By Wendy Tembedza for Webber Wentzel

All businesses with employees, customers and suppliers must comply with POPIA, which comes into effect on 1 July 2021. Here’s a practical guide to the most important aspects.

With the commencement date of the Protection of Personal Information Act 4 of 2013 (POPI) on 1 July 2021 fast approaching, businesses should be reviewing their use of personal information to determine whether it complies with the Act. It is important to understand that any business that has employees, customers and suppliers must comply with POPI when dealing with personal information. Below are a few tips on ways businesses can kick-start their compliance exercise.

Figure out what personal information you process and why
Under POPI, a business must be able to justify why it holds personal information based on one of the several justifications set out in POPI. This is a good opportunity for a business to assess what information it collects (whether from employees, customers, service providers or other third parties such as credit bureaus) and review whether that information is actually necessary for the purposes for which it was collected. In this regard, minimality is key – a business should not collect more personal information than is required. Importantly, the term “personal information” is defined very broadly to mean any information that can be used to identify an individual person or another business entity.

Get rid of what you don’t need
Under POPI, a business cannot keep a record of personal information once the reason for which it was collected no longer exists, unless required by law. For example, unless required by law, a business should not keep personal information of any former supplier when the relationship has ended. Businesses should therefore check whether they are holding onto any old records of personal information that they no longer need and dispose of them in a secure manner. It is important to note that more data means more risk and it is best to purge what is not required.

Look at security
Correct management of personal information means appropriate security must be in place to protect it. POPI requires a business to put in place “appropriate, reasonable technical and organisational measures” to prevent loss or theft of, or damage to, personal information. The suitability of security measures will depend on the business and the type of personal information it holds.

Marketing
Opt-out marketing emails and SMSes are a thing of the past under POPI. Unless a person is an existing customer, a business cannot send him or her marketing emails or SMSes without first getting consent from that person. Any request for marketing consent must include the language set out in the Regulations to POPI. Businesses should therefore review their direct marketing practices.

Go for the easy-wins
POPI compliance may seem like a daunting task but there are some “easy wins” when it comes to compliance. Basic documents used by the business will likely need updating for POPI compliance. These include company privacy policies and employee and supplier contracts. All of these documents should aid the business in proving its compliance with POPI.

By Hanno Labuschagne for MyBroadband

Popular call screening app Truecaller could be in violation of South Africa’s incoming Protection of Personal Information Act (POPIA), according to two law firms who recently spoke to MyBroadband.

Many South Africans may be familiar with the app, particularly given its usefulness in identifying unknown phone numbers and blocking unsolicited calls from telemarketers or scammers.

The app has more than 150-million daily users across the globe – 1.7-million of which are based in South Africa.

Truecaller can often show the owner of a number that is not yet in a user’s contacts by drawing on its universal database, which is built through crowd-sourcing of data from its users.

Contrary to popular belief, Truecaller does not actually automatically upload your address book or contact list to its servers when you download and install the app from the Apple App Store or Google Play Store.

This is because both companies have strict data protection policies which prohibit the app from doing so.

However, this is not the case if the app is downloaded directly from the truecaller.com website. In this instance, Truecaller will prompt the user with an option to upload their full address book as part of its crowd-sourcing features.

This information is then uploaded to the company’s database, which is stored on a foreign server.

In addition, Truecaller allows users to manually submit the details of a number which was not yet available on its database.

According to law firms Werksmans Attorneys and Norton Rose Fulbright, there are several issues with these features under POPIA.

No lawful basis for data processing
Director at Werksmans Attorneys Ahmore Burger-Smidt said Truecaller failed to comply with POPIA in a number of areas.

“Without a doubt, concerns can be raised from a POPIA perspective in relation to the manner and the purposes for which personal data is collected and processed via the Truecaller app,” Burger-Smidt said.

She said that there were grave concerns in terms of POPIA regulations when the app is considered from the perspective of a person or business who has not registered for the service.

The primary issue was that the app allowed full disclosure of a contact list, which could amount to confidential information being disclosed.

“From a data protection perspective, a responsible party, in this instance Truecaller, can only process the personal information of a data subject if he has a lawful basis to do so,” Burger-Smidt said.

“POPIA provides for lawful bases, which include: consent, compliance with a legal obligation, if there is a legitimate interest, and the performance of a contract.”

“One can argue that there might indeed be a legitimate basis for processing the personal information of the individual that subscribes to the Truecaller service,” she stated.

“However, on what basis are they processing all the contact information that the subscriber holds?” Burger-Smidt asked.

“It is very difficult to motivate for this to be done on the basis of a legitimate interest.”

“It is entirely possible that individuals do not have any knowledge of this use of their data at all. This means that they are being denied their rights as data subjects in terms of POPIA and that their privacy is being infringed,” Burger-Smidt stated.

Shifting the blame to the user
Director in Competition Practice at Norton Rose Fulbright Rosalind Lake echoed these views.

She said POPIA requires a responsible party – in this case Truecaller – to notify a data subject of how it will process – use, store, transmit, and access – its personal information, even when it is not collected directly from the data subject.

“These notification requirements are usually fulfilled through a privacy policy,” Lake stated.

“However, it appears that Truecaller’s privacy policy places this obligation on the user,” Lake said.

According to its privacy policy, Truecaller requires users to obtain confirmation from any other party whose details they share with Truecaller before doing so.

Lake said this approach was problematic under POPIA.

“If you are reporting a number as spam, you are hardly going to phone them to tell them that their number has been added to the database,” Lake said.

“In this situation, the user of the app would not be considered a responsible party when it consents to provide access to its phone book. Truecaller is the one who requests access and use of the information and they are therefore responsible under POPI.”

“The user of the app may be considered an ‘operator’ for Truecaller, but then POPI says there must be an agreement in place to impose certain obligations on the operator, but the liability still sits with the responsible party.”

Lake warned that users should still think carefully before consenting to provide access to their address book and carefully peruse the privacy settings on the app.

“There have been some circumstances reported where a person’s safety may be compromised by their name being on the database – such as a journalist working undercover – or indeed, businesses may suffer losses in some way from being identified without their knowledge,” Lake cautioned.

What Truecaller can do
Burger-Smidt said that Truecaller ought to consider how it collects personal information from non-subscribers.

According to Lake, the inclusion of its privacy policy on its website does not give sufficient notice to the data subjects, as they are not explicitly directed to it during the process.

She said that POPIA requires a responsible party to take reasonably practicable measures to notify the data subject of the collection and processing of their personal information.

“It would be our recommendation, therefore, even though consent may not be required if Truecaller relies on its legitimate interests to process the information, that under POPI Truecaller notify by SMS or email each person who is added to their database, direct them to their privacy policy and highlight their ability to delist from the database.”

However, this could introduce another problem under POPIA, Lake added.

“A tricky issue is that the responsible party is required to disclose where it is collecting the personal information from if it is not collecting it directly from the data subject,” Lake said.

“It is not clear yet whether stating that it is collected from users of the app will be sufficient or whether the particular individual from whom the information is collected has to be disclosed.”

“It seems unlikely to be the latter as this may also be unnecessary processing of the user’s personal information.”

Truecaller not anticipating any issues
Truecaller told MyBroadband that POPIA offered a good opportunity for companies to review their practices and think more deeply about the importance of their users’ privacy.

“We are continuing to look at changes we can make to align with the evolution of privacy laws in different jurisdictions, including South Africa,” the company said.

However, it said it did not anticipate any disruption to the services or features its app offers due to the implementation of POPIA.

Both Burger-Smidt and Lake submitted that Truecaller is beneficial in its ability to identify and screen unsolicited calls.

Lake added that POPI in and of itself would also help restrict direct marketing, which will hopefully reduce the volume of spam calls in South Africa.

My Office News Ⓒ 2017 - Designed by A Collective