Digital marketing law interview on @BallzRadio

Paul was interviewed about aspects of digital marketing law on Ballz Radio today. The interview was part of the business segment and Paul chatted to the team about some consumer protection issues, transparency, terms and conditions and privacy concerns.

Fortunately, Ballz Radio publishes the audio and video of its interviews. The audio was embedded in the original post as a SoundCloud player.

POPI compliance and your plan to fail

The Protection of Personal Information Act has been in the pipeline for so long I keep expecting someone to develop a drinking game around “POPI” mentions at conferences (every time a speaker says “POPI”, everyone takes a drink). The Bill was passed by Parliament and the President has signed it into law as the Protection of Personal Information Act (No. 4 of 2013). The next step is for the commencement date to be proclaimed in the Government Gazette, which starts the final countdown to implementation and a compliance deadline. A copy of the Act was attached at the bottom of the original post for your reading pleasure.

Unfortunately many companies may have left their preparation too late, especially the larger companies, and have not yet established a complete set of practices and processes to ensure their compliance with POPI’s many requirements. Although companies will likely have a year before many of POPI’s compliance requirements go into effect, a year is simply not enough time to prepare adequately. Compliance isn’t just a matter of writing a privacy policy and publishing that. In order to comply with POPI, organisations have to ensure that all their underlying processes are aligned with POPI’s requirements. In this sense a privacy policy is really more of a description of a series of data protection practices which have been implemented throughout the organisation. If there is a disconnect between your organisation’s practices and processes and what the privacy policy describes, the consents you are hoping to obtain through the privacy policy will amount to little more than lip service to the legislative framework it serves.

Something else to bear in mind is that a data gold rush before POPI comes into effect may amount to a waste of time, money and effort. Some of my colleagues have advised their clients that POPI will not have retrospective effect so anything done before POPI goes into effect will not be affected by POPI’s more stringent restrictions. They are likely correct about POPI not having retrospective application but POPI’s compliance requirements will almost certainly not be waived just because you collected personal information before POPI’s implementation date. If, for example, you don’t obtain adequate consent for your intended personal information uses before POPI is implemented, I doubt very much that this will be excused once POPI goes into effect and you could find your shiny data treasure trove is tainted, must be discarded and you will have to start again and do the work you should be doing now (if you haven’t done it already).

The bottom line, so to speak, is that if you haven’t prepared for POPI you may not have much time left. As the saying goes, your failure to plan for POPI is, effectively, your planned failure to comply.

That said, here are a few next steps on your road to compliance:

  1. Review your processes which touch on personal information collection and processing. The best data protection policies are useless if your underlying processes are not going to comply with POPI’s requirements. Your marketing teams, in particular, need to understand how POPI affects them and must assess their databases, marketing initiatives and other personal information-related activities. Don’t forget to include internal data processing in your review. You will have to apply similar principles to the personal information you process internally so your human resources people need to be involved too.
  2. Align your marketing initiatives with your organisation’s compliance requirements and your underlying processes. Marketing campaigns rely on personal information and they have to be supported by the day to day data processing workflows and, in turn, support essential policy frameworks. Don’t just leave this up to your marketing teams, you need people who understand POPI’s impact and can mediate between Marketing/Communications and Legal/Compliance imperatives.
  3. Take into account industry regulatory frameworks like the WASPA Code of Conduct. It is now backed by a law and could have a fundamental impact on any mobile initiatives you are running. Failure to comply with WASPA’s Code and its Advertising Rules can behead a mobile campaign that relies on mobile short codes, for example.
  4. Develop and implement clear and practical privacy or data protection policy frameworks. These policy frameworks must be supported by the practical realities of how your teams handle personal information every day. A policy framework in a process vacuum is pretty ineffective and a pretty short road to reputational harm and regulatory attention.

Preparing for POPI is not a quick and easy process. I’m not saying this because it is one of my focus areas: the more you delve into the law, the more you realise what a mammoth undertaking it is. Call me if you could use some help. Alternatively, read the Direct Marketing Legalities Survival Guide I published earlier this week. I explain many of the compliance requirements in POPI and other legislation like the Electronic Communications and Transactions Act and Consumer Protection Act as well as WASPA and ISPA Hall of Shame considerations.

Consent for Direct Marketing Under POPI

The Protection of Personal Information Act has particular interest for direct marketers because of the likely substantial impact the legislation will have on consumer-facing initiatives when it goes into effect. POPI has a section that deals specifically with direct marketing and introduces a consent model designed for it. It is an interesting model and I’ll explain why in a moment. In the meantime, it is worth reading the earlier posts in this series if you haven’t already.

Protection of Personal Information Act’s section 69 is titled “Direct marketing by means of unsolicited electronic communications”. It begins with the following general prohibition on –

The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail …

unless the data subject[1] either consents[2] or, importantly, is the responsible party’s[3] customer.

If, on the other hand, the consumer (or data subject) is not the provider’s (responsible party) customer and if the consumer has not “previously withheld” consent, the provider has a once-off opportunity to send the consumer a request for the consumer’s consent to allow his or her personal information to be used for direct marketing purposes. In practice this is usually a message simply informing the consumer about the products or services the provider would like to market to the consumer and requesting consent. This once-off message should not be a marketing message because that would violate the general prohibition. It should be an information message and its specific format may be prescribed in regulations supporting the Protection of Personal Information Act in due course.

If the consumer consents then the provider will be entitled to use the consumer’s personal information for direct marketing purposes within the consent’s parameters. This may sound obvious but this can be a little tricky. The best way to obtain the quality consent the Protection of Personal Information Act contemplates (take another look at the consent definition[2]) is through a sufficiently detailed privacy policy document. This is a privacy policy’s role. It is the foundation of a compliant direct marketing campaign so do it properly!

If the consumer hasn’t given express consent through a privacy policy but is already the provider’s customer[4], the Act treats the existing customer relationship as a sufficient basis for marketing: a customer is presumed to be interested in learning more about the provider’s products or services. In this scenario, the provider can use the consumer’s personal information for marketing purposes where –

  1. the provider obtained the consumer’s personal information in the context of a sale of a product or service;
  2. “for the purpose of direct marketing of the [provider’s] own similar products or services”; and
  3. the consumer has been given “a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details” both at the time the consumer’s personal information was first collected and each time the provider communicates with the consumer for marketing purposes (and provided the consumer did not refuse such use when first given the opportunity).

Lastly, each communication for the purpose of direct marketing must contain both the provider’s identity and contact details which the consumer can use to opt out of further marketing communications.
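As an added illustration (this is not code from the original post, nor anything the author’s firm has published), the following Python encodes the section 69 sequence set out above as a send-time gate: express consent scoped to the purpose it was given for, the existing-customer route for the provider’s own similar products, the once-off consent request where consent has not previously been withheld, and the requirement that every message carry the sender’s identity and opt-out contact details. The record fields, the use of purchase categories as a proxy for “similar products or services”, the one-request-per-contact rule and the sample contacts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List


class Decision(Enum):
    SEND = "send"                        # marketing message may go out
    REQUEST_CONSENT = "request_consent"  # only the once-off consent request may go out
    BLOCK = "block"                      # no electronic direct marketing to this person


@dataclass
class Contact:
    """One data subject record. Field names are assumptions made for this example."""
    email: str
    consent_purposes: FrozenSet[str] = frozenset()     # purposes covered by express consent
    withheld: bool = False                              # previously withheld consent when asked
    objected: bool = False                              # objected / opted out of marketing
    is_customer: bool = False                           # existing customer of the responsible party
    collected_in_sale: bool = False                     # details obtained in the context of a sale
    purchased_categories: FrozenSet[str] = frozenset()  # proxy for "own similar products or services"
    consent_requested: bool = False                     # the single permitted request already used


@dataclass
class Message:
    purpose: str           # product category being marketed
    sender_identity: str   # responsible party's identity, required in every message
    opt_out_contact: str   # contact details the recipient can use to opt out, also required


def message_is_compliant(msg: Message) -> bool:
    """Identity and opt-out contact details must be present in every communication."""
    return bool(msg.sender_identity.strip()) and bool(msg.opt_out_contact.strip())


def decide(contact: Contact, msg: Message) -> Decision:
    """Apply the section 69 sequence to one contact for one message."""
    if not message_is_compliant(msg) or contact.objected:
        return Decision.BLOCK
    if msg.purpose in contact.consent_purposes:          # express consent within its parameters
        return Decision.SEND
    if (contact.is_customer and contact.collected_in_sale
            and msg.purpose in contact.purchased_categories):  # existing-customer route
        return Decision.SEND
    # No usable consent: the once-off request is available only if consent was never
    # withheld and the request has not been used (assumption: one request per contact).
    if not contact.withheld and not contact.consent_requested:
        return Decision.REQUEST_CONSENT
    return Decision.BLOCK


def run_campaign(contacts: List[Contact], msg: Message) -> Dict[str, Decision]:
    """Decide for every record and burn the once-off request where it is used."""
    outcome: Dict[str, Decision] = {}
    for c in contacts:
        d = decide(c, msg)
        if d is Decision.REQUEST_CONSENT:
            c.consent_requested = True
        outcome[c.email] = d
    return outcome


def sample_contacts() -> List[Contact]:
    """Constructed records for this example, not real data."""
    return [
        Contact("a@example.com", consent_purposes=frozenset({"books"})),
        Contact("b@example.com", is_customer=True, collected_in_sale=True,
                purchased_categories=frozenset({"books"})),
        Contact("c@example.com", is_customer=True, collected_in_sale=True,
                purchased_categories=frozenset({"furniture"})),
        Contact("d@example.com"),
        Contact("e@example.com", withheld=True),
        Contact("f@example.com", consent_purposes=frozenset({"books"}), objected=True),
    ]


if __name__ == "__main__":
    msg = Message("books", "Example Books (Pty) Ltd", "optout@example.com")
    contacts = sample_contacts()
    for email, d in run_campaign(contacts, msg).items():
        print(email, d.value)
    # Second run: d has used its once-off request and is now blocked.
    print("d@example.com second run:", run_campaign(contacts, msg)["d@example.com"].value)
```

Note that contact c is an existing customer but bought furniture, so the “similar products” route does not cover a books campaign and the gate falls through to the once-off consent request; contact f has express consent but has since objected, which ends marketing regardless of the earlier consent. The `consent_requested` flag must be persisted, since the once-off request cannot be repeated on the next campaign.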

This basic model isn’t totally new. It has existed for some time in other regulatory frameworks like the WASPA Code of Conduct (mobile service providers will be familiar with this mechanism). It does represent a broader shift in South African law because the Protection of Personal Information Act will establish minimum requirements for practically all direct marketing communications, particularly from a consent perspective.

If you are engaged in direct marketing, this is a pretty important aspect of the Protection of Personal Information Act for you. This isn’t the only legislation dealing with direct marketing, though, just arguably the most important from a privacy perspective. The Consumer Protection Act, for example, deals with other issues relating specifically to direct marketing such as cooling off periods for sales made through direct marketing (there is some overlap with the Electronic Communications and Transactions Act which also deals with cooling off periods, and which Act applies will depend on what was sold and how).

In the meantime, it is worth taking some time to explore how your direct marketing activities may need to change to accommodate the Protection of Personal Information Act’s compliance requirements. You may not need to make substantial changes, only make sure you have an adequate privacy policy framework and the back-end systems to properly process opt-ins and opt-outs. Whatever your particular requirements may be, time is running out. The Protection of Personal Information Act has been passed by Parliament and is likely before the President awaiting his signature, after which it will be brought into effect.


  1. ‘‘data subject’’ means the person to whom personal information relates.  ↩
  2. ‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.  ↩
  3. ‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.  ↩
  4. Express consent would be required where a consumer is approached for the first time by a provider’s representative and asked to consent to direct marketing. An example could be a consumer who completes a feedback form at a bookstore which includes a section requesting permission to send the consumer marketing information about book sales and specials. On the other hand, a consumer who has already bought books from the bookstore is, obviously, already a customer and the rules change somewhat.  ↩

The Path to the spam Dark Side is paved with lawyers’ wishful thinking

The path of the righteous man is beset on all sides by the iniquities of the selfish and the tyranny of evil men. Blessed is he who, in the name of charity and good will, shepherds the weak through the valley of darkness, for he is truly his brother’s keeper and the finder of lost children. And I will strike down upon thee with great vengeance and furious anger those who attempt to poison and destroy my brothers. And you will know my name is the Lord when I lay my vengeance upon thee.

This quote from the movie Pulp Fiction is a colourful reminder to direct marketers intent on taking liberties with consumers’ personal information. The self-proclaimed “personal network”, Path, has recently come under a considerable amount of scrutiny due to its apparent practice of spamming users’ contacts through its mobile apps. According to an article in The Verge, “Path is spamming address books with unwanted texts and robocalls — again”

Path, the photo-centric social network that just hit 10 million users yesterday, has been getting some heat for what some users say are spammy tactics to recruit new users. Digital marketer Stephen Kenwright downloaded the app earlier this week, tried it out, uninstalled it, and went to bed. When he woke up, he found that Path had gone on a rogue mission early in the morning, texting and robocalling an unknown number of his contacts, including his grandparents.

By the time Kenwright got to work, it became clear that Path had gotten in touch with his entire phone book. Coworkers, friends, and family were asking him about the text or phone call they’d received from Path, which stated that Kenwright wanted to share photos with them.

Path’s Dave Morin defended Path’s privacy practices in an interview with AllThingsD. Mike Isaac’s article, Dave Morin Talks About the Hyper-Growth Pains of Path examines Morin’s claims, particularly his assertion that “Path does not spam users”. Morin insisted that –

Invites on Path are never sent without a user’s consent — any allegations to the contrary are false.

This may be technically correct but, as Isaac notes –

Here’s the big issue: During the invitation process, check-boxes are automatically marked to send messages to your friends, which means you have to uncheck them in order not to send out invites. Technically it’s an opt-in process to send out those invites, as the user must tap a button to send them out. But for the average user who is not paying close attention and just wants to get to the app, it’s easily something that could be missed — and, ultimately, could feel like Path has spammed your network of friends.

What this model ignores is that the personal information being used to reach out to your contact through the app to promote Path is not the user’s, it belongs to the user’s contacts. As I pointed out in our previous post titled “Processing, personal information and direct marketing under POPI“, the definition of “personal information” is pretty broad:

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

Take this a step further and consider whose consent is required. The Protection of Personal Information Bill defines consent as follows:

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

Consider that the personal information Path uses to reach out to users’ contacts belongs to those contacts and those contacts are probably not current Path users who have consented to Path contacting them and the result is that Path has violated their privacy. When a Path user taps the button to send the messages out to his or her contacts, that isn’t consent from those contacts to Path, that is, at best, the Path user indicating to Path that the contacts probably won’t mind being contacted. Perhaps the messages are sent with the user’s consent, as Morin insists, but that is largely irrelevant.

Path services integration screenshot - iPad

What is interesting about this story is that it highlights a mindset local marketers seem to be latching on to. Path is relying on some pretty technical explanations for why its promotional practices are not “spammy” by pointing to consents given and choices made by users. To a large extent, this is a valid model when applied at scale and is in fairly widespread use. Users consent to privacy policies all the time without being particularly mindful of having done so. It is a flawed model but the alternative is just not practical. What is problematic is when marketers forget the broader context within which they operate. Simple, technical consent may be fine from a legal perspective (with the appropriate privacy policy framework in place). That isn’t particularly comforting to consumers who are alarmed when they discover precisely what they have consented to and lash out at the provider. This controversy over Path’s approach is the latest of a long line of case studies.

As the Protection of Personal Information Act approaches (theoretically), many of my colleagues are adopting technically correct, although short-sighted, approaches to privacy law compliance. The latest example I read recently is an article explaining the current legal requirements for consent in a marketing context. The thoughtful article reviews applicable legislation and points out that the current paradigm is still largely opt-out. Changes to the Electronic Communications and Transactions Act will alter that position when it comes to electronic communications. Until the Protection of Personal Information Act comes into effect, the general paradigm remains “opt-out” and this is what my colleagues are pointing out to marketers who are, rightfully, concerned that the Protection of Personal Information Act threatens their survival unless they take decisive action soon to adapt.

What my colleagues don’t point out is that it isn’t just about the legislation in place. They also have to consider the WASPA and ISPA Codes of Conduct if they use SMS or email for their campaigns. More importantly, my colleagues don’t seem to be pointing out the big downside for marketers who adopt a strictly self-serving approach to their campaigns and treat their consumers like commodities. Reputational harm could be devastating to marketers who don’t take their consumers’ interests into account. Marketers may be acting in compliance with current legal requirements when they send unsolicited marketing materials to consumers and then rely on opt-out mechanisms when consumers complain but how does that assist them when outraged consumers revolt and take their frustrations online?

Another difficulty with the “make hay while the sun shines” approach to direct marketing is that it doesn’t take into account how the Protection of Personal Information Act will apply to personal information collected before it goes into effect: the Act may not be retrospective, but its compliance requirements will still apply to that data once it is in force. I had a few thoughts about this last week:

Planning for the Protection of Personal Information Act is not a small endeavour and taking shortcuts to preserve current business models may turn out to be disastrously short-sighted in the year or two ahead. My colleagues may be correct in their approach and their clients may be able to adopt a relatively liberal interpretation of the Protection of Personal Information Act and its implementation. I have a different take on how the Act will apply, especially given its broader role as substance for the Constitutional right to privacy. Going beyond the Act’s interpretation and application by the proposed Regulator and Courts, the risk of being too careless with consumers’ personal information could have even more dire consequences for brands than legal non-compliance.

Consumer activism is swift and brutal and doesn’t pay much heed to legal technicalities.

Processing, personal information and direct marketing under POPI

I touched on consent as a key consideration in the Protection of Personal Information Act (expected to be passed shortly) in our recent post titled “POPI is a steep, uphill climb for direct marketers“. As I pointed out in that post, the consent issue (the video embedded in the original post summarises consent as a key concept and why it is so important in direct marketing), while critical, just scratches the surface. There is a lot more to the anticipated Protection of Personal Information Act and, in this post, I’d like to give you an overview of two further important terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”.

Personal Information and Processing

Before you can understand the Act’s processing conditions (the subject of upcoming posts), you need to understand two further terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”. The “personal information” definition is pretty broad. It includes all the usual categories of personal information and a great deal more:

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

Several aspects of the “personal information” definition deserve attention because these categories of personal information are not always recognised as such. For example, “any identifying number, symbol” or “online identifier” could include a Twitter handle or pseudonym (assuming it could be associated with an identity). “Personal opinions, views or preferences” covers a wide range of questions marketers often ask people in surveys and competitions. Add to this other people’s “views or opinions” about your data subject and you’re now dealing with personal information about person A which you obtain from person B and which is also person B’s personal information, so you potentially need to obtain consent from both people.

The next important term is “processing”. This is the term used for a variety of activities pertaining to how personal information is handled. It is also fairly broad:

‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

This definition categorises virtually any action relating to personal information as “processing”, and processing is what the Act regulates: for direct marketers that generally means the data subject’s consent is required. As the definition’s lead-in indicates, this covers both single actions and groups of actions or, as the definition puts it: “any operation or activity or any set of operations”. Like I said, it is broad, very broad.

Both of these terms form part of the foundation of an adequate privacy model that direct marketing businesses should have in place already or, at the very least, should be actively developing. We will explore more POPI themes in an upcoming series of posts about the processing conditions in this anticipated legislation in more detail. The processing conditions establish a series of parameters that will shape direct marketing campaigns and other activities that make use of personal information for quite some time to come.

POPI compliance is a steep, uphill climb for direct marketers

The Protection of Personal Information Act is going to have a radical impact on the direct marketing industry and a number of direct marketing businesses are going to shut down because they won’t be able to adapt and remain viable, especially if they don’t take action right away. If you don’t have a direct marketing business that is already based on a truly consensual business model (bearing in mind the consent model in the Protection of Personal Information Bill), you simply can’t afford to waste any more time.

Direct marketers who are working towards bringing their businesses into line with the Protection of Personal Information Bill, which is expected to be finalised and put to a vote by 6 March 2013, may have a lot of work ahead of them. What is worrying is that many direct marketers don’t really appreciate just how much work they have to do. Ignorance isn’t bliss, it is a recipe for disaster.

We’ve been working with clients on bringing their direct marketing businesses into line with the Protection of Personal Information Act. The first step is understanding the business’ current degree of compliance and, more often than not, there are compliance gaps big enough to float a cruise liner through. The first thing that direct marketers need to understand is that the starting point is not the direct marketer’s current systems and processes but rather its database’s origins and the consents which were given to compile the database the direct marketing business is based on.

As a general rule[1], personal information must be collected directly from the data subject[2] (where I refer to a consumer in this post, I am referring to a consumer as a data subject) who must also consent to how the personal information will be “processed”[3]. We’ve seen letters from data suppliers simply stating that consumers have “consented” or “opted in” to their personal information being collected, added to the databases they have supplied and for the purposes those databases are to be used. That just isn’t enough of an indication of what the consumers have given their consents for.

Consent is not just some generic approval for some personal information to be collected and used for marketing purposes. The consent has to be very specific. It has to be –

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

If you break that down, consent, under the Protection of Personal Information Bill –

  • can’t be taken from the data subject involuntarily (this sounds obvious but how many campaigns purport to take a consent without the data subject being aware that he or she is giving consent for anything?);
  • has to be specific and must relate to specific uses and conditions instead of a general purpose consent for vague uses under the umbrella term “marketing purposes”;
  • has to be informed (this ties in with the specificity requirement) so the data subject is well aware of what personal information is being collected; what that personal information is going to be used for; how the personal information will be handled; and under which circumstances the personal information will be disclosed, and to whom.

A consumer must also give consent explicitly. This is borne out by the phrase “expression of will” which implies some sort of express act and not an implicit understanding that consent is required for some or other purpose.

Once you understand that consent is a fundamental requirement for personal information to be processed, and that it must be obtained from the data subject directly, the consequence for subsequent processing follows: that consent governs every later use of the data subject’s personal information, and if a later use is not adequately covered by the original consent, it will probably infringe the data subject’s privacy rights and fall foul of the Protection of Personal Information Act.

As a direct marketer, your entire business rests on the quality and scope of the consents that relate to each and every record in your database. Those consents must cover aspects such as –

  • what personal information is being processed (can you use the data subject’s name, phone number and email or did the data subject only consent to you using a phone number, for example?);
  • which personal information can be processed for which campaign or use (did the data subject consent to receive marketing information about cars and you are marketing furniture?);
  • have you received consent to process the data subjects’ personal information or was consent only given to your source (if consent was not given to you, specifically, you may still be permitted to process the personal information depending on your relationship with the party that received the consent).
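The three scope questions above, together with the voluntary, specific, informed and explicit qualities of consent described earlier, can be expressed as a record-level check over a marketing database. This is an added example and not code from the post or its author; the record layout, the field names and the sample records are constructed for illustration.

```python
"""Consent-scope check for a direct-marketing database (constructed example).

Each Consent records what the data subject actually agreed to at collection:
which attributes, for which purposes, and to which organisation(s). A
Campaign is a planned use. consent_gaps() lists every way the consent
falls short of covering the campaign; an empty list means it is in scope.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Consent:
    subject_id: str
    attributes: frozenset    # e.g. {"name", "phone"}
    purposes: frozenset      # e.g. {"marketing:cars"}, not just "marketing"
    recipients: frozenset    # organisations the consent was given to
    explicit: bool = True    # an express act, not an implied understanding
    voluntary: bool = True
    informed: bool = True


@dataclass(frozen=True)
class Campaign:
    processor: str           # who will process the records
    purpose: str
    attributes: frozenset    # attributes the campaign needs


def consent_gaps(consent, campaign, source_affiliates=None):
    """Reasons why `consent` does not cover `campaign` (empty list = covered).

    source_affiliates (hypothetical) maps a recipient to processors it may
    pass data to; the post notes that processing without a consent given to
    you specifically depends on your relationship with the party that got it.
    """
    gaps = []
    if not (consent.voluntary and consent.informed and consent.explicit):
        gaps.append("consent not voluntary, informed and explicit")
    missing = campaign.attributes - consent.attributes
    if missing:
        gaps.append(f"attributes not consented: {sorted(missing)}")
    if campaign.purpose not in consent.purposes:
        gaps.append(f"purpose not consented: {campaign.purpose}")
    permitted = set(consent.recipients)
    for recipient in consent.recipients:
        permitted |= set((source_affiliates or {}).get(recipient, ()))
    if campaign.processor not in permitted:
        gaps.append(f"consent not given to {campaign.processor}")
    return gaps


def audit(records, campaign, source_affiliates=None):
    """Map subject_id -> gaps for every record the campaign may not use."""
    return {c.subject_id: g for c in records
            if (g := consent_gaps(c, campaign, source_affiliates))}


# Constructed sample database: three records obtained from a data supplier.
SAMPLE_DB = [
    Consent("s1", frozenset({"name", "phone", "email"}),
            frozenset({"marketing:furniture"}), frozenset({"AcmeMarketing"})),
    Consent("s2", frozenset({"phone"}),
            frozenset({"marketing:cars"}), frozenset({"DataSupplierCo"})),
    Consent("s3", frozenset({"name", "email"}),
            frozenset({"marketing:furniture"}), frozenset({"DataSupplierCo"}),
            explicit=False),
]
FURNITURE_EMAIL = Campaign("AcmeMarketing", "marketing:furniture",
                           frozenset({"name", "email"}))

if __name__ == "__main__":
    for sid, gaps in audit(SAMPLE_DB, FURNITURE_EMAIL).items():
        print(sid, gaps)
```

Record s1 passes; s2 fails on attributes, purpose and recipient; s3 fails because its consent was never explicit and was given to the supplier, not the marketer.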

Another problematic practice is enriching databases using 3rd party data sources. Firstly, under the Protection of Personal Information Act this can only be done with the Regulator’s consent[4]. Secondly, you also have to take into account that the requisite consents must have been given to the parties you obtain the additional personal information from, both for adding it to your databases and for processing that additional personal information in the manner in which you intend to process it.

Of course there are also specific provisions in the Protection of Personal Information Bill that deal with direct marketing[5] which impose additional requirements on direct marketers when it comes to the forms of consents required in different contexts. The Electronic Communications and Transactions Act is also about to be amended to support the opt-in requirements for so-called “electronic communications” and I expect the Consumer Protection Act will be amended to close the opt-out loophole too.

This only really just scratches the surface of the analysis that has to take place just to determine how much work a direct marketing business has ahead of it to bring it into line with the Protection of Personal Information Act when it goes into effect (if everything stays on track, this could be around March 2014). The process of identifying the gaps can take months, the process of changing a business model to adapt to the necessary changes could take longer. We and other lawyers in this space have been talking about the need to perform the necessary analysis and introduce the necessary changes for some time now. It is a long and complex process.

The Protection of Personal Information Act is going to have a radical impact on the direct marketing industry and a number of direct marketing businesses are going to shut down because they won’t be able to adapt and remain viable, especially if they don’t take action right away. If you don’t have a direct marketing business that is already based on a truly consensual business model (bearing in mind the consent model in the Protection of Personal Information Bill), you simply can’t afford to waste any more time.

As we mentioned at the beginning of our post, we are working with clients to help them adapt to the coming changes. We have developed a detailed and comprehensive compliance gap analysis and review model which we use to gain a detailed understanding of our clients’ businesses and give specific advice on how to close the gaps.

Contact us if you would like us to assist you.

  1. Section 12 of the Protection of Personal Information Bill
  2. Defined as “the person to whom personal information relates”
  3. “processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
     (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
     (b) dissemination by means of transmission, distribution or making available in any other form; or
     (c) merging, linking, as well as restriction, degradation, erasure or destruction of information
  4. Section 57(1)(ii)
  5. Section 69

Time is running out to publish your PAIA Manual

Time is running out for private bodies to prepare and publish their Promotion of Access to Information Act manuals. The exemption the Minister of Justice and Constitutional Development granted in August 2005 will expire in just a few weeks, on 31 December 2011. From 1 January 2012, the heads of those private bodies which haven’t prepared and published their Promotion of Access to Information Act manuals may be subject to a fine and imprisonment.

What is the Promotion of Access to Information Act?

The Bill of Rights includes the right of access to information, largely as a response to the previously secretive and oppressive National Party regime (a little ironic considering the controversial Protection of State Information Bill). Section 32 of the Bill of Rights provides as follows:

32 Access to information

(1) Everyone has the right of access to-

(a) any information held by the state; and
(b) any information that is held by another person and that is required for the exercise or protection of any rights.

(2) National legislation must be enacted to give effect to this right, and may provide for reasonable measures to alleviate the administrative and financial burden on the state.

The Promotion of Access to Information Act was passed in 2000 to give effect to this right. It went into effect on 9 March 2001 and the Act’s stated purpose is as follows:

To give effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights; and to provide for matters connected therewith.

One of the Promotion of Access to Information Act’s central requirements was that public and private bodies publish manuals disclosing the types of records in their possession and how so-called “requesters” may access those records. Before going further, it’s worth expanding a couple of defined terms in the Act.


Defined terms

The Promotion of Access to Information Act refers to the “head” of a private body as the person responsible for compliance with the Act. The Act defines the “head” as follows:

‘head’ of, or in relation to, a private body means-

(a) in the case of a natural person, that natural person or any person duly authorised by that natural person;
(b) in the case of a partnership, any partner of the partnership or any person duly authorised by the partnership;
(c) in the case of a juristic person-

(i) the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or
(ii) the person who is acting as such or any person duly authorised by such acting person;

Given the Act’s objectives, personal information held by public and private bodies becomes pretty important as this may be the sort of information a requester may require in order to “exercise or [protect] any rights”. “Personal information” is defined as follows:

‘personal information’ means information about an identifiable individual, including, but not limited to-

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual;
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
(c) any identifying number, symbol or other particular assigned to the individual;
(d) the address, fingerprints or blood type of the individual;
(e) the personal opinions, views or preferences of the individual, except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual;
(f) correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the individual;
(h) the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual, but excluding the name of the other individual where it appears with the views or opinions of the other individual; and
(i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual,

but excludes information about an individual who has been dead for more than 20 years;

The personal information definition is pretty broad, and one industry to which this potentially becomes very relevant is the direct marketing industry, which collects a lot of this personal information about the people on its databases. Consumer facing businesses will also collect personal information about their customers over time and this Act is directly applicable to those businesses, particularly in light of the Consumer Protection Act.

The Promotion of Access to Information Act refers to public and private bodies. I am focusing on “private bodies” for the purposes of this post and the Act defines “private bodies” as follows:

‘private body’ means-

(a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity;
(b) a partnership which carries or has carried on any trade, business or profession; or
(c) any former or existing juristic person,

but excludes a public body;

The “private bodies” definition covers virtually all aspects of commercial enterprise ranging from sole proprietors to partnerships to companies.

When it comes to “requesters” in the context of private bodies, the Act defines a “requester” as follows:

‘requester’, in relation to-

(a) a public body, means-

(b) a private body, means-

(i) any person, including, but not limited to, a public body or an official thereof, making a request for access to a record of that private body; or
(ii) a person acting on behalf of the person contemplated in subparagraph (i);

A “person”, in turn, is defined as either a natural person (legalese for a human being) or a juristic person like a close corporation or company.

Railway Post Office Clerks at Work

Manuals and records disclosures

The Promotion of Access to Information Act requires private bodies to prepare and publish manuals which explain to the public what records they hold and how to access those records. The process of requesting and obtaining records is fairly clearly regulated and fees associated with requests are specified in the legislation. A substantial portion of the Act is dedicated to the manuals which public and private bodies must compile and when these must be published. The central section relating to private bodies’ manuals is section 51 which provides as follows:

51 Manual

(1) Within six months after the commencement of this section or the coming into existence of the private body concerned, the head of a private body must compile a manual containing-

(a) the postal and street address, phone and fax number and, if available, electronic mail address of the head of the body;
(b) a description of the guide referred to in section 10, if available, and how to obtain access to it;
(c) the latest notice in terms of section 52 (2), if any, regarding the categories of record of the body which are available without a person having to request access in terms of this Act;
(d) a description of the records of the body which are available in accordance with any other legislation;
(e) sufficient detail to facilitate a request for access to a record of the body, a description of the subjects on which the body holds records and the categories of records held on each subject; and
(f) such other information as may be prescribed.

(2) The head of a private body must on a regular basis update the manual referred to in subsection (1).

(3) Each manual must be made available as prescribed.

Compiling a manual isn’t a simple matter as it has to accommodate all “records” a private body holds which are subject to disclosure (not all records must be disclosed). The Act initially required these manuals to be prepared by early September 2001 but the Minister of Justice and Constitutional Development granted smaller private bodies a broad exemption from complying with the Act’s requirement to publish a manual, based on their turnover and industry. This exemption expires on 31 December 2011 and, while an amendment to the Promotion of Access to Information Act limiting its application to private bodies above a certain size has been proposed, it does not appear to have been passed, so all private bodies will have to comply from 1 January 2012.

The South African Human Rights Commission was mandated to publish a guide to the Promotion of Access to Information Act as well as to assist with compliance with the Act or to assist persons wishing to invoke the Act’s provisions. The Commission’s Promotion of Access to Information Act help page contains a handy summary of section 51’s requirements and what a manual should contain:

In terms of section 51 of PAIA, the head of a private body must:

  • compile a section 51 manual which is a roadmap of the company
  • submit the manual to the South African Human Rights Commission once
  • effect material changes if any each time these occur and resubmit to the SAHRC
  • electronic submissions to the Commission are accepted, sent to dmalesa@sahrc.org.za thereafter followed by hard copy originals;
  • manuals must be submitted to SAHRC head office at the address listed below
  • update any material changes on the manual on a regular basis;
  • make the manual available as prescribed by the Act at the company offices and on their website;
  • must annex a request form to the manual and also make request form available on the website and at the company premises access points;
  • there are penalties for non-compliance – please see section 90 of PAIA, the Commission has not imposed fines for non-compliance to date but reserves the right to do so.

The manual must among others contain the following information:

  • details of the company’s postal, email and street address, fax and phone of the company,
  • the description of available records generated by the company stating those which are automatically available and those that are available on request.
  • outline the request procedure in terms of PAIA;
  • state who the head of the company is (CEO is usually the Information Officer in terms of PAIA)
  • stipulate the fees applicable as legislated by the Act which are chargeable to requesters
  • remedies available to requesters if their request for information has been refused
  • details facilitating request for access to a record etc.

Aside from the statutory obligation on all businesses to publish manuals, this legislation will be of particular interest to businesses which tend to collect a fair amount of information about other people. As I mentioned above, these businesses include direct marketing businesses (already under a spotlight with the Consumer Protection Act’s marketing restrictions and the upcoming Protection of Personal Information Bill which specifically targets direct marketing activities) and consumer facing businesses, generally. That said, because requesters can be individuals and businesses and because the Promotion of Access to Information Act doesn’t limit itself to consumer facing private bodies, all businesses should be working on their manuals and having them submitted before the deadline, if possible, or as close to it as they can.

It is also worth noting that, in the case of private bodies, the person responsible for Promotion of Access to Information Act compliance is generally the business’ head and that is the same person who could find him or herself fined and imprisoned for non-compliance with the Act.

Once a business has published its manual, it should develop an effective procedure to handle requests for records. This procedure should include a process for assessing requests’ validity, identifying and locating the requested records and making those records available to the requester on payment of the prescribed fees. Ideally this procedure should be well thought out, with responsible persons within the business identified to facilitate the procedure and trained on the relevant requirements.

Assistance with manual preparation and publication

Given the amount of information available about the Promotion of Access to Information Act and manuals in particular, it is possible for businesses to prepare and publish their manuals internally. It does require familiarity with the Act and its requirements and it’s a good idea to obtain a copy of the Commission’s guide and work through that. Alternatively, we are available to assist businesses with their manual’s preparation, submission and publication (bear in mind the manual should be published through your website too) over the coming weeks. Contact us for more information if you require assistance.

Google+ Pages off to a good start for consumers

Google released Google+ Pages for brands publicly last night (South African time) to much excitement on the Web. Google+ has, until now, been reserved for humans posting as themselves and Google has been criticized for not allowing brands to create pages and for insisting that users use their real names and not pseudonyms (Google seems to have reversed course on this and is expected to announce support for pseudonyms soon). The elephant in the room has been brands’ inability to create a presence on the growing platform.

Google+ Pages have a number of similarities to personal profiles including their basic design and functionality. Businesses can publish posts, photos, videos, run Hangouts (a very appealing and engaging video conferencing solution) and participate in comment threads as the brand. I enjoy using Google+ and have seen some pretty high engagement levels there. It is a product designed for engagement.

web.tech.law - Google+

That said, there are some very interesting differences between Pages and profiles which are pretty good for consumers weary of the constant flow of direct marketing material. Susan Beebe, a Dell Corporate PR and Social Business Strategist listed a number of differences in a post on Google+:

  • Pages can’t add people to circles until the page is added first or mentioned.
  • Pages can be made for a variety of different entities whereas profiles can only be made for people.
  • The default privacy setting for elements on your page profile is public.
  • Pages have the +1 button.
  • Pages can’t +1 other pages, nor can they +1 stuff on the Web.
  • Pages can’t play games.
  • Pages don’t have the option to share to ‘Extended circles’.
  • Pages don’t receive notifications via email, text, or in the Google bar.
  • Pages can’t hangout on a mobile device.
  • Local pages have special fields that help people find the business’ physical location.

Of these differences, the most significant difference for consumers is the first in that list: Pages can’t add people to circles until the page is added first or mentioned.

Explicit opt in on Google Plus for Pages

The reason this is so significant is that consumers must explicitly and specifically add brands to their circles (or, to use Twitter terminology, follow the brands) before those brands can publish posts targeted at those consumers. Until that point brands’ Pages remain publicly visible but their posts don’t enter consumers’ streams until they are followed. This model is similar to Twitter in that Twitter users won’t see brands’ tweets in their Twitter stream unless they follow the brand’s Twitter profile. As with Twitter, it also appears that a brand could publish a post which tags a consumer not following the brand on Google+ and get their attention that way.

It certainly appears that Google is thinking about building a product for brands that doesn’t overpower consumers’ streams with marketing messaging, although an option requiring that consumers add brands to their circles before brands can contact them at all (including by tagging) would protect consumers better.