With the Protection of Personal Information (POPI) bill soon to become law, retailers have to be prepared to deal with customers’ questions about the type and amount of personal information that they are collecting, why they are collecting it and how they intend to protect it against abuse. Jana van Zyl of Dommisse Attorneys helps answer some of the questions that retailers may have.
“First of all, we should be aware of what constitutes personal information,” says Van Zyl. “POPI provides a wide definition because this could include diverse forms of data, ranging from addresses, ID numbers, cell phone numbers, biometrics and even personal views on certain issues. It also differentiates between ‘normal’ personal information, special personal information (such as information about health) and children’s personal information – all of which have different rules that will apply to the processing of the personal information. There isn’t a defined list of information that retailers are prohibited from collecting, but as a rule of thumb, any business should only collect what is necessary for them to achieve a specific purpose – which should be communicated to customers or potential customers.”
A good example of that would be the use of ID documents to verify a customer’s identity. “The retailer has to justify why he or she should be entitled to collect the information. For example, do they really need a copy of a customer’s ID document or is it sufficient for that customer to merely display the document?” says Van Zyl. “If they don’t need a copy, why keep it?” “And even if they can justify why they need a copy of such a document, they should only use it for the purpose they originally collected it for, e.g. a credit check. Should they wish to use the information for any other purpose, they will need to notify the customer.”
Consent as such does not always have to be given in written format, as “it won’t always be practical to gain written consent. For example, if a supermarket has a lucky draw box on the counter where customers could place their till slip with a phone number to enter into the competition, they won’t want a customer to fill in a lengthy permission form – but they will only be able to use the information for entry into the draw. Any other purpose will need to be specified explicitly. It is important to bear in mind what the expectation of the individual would be – what can the retailer use the information for?”
Similarly, if a customer has signed up for a loyalty program, the retailer is entitled to track their purchases and use them to promote products in the future based on buying behaviour – provided that they received consent to do so when the customer signed up or notified the customer that the information would be used for that purpose.
Of course, not all retailers’ communication occurs in-store. Many retailers frequently communicate with their customers via social media platforms such as Facebook. “Social media has meant that many customers make information publicly available. The fact that information has been made publicly available does not mean that POPI in its entirety won’t apply. If the company wishes to collect data via their Facebook page, they would still be responsible for securing and protecting that data once they start processing it, and they would still have to limit their use, disclosure and retention of that information in line with the purpose for which they collected it.”
Naturally, security is a large concern for retailers, many of whom frequently receive and retain sensitive hard copy information, such as credit card slips. “Retailers would have to retrain their employees in preparation for POPI,” Van Zyl says. “There isn’t an exact list of specific measures to be implemented, but retailers would need to review their current processes and educate their staff about the importance of safeguarding personal information. For example, they would need to ensure their staff understand that items such as credit card details can’t be left in full view of anyone, but should be locked away. One needs to consider it from a practical point of view and educate staff members with reference to practical examples.”
POPI also has implications for future HR activities. These will, for example, include revising current policies and employee contracts. Although this may be a costly exercise, Van Zyl believes that most retailers – rightfully – see the Act as a positive introduction to their systems. “Most retailers understand that the misuse of customer information will have serious reputational consequences. And it is necessary to create awareness around staff members to focus on how they use personal information. Responsible use is key! The majority of retailers are eager to safeguard their customers’ information and upgrade their security measures and policies accordingly – POPI has forced retailers to reconsider and improve existing processes.”
Van Zyl advises retailers to liaise with an attorney as a first step to becoming compliant with the Act. “The implementation of POPI is around the corner, and retailers should launch a Compliance Project sooner rather than later.”
Memorising basic requirements of POPI using the CLAAP acronym:
Consent: Organisations may only collect, use and disclose personal information with the knowledge and consent of the individual. (In some instances organisations will be able to use personal information even though they have not received the express consent, but mostly organisations will still need to notify the individual that the information has been collected.)
Limited use: The collection of personal information is limited to what is necessary for the identified purposes, and the information must be collected by fair and lawful means.
Accountability: Retailers are accountable for protecting the personal information under their control and must ensure that adequate safeguards are in place.
Access: An individual has the right to access his/her personal information, subject to legislated exceptions, and has the right to seek correction of information or the withdrawal of permission.
Purpose: The purposes for the collection of personal information must be identified prior to or during the collection.
By Jana van Zyl, Partner at Dommisse Attorneys