The Protection of Personal Information Act, Act 4 of 2013 (“POPIA”), provides for the protection of Personal Information of a Data Subject which is processed by all natural and juristic Persons.
In this third part of our 5-part series regarding the lawful Processing of Personal Information, we will discuss Further processing limitation (Condition 4), Information quality (Condition 5), and Openness (Condition 6).
Condition 4: Further processing limitation
The further Processing of Personal Information may only be conducted in circumstances where the Processing is consistent with the original purpose for which it was collected, as provided for in section 13 of POPIA.
To establish whether the further Processing is consistent with the purpose of collection, the factors set out in the following test should be considered by the Responsible Party:
- The connection between the intended purpose of the further Processing and the purpose for which the Personal Information was initially collected;
- The nature of Personal Information;
- The potential consequences for the Data Subject;
- The manner in which the Personal Information has been collected; and
- Any contractual rights and obligations between the Data Subject and the Responsible Party.
Condition 4 provides for circumstances where the further Processing will be consistent with the purpose of collection. These are:
- Whether the Data Subject him / herself, or a Competent Person in the case of a minor, consented to the further Processing;
- Whether the Personal Information is a matter of public record or has been made publicly available by the Data Subject;
- Whether it is necessary to uphold or comply with the law, enforce legislation, conducting proceedings in any court or tribunal or whether it is in the interest of national security;
- Whether it is necessary to avoid or mitigate a “serious and imminent threat” to the health and safety of the public, as well as the life or health of the Data Subject or other individuals;
- Whether the Personal Information is used for “historical, statistical or research purposes…”;
- Whether the further Processing is in terms of any exemptions set out in section 37 of POPIA.
Condition 5: Information Quality
It is the Responsible Party’s duty to ensure that any Personal Information collected are complete, accurate, truthful and regularly updated. In order to ensure the quality of Personal Information, the Responsible Party must take any and all steps reasonably possible to ascertain such quality (with due regard to the purpose of collection or why further Processing is necessary). POPIA does not define or elaborate on what will constitute such “steps”.
Condition 6: Openness
All documentation relating to the Processing undertaken by a Responsible Party must be kept / maintained in a manner referred in sections 14 or 51 of the Promotion of Access to Information Act, Act 2 of 2000.
In addition, when Personal Information is collected, the Data Subject needs to be made aware of:
- The Personal Information being collected, or where the information is collected from a third party, the source of such information;
- The name and address of the Responsible Party;
- The purpose of collection;
- Whether the supply of Personal Information is voluntary or compulsory;
- Whether any legislation requires or authorises the collection of Personal Information;
- Whether the Responsible Party plans to transfer the Personal Information to another country or international organisation, and if so, what protection is afforded to the Personal Information by such third country or international organisation; and
- Any other information as may be applicable / necessary.
The above must be taken into account when deciding whether Personal Information should be processed or not, to establish whether the Processing is reasonable.
The steps mentioned above must be taken before Personal Information is directly collected from the Data Subject. In any other case, the steps must be taken before the Personal Information is collected or as soon as possible thereafter.
The steps are not applicable where the Data Subject (or Competent Person) consents to the ‘non-compliance’ with the steps, or where no prejudice is present.
A Responsible Party need not comply if the ‘non-compliance’ will result in the avoidance of prejudice, compliance with the law, or compliance with legislation concerning the collection of revenue. In addition, ‘non-compliance’ with the steps may be necessary to conduct certain tribunal / court proceedings or where it is required in the interest of national security.
Further exemptions apply where it is not possible to conduct the steps or where the use of the Personal Information will not identify the Data Subject.
Do not miss out on the next issue where we will discuss conditions 7 and 8.