Are You Protecting Your Customer’s Data?

Are You Protecting Your Customer’s Data?

SHARE

The collection, usage and sharing of personal information is regulated primarily by the Protection of Personal Information Act 4 of 2013. The Act was recently promulgated and is yet to be implemented. The Act seeks to give expression to the right to privacy provided for in the Constitution.

At the time of writing, the primary enforcement arm contemplated by the Act, the Information Regulator, has yet to be appointed. Once appointed, all businesses will be required to register with the Information Regulator to make public what personal information is being collected, and what it is being used for.

The Information Regulator will be empowered to enforce compliance with the Act, and able to investigate whether an entity is lawfully processing the public’s personal information. 

Related: Protect Your SME From PoPI

How are privacy policies affected?

The Act defines the term ‘processing’ broadly, and includes “the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use of a person’s personal information”. To process a person’s personal information, the prior consent of the person (data subject) is needed.

Personal information includes email addresses, names, identity numbers, phone numbers, the race, gender, religion, marital status of a person, and if applicable, an entity such as a company, to name but a few. One of the purposes of a business’ privacy policy is to obtain such consent, by an indication that the privacy policy has been read and agreed to.


 Recommended by Entrepreneur

Florist-business-insurance

Why Would A Florist Need Insurance For Their Flower Shop?


The primary purpose of a privacy policy is to set out in clear and concise terms what personal information is collected by the company, and exactly what the company will and will not do with that information. It should also set out whether personal information will be shared, and with whom.

The Act restricts a company’s ability to store personal information outside of the country by requiring that it be transferred only to countries in which comparable security laws and data protection measures exist.

A situation such as this arises more easily than expected. Consider the example of the humble contact form: Your website, with its local server situated in Midrand, utilises a plugin to create custom contact forms.

Although your server may be in Midrand, every person who completes the contact form on your website has their personal information transferred and stored on servers in the home jurisdiction of your plugin creator, which may be in the US. But the plugin creator may also make use of third-party service providers based in Vietnam. An in-depth investigation of all third-party plugins and processes of a website is therefore required to ensure that you comply with the Act.

Access by a data subject to personal information

A data subject is entitled to request a full disclosure of any personal information held by the company.

As the procedures governing access to personal information overlap, companies should also ensure compliance with the processes outlined by the Promotion of Access to Information Act 2 of 2000 (‘PAIA’).

Related: Five Tips for Effective Marketing that Complies with the POPI Act

In terms of PAIA, all companies are required to compile a manual that needs to be registered with the South African Human Rights Commission. This manual sets out the company’s contact information, what records are available for inspection, the identity of the leadership of the company, as well as the manner in which a person may request access to information held by the company.

However, the Minister of Justice and Correctional Services has exempted private bodies from complying with this requirement for a period of five years, starting from
1 January 2016.

To ensure compliance with all data protection, privacy, and access to information laws, a privacy policy and a PAIA manual will be required by every business.

Kyle Torrington
Kyle Torrington is the co-founder of LexNove, a company that aims to revolutionise the legal industry through an online platform that allows legal professionals to bid on legal work through a fixed-price proposal system.

Most Read