By Lucia Audu, ILFA Programmes Intern (January – April 2018)
With more people carrying out transactions online and joining social media sites that require them to share personal and sensitive information, cybercrime incidents have increased in number and complexity. Identity theft, for example, has been an area of great concern for consumers through the years and has been occurring with greater frequency in recent times. Interestingly, despite these facts, organizations and businesses often do not take great pains to secure the sensitive information that they handle. Nonetheless, every individual should be entitled to certain rights where the handling of their personal information is concerned.
What is Personal Information?
Personal information is any factual or subjective information, whether recorded or not, about an identifiable individual. The Definitions Section of Act No 4 of 2013: Protection of Personal Information Act 2013 (the POPI Act) defines personal information as information relating to an identifiable, living, natural person and, where applicable, an existing juristic person (a body recognized by law as being entitled to rights and duties in the same way as a natural person, e.g. a company).
The POPI Act in Context
The POPI legislation, which is in line with current international trends, was signed into law in 2013, although it isn’t expected to come fully into force until the second half of 2018. The purpose of the POPI Act is to ensure that all South African organizations conduct themselves properly when collecting, storing, processing and sharing the personal information of “Data Subjects,” meaning the person or persons to whom personal information relates, and to hold them accountable where such information is abused or compromised.
Section 5 of the POPI Act itemizes the rights available to Data Subjects; some of these rights are explained below:
- Every Data Subject has the right to be notified that his/her personal information is being collected. By extension, the Data Subject must give consent to the processing of such information, or to its further processing for some other purpose. Consent is an overriding requirement and may be withdrawn at any time.
- Every person has the right to request the correction, destruction or deletion of his/her personal information where such information is found to be inaccurate, excessive, irrelevant or misleading. The handlers of such information are expected to comply with this request as soon as reasonably practicable.
- Every Data Subject may object to the use of his/her personal information, and the responsible party (meaning a public or private body or any other person who processes personal information) has a duty to stop processing such information once the objection is made.
- A Data Subject also has a right not to have his/her personal information processed for direct marketing by means of unsolicited electronic communications.
- A Data Subject, having provided adequate proof of identity, has the right to request confirmation, free of charge, of whether a responsible party holds information about him/her/it.
- A Data Subject may not be subjected to any decision which has legal consequences for him/her/it, if such decision is made after the automated processing of his/her/its personal information that is intended only to provide a profile of such person.
*Note that this provision applies only where the decision was based solely on such personal information processed for profiling purposes.
A Data Subject may institute civil proceedings where there is an alleged interference with his/her/its personal information or where there is a breach of any of the aforementioned rights. Whether there is negligence or intent on the part of the responsible party is immaterial. The import of this provision is that the liability of the responsible party is strict: there is no requirement to prove fault, negligence or intention in order to establish responsibility. A successful claimant under this provision would be entitled to damages, aggravated damages or interest. He/she/it may also claim the costs expended in prosecuting the matter in court.
To obtain an in-depth understanding of these rights and their application, a Data Subject also needs to be aware of the minimum requirements and conditions that must be met by the responsible party in the handling of personal information.
There are processing limitations under the POPI Act relating to the manner and purpose of processing personal information: information must be processed in a manner that does not infringe on the privacy of the Data Subject.
The next condition deals with specificity of purpose. This condition requires the use or purpose of the information to be explicitly defined and lawful.
Furthermore, the responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate measures to prevent loss, damage and unlawful access, and by identifying reasonably foreseeable internal and external risks.
Finally, further processing of personal information must be done in accordance, or in a manner compatible, with the purpose for which it was originally collected.
The accelerating evolution of information and communication technologies has created a situation in which more data is being collected, created and shared across sites and geographical boundaries, often without the knowledge or involvement of the Data Subjects. The POPI Act makes it obligatory for companies to put the security of the personal records and information that they process first. This places a greater burden of accountability and care on a responsible party to ensure the safety of the information within its databases.