The Protection of Personal Information Bill (POPI) will be signed by the President in the first half of 2013 – but what is it? And how will it affect our businesses, and individual rights?
The intention of POPI is to establish a protection for personal information regime in South African law, and bring us in-line with international standards of protection of personal information.
Once the Bill has passed the National Council of Provinces, and become an Act, we will have one year to become compliant. This period can be extended to a maximum of three years by the Minister. And, in the light of South Africa’s typically lax response to such occasions, I expect that the extension will be required.
What POPI means
POPI protects personal information by restricting how it can be collected and used, and sets out eight principles:
Accountability: The responsible party, those who process the personal information, must ensure that all the principles and the measures are complied with.
Processing limitation: This stipulates that processing must be done lawfully and in a manner that does not infringe the privacy of the individual, and that personal information can only be processed if the processing is adequate, relevant and not excessive, given the purpose for which it is to be used.
Purpose specification: Personal information must only be collected for a specific purpose and the individuals must be aware of the purpose of collection. In addition, records must not be retained for longer than necessary to achieve the purpose for which it was collected or processed for.
Further processing limitation: This is simply stating that further processing must be compatible with the purpose of collection.
Information quality: The holder of the data must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated when necessary. All the while upholding this, taking into account the purpose for which the information was initially collected.
Openness: Steps are required to ensure that the data subject is aware of the personal information being collected and the purpose of collection.
Data subject participation: the data subject can request whether an organisation holds their private information, and what information is held. They may also request the correction or deletion of information which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
Security safeguards: the responsible party must secure the personal information under their possession/control.
The direct marketing angle
Specifically relating to the running of SMS marketing campaigns, direct marketers cannot use personal information for direct marketing unless the consumer has given permission, and in the case or a direct marketing organisation, they must have ‘opted in’.
The consumer can ‘opt-in’ in one of two ways. Firstly, they can give their consent to receive direct marketing. This would ideally be obtained when the information is collected, but you can also approach the consumer for consent later. If doing this, you can only approach the consumer once for consent.
As an aside, direct marketers must obtain a consumer’s contact details in the first place to approach for consent. Unless these contact details were in the public domain, e.g. a telephone directory, merely obtaining the contact details could be an infringement of POPI.
For example, if you received a list of individuals and their contact details from a company that collects and sells marketing information (data vendor), the data vendor would itself have infringed POPI by passing the list on, even if you never use any of the information. Unless the individual specifically consented to their information being passed on.
Secondly, if the consumer is a customer of a direct marketer (and not of anyone else) then they can use the information for direct marketing only if:
- The data was obtained in the context of the sale of a product or service
- The direct marketing will be in respect of the marketer’s own similar goods/services
- The consumer has been given a reasonable opportunity to object to receipt of direct marketing both when the data was first collected AND on each occasion when direct marketing is made to the consumer.
POPI makes provision for enforcement notices to be served on those infringing the data protection principles or the direct marketing provisions of POPI. Failure to comply with an enforcement notice is an offence, and on conviction may lead to a fine, up to 10 years in prison, or both.
Perhaps more seriously, if a data subject suffers any loss as a result of an infringement, the responsible person will be strictly liable for this loss. In other words, it does not matter if the responsible person was negligent, or acted intentionally in infringing POPI – if the infringement caused loss to the consumer, the responsible person is liable.
As SMS gateways we must be careful to specify that we are not ourselves conducting the direct marketing, but that our systems are being used by a direct marketer e.g. a retailer, bank or other institution. In other words you must ensure that you are mere conduits insofar as this is possible.
Consumer Protection Act
The provisions of POPI will be in addition to those set out in the Consumer Protection Act (CPA). Section 11 of the CPA allows for consumers to pre-emptively block direct marketing by listing their contact details in a ‘do not contact’ registry. The registry is yet to be set up, but once it has been the two Acts will inter-relate:
Direct marketers will have to assume that, unless a consumer has expressly consented to receive direct marketing from that direct marketer, that a pre-emptive block has been registered. The direct marketer must first query the registry to make sure that no pre-emptive block has been registered before it can market to that consumer.
Note that until it has done this, the direct marketer cannot send any communication to the consumer if the approach or communication is primarily for the purpose of direct marketing.
Applied to the provisions of POPI, a direct marketer will have to check the registry before it can even approach a consumer for consent to market to that consumer.
Even for its own customers, the direct marketer will have to check the registry unless the customer has expressly consented to receive direct marketing, even if the marketer has previously sold similar products or services to the consumer.
To conclude, South Africans will have, for the first time, the right to privacy of their personal information in an enforceable way. It’s going to be a period of change and uncertainty for many, but as organisations responsible for people’s personal information we must all act responsibly, and uphold the reputation of businesses like ours, as well as our partners who use our service.
Can Your Words Be Used Against You?
Yes, they most certainly can. Here’s what the RICA Act has to say about recordings.
“This call may be recorded for quality control and records purposes…” Anyone who has been on hold with insurance companies would be familiar with these words — but what are the implications of a recorded conversation and when is it legal?
In essence, the Regulation of Interception of Communications and Provision of Communication-Related Information Act of 2002 (mercifully shortened to ‘RICA’) permits any person, who is a party to a conversation to record that conversation, provided that it is direct communication — which is defined as oral communication between two or more persons that occurs in the immediate presence of those persons.
Section 4 of the RICA Act governs this aspect of our monitoring law. What is unclear, however, is the degree to which this extends to legal persons, such as a company that monitors a call centre agent’s performance, for example.
Related: Understanding Shareholder Agreements
Evidence in legal cases
While limited to direct communications and not covered by third party interception, such as an eavesdropper, the lesson here remains pretty stark — you could legally be recorded during any conversation you have.
The implications of this are significant — just ask former Springbok player Luke Watson, who had a conversation recorded during a function in 2008 that was subsequently leaked to the media.
Furthermore, with the widespread use of smartphones, together with applications freely available on the relevant app stores, designed to record cellphone calls, the likelihood of you being recorded — whether you know it or not, is ever increasing.
Beyond the moral or ethical ambiguity of this, the legal ramifications of what is recorded are more certain — the recording may be used against you as evidence in any criminal proceedings, or equally as possible, in civil proceedings where, for example, agreement to a contract or term thereof is in question, or in the insurance company’s case, whether or not to repudiate a claim based on the information you provide to them.
Related: Protect Your SME From PoPI
Know the business exception
Section 6 of the RICA Act contains a course of business exception that allows the interception of indirect communication:
- a) By means of which a transaction is entered into in the ordinary course of business
- b) Which relates to that business
- c) Which otherwise takes place in the course of that business.
While there has not, to my knowledge, been a reported case that deals with this aspect of the RICA Act, the implications regarding the use of this information to evidence the valid conclusion of a contract or as to the intentions of the parties to a contract are significant, particularly given that the scope is relatively broad, although limited.
The matter has, however, come before the Constitutional Court in the 1999 criminal case of S v Kidson, where the court held, per Justice Cameron, that unless a “reasonable expectation of privacy exists” it would be difficult to prevent the recording or interception falling within the ambit of the RICA Act.
Where to from here?
From both a commercial and criminal perspective, this should serve to remind us all of our wise grandmother’s words — if you have nothing nice to say, rather say nothing at all (especially because you never know whether you are being recorded).
Why You Shouldn’t Be Sweating The Fine Print
Signing a contract is a big deal, and you never want to sign anything you don’t fully understand.
While it is almost always a grudge purchase, ensuring that you have had a legal eye cast over a contract you intend to conclude means that you are protected, that you understand the nature of the obligations you are taking on and perhaps, an even better deal for you.
Given that legal agreements are an important aspect of commerce, we have distilled key points for you to consider, before engaging with external counsel. This will make the process more efficient and, hopefully, less expensive.
Reviewing a contract is a tricky business, not entirely different from asking a builder to finish building a half built house. However, there are some useful techniques to ensure you get the most out of the exchange with your lawyer.
Always create a timeline
You have lived and breathed your business and this transaction, while your attorney is possibly hearing about the matter for the first time.
Setting the scene correctly puts your attorney in the picture and explains what you want out of the exchange. Print this out for your attorney.
It will help an attorney identify key areas of risk which you might not have anticipated. Be sure to also tell your external counsel how quickly you need the review to be done. Setting expectations means there is less chance of disappointment later.
Provide supporting documents
It wastes your time and money when your attorney has to come back to ask you for supporting documentation.
Try to anticipate which documents will be relevant to your transaction and bring copies of them to the meeting for your attorney to consider. If you have previous versions of the agreement, for example, bring those too.
Remember, the more background work you do, the simpler and more efficient the process will be.
Understand your needs
Are you looking for a high level overview of your document to highlight some key contractual risks or are you looking for a thoroughly sanitised document reviewed from every possible angle?
I recently had to look over Jim’s Sale of Business Agreement for the potential acquisition of his Technology Company. He came to me with limited areas of risk which he had identified and wanted me to look at these clauses.
I was able to advise him to push back on certain clauses he had already negotiated and the resulting document placed him in a stronger legal and financial position. It was easy to justify the costs associated with the review.
This is not always necessary though — where there is limited legal exposure, or you have no bargaining power, the role of the attorney can be restricted, but still worth the investment since you have assurance that your legal exposure is as restricted as possible.
Be guided by the relative value of the document and the ensuing legal responsibilities — is this a standard supply agreement with a strange payment clause or a multi-national acquisition of intellectual property? The type of expert you engage with will vary, as will the cost of the review.
Areas of concern
Directly related to knowing your business and understanding your needs, is your responsibility to communicate specific areas of concern to your attorney.
A recent client’s business processed a lot of personal information, in accordance with the Protection of Personal Information Act, but, the contractor they were about to sign a service supply agreement sought to have access to some of this personal information.
Seen alone, there was little risk, but within the context of this business, we were able to avoid this. A trusted and qualified expert will help you navigate the complex commercial world.
Are You Protecting Your Customer’s Data?
The collection, usage and sharing of personal information is regulated primarily by the Protection of Personal Information Act 4 of 2013. The Act was recently promulgated and is yet to be implemented. The Act seeks to give expression to the right to privacy provided for in the Constitution.
At the time of writing, the primary enforcement arm contemplated by the Act, the Information Regulator, has yet to be appointed. Once appointed, all businesses will be required to register with the Information Regulator to make public what personal information is being collected, and what it is being used for.
The Information Regulator will be empowered to enforce compliance with the Act, and able to investigate whether an entity is lawfully processing the public’s personal information.
Related: Protect Your SME From PoPI
How are privacy policies affected?
The Act defines the term ‘processing’ broadly, and includes “the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use of a person’s personal information”. To process a person’s personal information, the prior consent of the person (data subject) is needed.
The Act restricts a company’s ability to store personal information outside of the country by requiring that it be transferred only to countries in which comparable security laws and data protection measures exist.
A situation such as this arises more easily than expected. Consider the example of the humble contact form: Your website, with its local server situated in Midrand, utilises a plugin to create custom contact forms.
Although your server may be in Midrand, every person who completes the contact form on your website has their personal information transferred and stored on servers in the home jurisdiction of your plugin creator, which may be in the US. But the plugin creator may also make use of third-party service providers based in Vietnam. An in-depth investigation of all third-party plugins and processes of a website is therefore required to ensure that you comply with the Act.
Access by a data subject to personal information
A data subject is entitled to request a full disclosure of any personal information held by the company.
As the procedures governing access to personal information overlap, companies should also ensure compliance with the processes outlined by the Promotion of Access to Information Act 2 of 2000 (‘PAIA’).
In terms of PAIA, all companies are required to compile a manual that needs to be registered with the South African Human Rights Commission. This manual sets out the company’s contact information, what records are available for inspection, the identity of the leadership of the company, as well as the manner in which a person may request access to information held by the company.
However, the Minister of Justice and Correctional Services has exempted private bodies from complying with this requirement for a period of five years, starting from
1 January 2016.
Start-up Advice2 months ago
9 Quotes Every Entrepreneur Should Live By
Lessons Learnt2 months ago
15 Wise Insights From 15 Entrepreneurial Icons
Company Posts2 months ago
Enhance Your Entrepreneurial Flair With An Online Postgraduate Diploma From The University Of Pretoria
Personal Finance2 months ago
If You Think These 5 Things, You’ll Never Get Rich By The Time You’re 30