Tag: POPIA

Source: MyBroadband

There will be no deadline for the registration of Information Officers and Deputy Information Officers, meaning that no responsible party will be held liable for not registering by 30 June 2021.

In a statement released on Tuesday, the Information Regulator said this decision follows technical glitches with the registration portal and numerous concerns raised by responsible parties regarding the registration process.

“The regulator is currently looking into alternative registration processes and will communicate this in due course. We understand that our portal malfunctioning has caused a lot of anxiety and panic and for that we really do apologise,” Chairperson of the Information Regulator, Advocate Pansy Tlakula said.

The registration of a Chief Executive Officer (CEO) as an Information Officer for multiple legal entities has been taken into consideration and it will be permissible.

The registration portal is currently being configured to accommodate these changes. When the registration portal has been updated, it will be announced.

“The Protection of Personal Information Act (POPIA) enforcement powers as promulgated by the President of South Africa in June 2020 will still be coming into effect as of the 1 July 2021. The Information Regulator had thus afforded responsible parties a one-year grace period to be compliant with POPIA.

“For responsible parties to be compliant with POPIA, they are required amongst many actions, to appoint and register their Information Officers with the Information Regulator and apply for Prior Authorisation before processing personal information,” the regulator said.

There has been an exponential increase in engagement from responsible parties with the regulator as the POPIA enforcement powers draw closer, now less than 10 days away.

Furthermore, the regulator has extended the deadline for applications for Prior Authorisation in terms of section 57(1), subject to section 58(2), to 01 February 2022.

Responsible Parties must obtain prior authorisation from the regulator prior to any processing of personal information where that responsible party plans to:

  • Process any unique identifiers of a data subject.
  • Process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties.
  • Process information for purposes of credit reporting.
  • Transfer special personal information or personal information of children to foreign countries that do not provide an adequate level of protection for processing of personal information.

The Information Regulator as of 30 June will also be taking over the function of the Promotion of Access to Information Act (PAIA) from the South African Human Rights Commission (SAHRC).

Should a member of the public wish to lodge a complaint, they may approach the Regulator to adjudicate, or they may approach the court directly.


Final countdown to POPI Act

Source: Lexology

There is less than a month to go before South Africa’s Protection of Personal Information Act, 2013 (“POPIA”) is set to go into full effect on 1 July, 2021.

It is critical for organisations operating in South Africa to ensure that they are ready if and when the Information Regulator comes knocking.

It is only when organisations start their POPIA journey that they realise just how wide the POPIA net is cast, and that very few businesses fall outside of its reach. The road to POPIA compliance should be viewed as a marathon, and not a sprint. While implementing and maintaining an effective POPIA compliance program will take continued effort and resources well beyond the July 1, 2021 go-live date, here we outline five steps to which companies subject to POPIA should give their attention in the short term.

Step 1: Identify and appoint an Information Officer

POPIA provides for a similar position as the GDPR’s data protection officer in the form of an “Information Officer.” Organisations subject to POPIA must identify an Information Officer who will be responsible (and who may be held personally liable) for, among other things, all of the organisation’s data protection compliance requirements, working with the Information Regulator, establishing policies and procedures, and POPIA awareness and compliance training.

The “head” of the organisation (i.e., the CEO, managing director, or “equivalent officer”) is automatically deemed the organisation’s Information Officer; however, the organisation can “duly authorise” another person in the business (who is at management level or above) to act as Information Officer. Similarly, the organisation can designate one or more employees (also at management level or above) to act as “Deputy Information Officers” to assist the Information Officer in performing his or her responsibilities. Both the Information Officers and Deputy Information Officers must be registered with the Information Regulator before the end of June 2021, via the Information Regulator’s Online Registration Portal, or by submitting the downloadable Manual Registration Form to the Information Regulator.

Step 2: Review the organisation’s marketing practices

While many organisations may not consider themselves to be engaging in so-called “direct marketing” practices, this concept is widely defined in POPIA to include “any approach” to a data subject “for the direct or indirect purpose of […] promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject […].” POPIA provides data subjects with certain rights with respect to unsolicited “electronic communications” (i.e., direct marketing by means of automatic calling machines, fax machines, SMSs, or emails). The processing of a data subject’s personal information for the purposes of direct marketing is prohibited, unless the data subject has consented to the processing, or the email recipient is an existing customer of the organisation.

In practical terms, the organisation must have obtained the data subject’s details through the sale of a product or service, and the marketing should only relate to similar products or services of the organisation. The data subject must be given a reasonable opportunity to object to the use of their personal information for marketing each time the organisation communicates with the data subject for marketing purposes, i.e., recipients must be able to “opt-out” at any stage. Potential new customers can only be marketed with their express consent, i.e., on an “opt-in” basis.

Step 3: Review the organisation’s security measures

POPIA obliges organisations to take appropriate technical and organisational measures to safeguard the security and confidentiality of personal information – aimed at preventing any loss, damage to, or unauthorised destruction of personal information, including measures to prevent unlawful access to, or processing of personal information under the organisation’s control.

There is a general data breach notification obligation under POPIA. Where there are reasonable grounds to believe that a data subject’s personal information has been accessed or acquired by an unauthorised person, the organisation, or any third party processing personal information under its authority (e.g., an outsourced payroll service provider), must notify the Information Regulator and the data subject of the data breach “as soon as reasonably possible,” unless the identity of the data subject cannot be established. It is therefore crucial that organisations ensure that they have an effective data security incident protocol in place, which will allow them to comply with the breach notification obligations under POPIA, and avoid falling under additional scrutiny.

Step 4: Review the organisation’s existing data transfer and outsourcing arrangements

POPIA generally applies not only to organisations that process personal information in South Africa, but also to any person or company that processes personal information on behalf of the organisation – commonly referred to as a “processor.” POPIA also applies to organisations outside of South Africa that process personal information in South Africa with the assistance of a third party (e.g., a channel partner, or outsourced service provider). Where any processing of personal information is outsourced by an organisation, it must, in terms of a written contract between it and the processor, ensure that the party processing personal information on the organisation’s behalf establishes and maintains appropriate security measures as prescribed under POPIA.

POPIA contains a general prohibition on cross-border transfers of personal information. However, this prohibition is subject to numerous exceptions, including: (1) where the data subject consented to the transfer; (2) the transfer is necessary for the performance of a contract between the company and the data subject; (3) the transfer is necessary for the conclusion or performance of a contract between the company and a third party that is in the interest of the data subject; or (4) the transfer is for the benefit of the data subject. Where personal information is being transferred to a third party outside of South Africa, the company must ensure that the recipient of the personal information is subject to a law, binding corporate rules, or binding contract which provide an adequate level of protection that effectively upholds POPIA’s principles for reasonable processing, and that include provisions substantially similar to the conditions for the lawful processing of personal information, and for the further transfer of personal information under POPIA.

Step 5: Deliver POPIA awareness training

POPIA awareness training is not only a valuable tool for organisations to promote compliance; it is also a requirement under the POPIA Regulations. The Information Officer must ensure that awareness sessions are conducted regarding the provisions of POPIA, the POPIA Regulations, codes of conduct (where applicable), as well as any information that is obtained from the Information Regulator from time to time.


By Wendy Tembedza for Webber Wentzel

All businesses with employees, customers and suppliers must comply with POPIA, which comes into effect on 1 July 2021. Here’s a practical guide to the most important aspects.

With the commencement date of the Protection of Personal Information Act 4 of 2013 (POPI), 1 July 2021, fast approaching, businesses should be reviewing their use of personal information to determine if it complies with the Act. It is important to understand that any business that has employees, customers and suppliers must comply with POPI when dealing with personal information. Below are a few tips on ways businesses can kick-start their compliance exercise.

Figure out what personal information you process and why
Under POPI, a business must be able to justify why it holds personal information based on one of the several justifications set out in POPI. This is a good opportunity for a business to assess what information it collects (whether from employees, customers, service providers or other third parties such as credit bureaus) and review whether that information is actually necessary for the purposes for which it was collected. In this regard, minimality is key: businesses should not collect more personal information than is required. Importantly, the term “personal information” is defined very broadly to mean any information that can be used to identify an individual person or another business entity.

Get rid of what you don’t need
Under POPI, a business cannot keep a record of personal information once the reason for which it was collected no longer exists, unless required by law. For example, unless required by law, a business should not keep personal information of any former supplier when the relationship has ended. Businesses should therefore check whether they are holding onto any old records of personal information that they no longer need and dispose of them in a secure manner. It is important to note that more data means more risk and it is best to purge what is not required.

Look at security
Correct management of personal information means appropriate security must be in place to protect it. POPI requires a business to put in place “appropriate, reasonable technical and organisational measures” to prevent loss, theft or damage to personal information. The suitability of security measures will depend on the business and the type of personal information it holds.

Marketing
Opt-out marketing emails and SMSs are a thing of the past under POPI. Unless a person is an existing customer, a business cannot send him or her marketing emails or SMSes without first getting consent from the person. Any request for marketing consent must include language that is set out in Regulations to POPI. Businesses should therefore review their direct marketing practices.

Go for the easy-wins
POPI compliance may seem like a daunting task but there are some “easy wins” when it comes to compliance. Basic documents used by the business will likely need updating for POPI compliance. These include company privacy policies and employee and supplier contracts. All of these documents should aid the business in proving its compliance with POPI.

By Hanno Labuschagne for MyBroadband

Popular call screening app Truecaller could be in violation of South Africa’s incoming Protection of Personal Information Act (POPIA), according to two law firms who recently spoke to MyBroadband.

Many South Africans may be familiar with the app, particularly given its usefulness in identifying unknown phone numbers and blocking unsolicited calls from telemarketers or scammers.

The app has more than 150-million daily users across the globe – 1.7-million of which are based in South Africa.

Truecaller is often able to show the owner of a number that a user does not yet have saved, through its universal database, which is built by crowd-sourcing data from its users.

Contrary to popular belief, Truecaller does not actually automatically upload your address book or contact list to its servers when you download and install the app from the Apple App Store or Google Play Store.

This is because both companies have strict data protection policies which prohibit the app from doing so.

However, this is not the case if the app is downloaded directly from the truecaller.com website. In this instance, Truecaller will prompt the user with an option to upload their full address book as part of its crowd-sourcing features.

This information is then uploaded to the company’s database, which is stored on a foreign server.

In addition, Truecaller allows users to manually submit the details of a number which was not yet available on its database.

According to law firms Werksmans Attorneys and Norton Rose Fulbright, there are several issues with these features under POPIA.

No lawful basis for data processing
Director at Werksmans Attorneys Ahmore Burger-Smidt said Truecaller failed to comply with POPIA in a number of areas.

“Without a doubt, concerns can be raised from a POPIA perspective in relation to the manner and the purposes for which personal data is collected and processed via the Truecaller app,” Burger-Smidt said.

She said that there were grave concerns in terms of POPIA regulations when the app is considered from the perspective of a person or business who has not registered for the service.

The primary issue was that the app allowed full disclosure of a contact list, which could amount to confidential information being disclosed.

“From a data protection perspective, a responsible party, in this instance Truecaller, can only process the personal information of a data subject if he has a lawful basis to do so,” Burger-Smidt said.

“POPIA provides for lawful bases, which include: consent, compliance with a legal obligation, if there is a legitimate interest, and the performance of a contract.”

“One can argue that there might indeed be a legitimate basis for processing the personal information of the individual that subscribes to the Truecaller service,” she stated.

“However, on what basis are they processing all the contact information that the subscriber holds?” Burger-Smidt asked.

“It is very difficult to motivate for this to be done on the basis of a legitimate interest.”

“It is entirely possible that individuals do not have any knowledge of this use of their data at all. This means that they are being denied their rights as data subjects in terms of POPIA and that their privacy is being infringed,” Burger-Smidt stated.

Shifting the blame to the user
Director in Competition Practice at Norton Rose Fulbright Rosalind Lake echoed these views.

She said POPIA requires a responsible party – in this case Truecaller – to notify a data subject of how it will process – use, store, transmit, and access – its personal information, even when it is not collected directly from the data subject.

“These notification requirements are usually fulfilled through a privacy policy,” Lake stated.

“However, it appears that Truecaller’s privacy policy places this obligation on the user,” Lake said.

According to its privacy policy, Truecaller says users must confirm with any other party whose details they share with Truecaller before doing so.

Lake said this approach was problematic under POPIA.

“If you are reporting a number as spam, you are hardly going to phone them to tell them that their number has been added to the database,” Lake said.

“In this situation, the user of the app would not be considered a responsible party when it consents to provide access to its phone book. Truecaller is the one who requests access and use of the information and they are therefore responsible under POPI.”

“The user of the app may be considered an ‘operator’ for Truecaller, but then POPI says there must be an agreement in place to impose certain obligations on the operator, but the liability still sits with the responsible party.”

Lake warned that users should still think carefully before consenting to provide access to their address book and carefully peruse the privacy settings on the app.

“There have been some circumstances reported where a person’s safety may be compromised by their name being on the database – such as a journalist working undercover – or indeed, businesses may suffer losses in some way from being identified without their knowledge,” Lake cautioned.

What Truecaller can do
Burger-Smidt said that Truecaller ought to consider how it collects personal information from non-subscribers.

According to Lake, the inclusion of its privacy policy on its website does not give sufficient notice to the data subjects, as they are not explicitly directed to it during the process.

She said that POPIA requires a responsible party to take reasonably practicable measures to notify the data subject of the collection and processing of their personal information.

“It would be our recommendation, therefore, even though consent may not be required if Truecaller relies on its legitimate interests to process the information, that under POPI Truecaller notify by SMS or email each person who is added to their database, direct them to their privacy policy and highlight their ability to delist from the database.”

However, this could introduce another problem under POPIA, Lake added.

“A tricky issue is that the responsible party is required to disclose where it is collecting the personal information from if it is not collecting it directly from the data subject,” Lake said.

“It is not clear yet whether stating that it is collected from users of the app will be sufficient or whether the particular individual from whom the information is collected has to be disclosed.”

“It seems unlikely to be the latter as this may also be unnecessary processing of the user’s personal information.”

Truecaller not anticipating any issues
Truecaller told MyBroadband that POPIA offered a good opportunity for companies to review their practices and think more deeply about the importance of the privacy of their users.

“We are continuing to look at changes we can make to align with the evolution of privacy laws in different jurisdictions, including South Africa,” the company said.

However, it said it did not anticipate any disruption to the services or features its app offers due to the implementation of POPIA.

Both Burger-Smidt and Lake submitted that Truecaller is beneficial in its ability to identify and screen unsolicited calls.

Lake added that POPI in and of itself would also help restrict direct marketing, which will hopefully reduce the volume of spam calls in South Africa.
