Occasionally a new law comes along that changes the landscape to such an extent that business owners cannot just leave it to their accountants to sort out. The Protection of Personal Information Act (Popia), which comes into full effect on 1 July this year, is such a law.
The scope of Popia is such that every business owner needs to get their head around it. It seeks to govern the way in which businesses handle the personal information of their customers, suppliers and staff members, or any personal information about members of the public and other companies. It sets the minimum threshold requirements for the lawful processing of such information, and "processing" entails any activity concerning personal information, for example the collection, receipt, use, safekeeping and destruction of such information, whether automated or non-automated. It is clearly a sweeping and wide-ranging privacy law, says Marjan Gerbrands, corporate legal counsel at Business Partners Limited.
As comprehensive as it is, Popia is not draconian, and business owners need not worry that it will suddenly make business impossible, unless you are in the business of spamming or selling people’s contact details to spammers. Be wary of consultants who offer “free” seminars on the new law. These are often designed to scare business owners into signing up for their overpriced consultation services after the course.
But at the same time, Popia is not one of those compliance issues that you can ask your accountant to look at while you go on with your business as usual, says Marjan. For one thing, Popia requires a business to register an Information Officer with the Information Regulator. It should be the business owner or someone senior. It is clearly not a responsibility to be given to, for example, the receptionist, says Marjan. If you do not register an Information Officer, Popia says it will automatically be the head of the business or the CEO of the company. Following technical glitches with the registration portal, the Information Regulator has confirmed that there will be no deadline for the registration of Information Officers.
Popia limits what your business can do with the personal information of natural and juristic persons, called "data subjects" in the Act, and it also makes you responsible for keeping the information safe in your business. If it ends up in the hands of somebody who misuses it, you can now not only be sued by the person whose information you lost, but you can also be fined by the Information Regulator, in addition to the reputational damage you would suffer.
Begin by reading widely about Popia to gain a high-level overview, but keep in mind that Popia is complex and wide-ranging, so you will certainly have some homework to do. Have a look at the reading materials and seminars that your industry body or business association has to offer.
Once you have gained some understanding of what the law is about, Marjan recommends that you carefully analyse how it impacts your business processes. It is best to do it together with your management team and all of those staff members who deal with the processing of data subjects’ information. In most businesses, this means the sales, IT, admin and the HR staff.
It is a substantial process, so consider dividing it up into manageable sections – your sales, administrative, IT and human resources divisions:
1. Scope the information that you collect
Workshop with your team all the ways in which your business collects personal information, including names, addresses, telephone numbers, email addresses, ID numbers, car registration numbers, and any other information that can be used to identify a person or a company. List the tasks for which personal information is collected in each department and list the categories of individuals to whom the personal information relates, such as creditors, employees and clients. Information that has been de-identified is, however, excluded from Popia, since only personal information relating to an identifiable, living natural person or an identifiable, existing juristic person is protected.
2. Flag any category of information that the law calls “special information”
This includes trade union membership, race or ethnic origin, and biometric information such as fingerprints and CCTV camera footage. Special rules apply to the processing of personal information of children. You are not allowed to keep special information without consent, unless a law requires you to keep this information. If you have a biometric clock-in system, you have to get your staff to sign consent to have you put their fingerprints into the system. Daycare centres must get permission from the parents or guardians to keep information about their children, and if you have CCTV cameras, put up a notice at the entrance of your premises stating that anyone entering consents to being recorded for security purposes.
3. Plot your information flows
After the first exercise, you should have a list of the categories of information that your business collects, ranging from your staff records to your customer database to your visitors' book. Now, brainstorm with your team about why the information is collected; where you obtain it from (directly from the person, or from a third-party source); with whom it is shared; how and where it is kept; and how and when it is discarded.
This will give you a very handy chart plotting the flow of types of information through your business.
If you send any personal data to outside service providers, for example an agency that runs electronic marketing campaigns for you, you have to sign a contract with that service provider prohibiting them from using the data for anything else, and include an obligation on the operator to establish and maintain the required confidentiality and security measures.
Assess if and how the information is updated in your business.
Popia demands information quality and that reasonable steps are taken to ensure that personal information is complete, accurate, not misleading and updated.
4. Consider the security of data subjects’ information in your business
The next step is to think carefully about how protected the information is at any point along its flow through your business. Are your databases of customers, staff and suppliers kept on a password protected system? Are the computers and cellphones that have access to your business data password protected? Do you clear the discs of your obsolete electronic devices? Do you have protocols in place to prevent illicit downloading of information from your computers? Can you identify any other risks or vulnerabilities in the security of the information?
Popia applies to paper-based information as well. Make sure that copies of IDs and other personal information are not left lying around the photocopy machine. Have a paper shredder at hand. Throwing paper with personal information on it in the bin is now a legal risk.
If any of the information gets lost, or if you think it might have ended up in the hands of an unauthorised person, you have to inform the Information Regulator as well as everyone whose information is involved. You would be required to prove that you have put reasonable security measures in place to protect personal information.
Pay special attention to the sending of personal information. Make sure it is transmitted securely, and to the correct recipient. If a staff member sends private information to the wrong email address by mistake, your business will be liable for the breach of privacy.
5. Review your direct marketing
Until now, South Africa followed an opt-out approach. You were allowed to send marketing messages or call on anybody until they told you to stop. Popia changes this to an opt-in regime. You are only allowed to send a marketing message or make a marketing call once. Only if someone then agrees to receive similar messages in future, may you do so again.
The same goes for your existing customers. If they have never given you explicit consent to receive regular messages, you may contact them only once more in order to gain consent, and they must be given an opportunity to opt out.
Consent must be explicit and must be limited to a type of product or service. Blanket consent to receive any type of marketing messages in future is invalid. If someone agrees to subscribe to your newsletter on gardening, for example, you are not allowed to send them ads for electronic goods.
All electronic marketing messages must have a built-in unsubscribe option.
6. Popia-proof your website
Most websites use tiny text files called cookies to identify visitors to the site, even if it is just to draw up visitor statistics through services such as Google Analytics. Popia requires you to obtain opt-in from visitors to your website before you can activate the cookies, so most South African websites will have to sport a cookie pop-up asking visitors to accept or decline. You will therefore have to decide whether to fork out the money to a website designer to install such functionality on your site, or to have all cookies deactivated on your site, which means you won't be able to use services such as Google Analytics.
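As an added example (not from the article, and not any vendor's own code), this is how such an opt-in gate can be written in a website's JavaScript: nothing analytics-related loads until a stored, explicit "accepted" choice exists, and a missing, malformed or declined value means no tracking cookies at all. The storage key, class name, banner element ids and the placeholder measurement id are assumptions; storage and the loader are injected so the decision logic also runs outside a browser.

```javascript
// Added example (not from the article); CONSENT_KEY, ConsentGate and the element ids are assumed.
const CONSENT_KEY = 'cookie_consent'; // assumed localStorage key

class ConsentGate {
  // store: anything with getItem/setItem (localStorage in the browser);
  // loadAnalytics: callback that injects the analytics tag, run at most once.
  constructor(store, loadAnalytics) {
    this.store = store;
    this.loadAnalytics = loadAnalytics;
    this.loaded = false;
  }
  // Run on page load. Returns 'ask' when the banner must be shown; otherwise
  // applies the stored choice. Nothing is loaded before an opt-in exists.
  init() {
    const stored = this.store.getItem(CONSENT_KEY);
    if (stored !== 'accepted' && stored !== 'declined') return 'ask';
    this.apply();
    return stored;
  }
  // Called from the banner buttons. Anything other than 'accepted' is a decline.
  choose(choice) {
    const value = choice === 'accepted' ? 'accepted' : 'declined';
    this.store.setItem(CONSENT_KEY, value);
    this.apply();
    return value;
  }
  // Only an explicit, stored 'accepted' permits tracking; a missing, malformed
  // or 'declined' value means no analytics cookies. The tag loads at most once.
  apply() {
    if (this.store.getItem(CONSENT_KEY) === 'accepted' && !this.loaded) {
      this.loaded = true;
      this.loadAnalytics();
    }
  }
}
// Browser wiring (skipped under Node): the analytics tag is injected only here.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const gate = new ConsentGate(window.localStorage, () => {
    const s = document.createElement('script');
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER'; // placeholder id
    document.head.appendChild(s);
  });
  if (gate.init() === 'ask') {
    document.getElementById('cookie-banner').hidden = false;
    document.getElementById('cookie-accept').onclick = () => gate.choose('accepted');
    document.getElementById('cookie-decline').onclick = () => gate.choose('declined');
  }
}
```

The same gate can front any other non-essential script (chat widgets, ad pixels) by passing a different loader callback.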
7. Train your staff
If your staff members are aware of the gravity of the personal information collected and kept in your business, then half the battle is won. Training sessions, reinforced by awareness posters emphasising the importance of personal data protection, can go a long way towards keeping your business on the right side of Popia.