Newsletter Details

POPIA

THE SECOND CONDITION - PROCESSING LIMITATIONS.

 By Gilles van de Wall

Attorney at Johanette Rheeder Inc

The Protection of Personal Information Act, Act 4 of 2013 (“POPIA”) is now fully effective and yet again South Africans has been hit by a major privacy breach and leaking if their personal information. POPIA applies to all instances of processing of personal information (PI) of natural and juristic persons, whether they are aware of it or not or whether they have consented to it or not. All parties who process PI of the South African public (called a Data subject) must at least have a basic knowledge of what POPIA entails.

POPIA contains 8 conditions for the processing of personal information to be lawful, and each of these conditions impose different rights, duties, and obligations unto those who process personal information (called the Responsible Party). Below, I shortly discuss, on an introductory level, the second of the 8 conditions (each of the 8 conditions will be discussed separately over the course of the following few weeks).[1]

ITS WHAT THE LAW SAYS:

The Second condition of lawful processing of personal information as contained in POPIA, is the condition of process limitation. The limitation on the processing of personal information is regulated by the provisions of Section 9 to 12 of POPIA, which Sections require that the processing of personal information must at all times be lawful and done in a reasonable manner to ensure that the privacy of a Data subject is not infringed when personal information is being processed. In order to ensure that the privacy of the data subject is not infringed, the purpose for processing must be adequate, relevant and not excessive.

Therefore, when the employer process the personal information, it must pass the test of minimality. You may only collect and process personal information if you do so for legitimate (business) requirements and the information you collect or process can be linked to the purpose, passing the minimality requirement.

Therefore, all Responsible parties will have to audit the Personal information they process and test the purpose against the minimality test.

WHEN MY PERSONAL INFORMATION BE PROCESSED?

First and foremost, Personal information must be processed with consent of the Data subject and/or a competent person in case of the Data subject being a minor;

However, POPIA also allows processing without consent if the processing :

• Is required by law, contract and/or an obligation imposed unto the Responsible party;
• “…protects a legitimate interest of the Data subject;
• “…necessary for the proper performance of a public law duty by a public body;
• Is for a legitimate interest of either the responsible party or a third party;

Responsible parties may also collect Personal information without consent if the information is derivative from a public record or has been deliberately made public by the Data subject or if the Data subject or a competent person in case of a minor, has given consent to the information being collected from an alternative source.  Data subjects may withdraw consent object on reasonable grounds to having personal information processed by sending a notice to the Responsible party, which is available in the Regulations the act.

THE REGULATIONS:

Item 2, 3 and 6 of the Regulations to POPIA contains a standard form to assist a Data subject in lodging objection to the processing of Personal information and to request for amendment, correction, deletion and/or destruction of personal information. A Responsible party must render “…such reasonable assistance as is necessary, free of charge, to enable the data subject to complete the necessary forms and may charge a minimal fee for copies of Personal information.

 TO CONCLUDE:

Through these limitations on the when, where and what of processing personal information, it seems as if the legislator aimed to have organisations develop, structure and implement a ‘data-diet’, which I am of the opinion will be beneficial to organisations. There is a lot of information which organisations hold onto, process, and disseminate which may be unnecessary for purposes of legitimate processing. For example, holding onto the curriculum vitae of an unsuccessful candidate for a year or more, just in case a position opens within the organisation.

Businesses must start developing process flows and log the different personal information it processes through those process flows as well as the purpose of processing, which must be clearly defined and compatible with the minimality condition.

Gilles van de wall (BA Law, LLB) is an attorney at Johanette Rheeder Incorporated.

Contact us at:          johanette@smartprivacy.co.za or gilles@smartprivacy.co.za

[1] See our article on the first condition, being Accountability published on our website and LinkedIn on 7 July 2020.