct, the Record must be kept for such a period of time as will afford the Data Subject access to the Record.
Should the Responsible Party not be authorised to retain the Record, it must destroy or delete the Record as soon as possible. Such destruction or deletion must be carried out in such a way that it cannot be reconstructed in an intelligible form.
The Processing of Personal Information must be restricted by the Responsible Party if: its accuracy is contested by the Data Subject; the Responsible Party no longer needs the Personal Information, but it has to be maintained as proof; the Processing is unlawful but the Data Subject opposes its destruction or deletion; or the Data Subject has requested that it be transmitted into another automated processing system. As soon as the Processing of Personal Information is restricted, the Responsible Party must ensure that the Data Subject is informed before any lifting of the restriction of Processing.
From the above, it is clear that there are very strict conditions which need to be complied with when collecting, obtaining consent for, Processing, storing, destroying and deleting Personal Information. These conditions are mandatory and should be strictly followed by a Responsible Party. Do not miss out on the next issue where we will discuss conditions 4 through 6.