On Monday we discussed the rationale behind the Protection of Personal Information Act 4 of 2013 (“POPI” or “the Act”), some important definitions and the role of the information officer. This article deals with some of the practical requirements the Act imposes.
Collection of Personal Information
Generally speaking, personal information must be collected directly from the client, and only for a specific, explicitly defined and lawful purpose. An FSP must therefore be able to state why it is collecting (and processing) each item of personal information. The FSP must also ensure that the client is explicitly informed of the personal information that will be processed and of the purpose of the processing. This must be done in writing and a record of the notification must be retained.
The FSP should only process personal information which is “adequate”, “relevant” and “not excessive” for the purpose of processing; in other words, only process what is necessary.
There is a duty on the FSP to take reasonable steps to ensure that personal information records are complete, accurate, not misleading and up to date. This includes an obligation to update client information from time to time, not merely to record it correctly at the outset.
Records may not be retained for longer than is necessary to achieve the purpose for which they were collected and must thereafter be destroyed, deleted or de-identified. A documented retention policy, with a defined retention period for each category of record, should therefore be implemented to ensure compliance with this requirement.
Security of Personal Information
Section 19 of the Act provides that the FSP (the ‘responsible party’ in the Act’s terminology) must secure the integrity and confidentiality of the personal information in its possession or under its control by taking ‘appropriate’ and ‘reasonable’ technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of personal information, and unlawful access to or unlawful processing of personal information.
Every FSP should therefore document specific, workable security procedures and check that they are actually followed. Section 19(2) spells out what is expected: identify all reasonably foreseeable internal and external risks to the personal information, establish and maintain appropriate safeguards against those risks, regularly verify that the safeguards are effectively implemented, and update them in response to new risks or deficiencies. It may also be prudent to consider some form of indemnity insurance that covers this risk.
If clients’ personal information is compromised in any manner, the consequences can be serious. Clients could be severely prejudiced, for example by identity theft or by bank account details landing in the hands of criminals, and the FSP in question would also suffer reputational and financial harm.
In addition, it is important to note that section 22 requires that, where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, both the Information Regulator and the affected clients (the data subjects) must be notified as soon as reasonably possible after the compromise is discovered.
If the FSP outsources any part of its processing activities to a third party, the Act refers to that party as an ‘operator’ and lays down specific requirements for the arrangement. The FSP must conclude a written agreement with the operator which ensures that the operator establishes and maintains the security measures required by section 19 of the Act, and the operator must notify the FSP immediately if it has reasonable grounds to believe that personal information has been compromised. The FSP remains the responsible party: outsourcing the processing does not outsource the accountability.
Outsourcing could include, for example, the storage, administration or cleaning of databases, premium collection in respect of clients of the FSP, and the sending of bulk communications.
POPI creates various offences and provides for penalties and administrative fines (of up to R10 million) for non-compliance with its provisions. Furthermore, a civil action for damages may be instituted against the FSP for a breach of any provision of POPI.
The POPI Act will require some adjustments to current procedures. Even though the commencement date of the Act has not yet been determined, there is no doubt that it will come into force sooner or later, and the provisions of the Act and the Regulations are unlikely to change much, if at all. Prudent FSPs won’t wait for the Act’s commencement before beginning to implement its requirements; they will have begun incorporating them into normal business procedures already.
There is no dearth of cybersecurity hacks, breaches, malware (including ransomware) and, quite frankly, just plain stupidity on the part of some Internet users. As they said in Hill Street Blues – be careful out there.
Moonstone will be conducting follow-up workshops on POPI once we are satisfied that we can add value by relating facts, rather than conjecture.