I touched on consent as a key consideration in the Protection of Personal Information Act (expected to be passed shortly) in our recent post titled “POPI is a steep, uphill climb for direct marketers”. As I pointed out in that post, the consent issue, while critical, just scratches the surface. I took this further in a subsequent post titled “Processing, personal information and direct marketing under POPI” where I explored two further fundamental terms, namely “personal information” and “processing” which have interesting implications for marketers in particular. The recording below is an overview of that post and the implications of those two terms.
There is a lot more to the anticipated Protection of Personal Information Act and, in this post, I’d like to introduce you to what are known as “Conditions for lawful processing of personal information”. These conditions effectively operate as processing parameters and will have a relatively subtle but substantial impact on direct marketing because they limit the scope of what personal information can be processed and for how long.
An Overview of the Processing Conditions
The Protection of Personal Information Act will have 8 processing conditions:
- Accountability
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Openness
- Security safeguards
- Data subject participation
In this post I’ll introduce you to the first two processing conditions, namely Accountability and Processing limitation.
Accountability
This condition essentially requires that the “responsible party” ensure that the various processing conditions (and the measures that give effect to them) are met and –
are complied with at the time of the determination of the purpose and means of the processing and during the processing itself
In other words, the responsible party is required to ensure the conditions are met at all times. So who or what is the responsible party? The “responsible party” means –
a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information
A “responsible party” is not to be confused with an “operator”, though. They are different parties in the context of this legislation: the responsible party is the one who decides why and how personal information is processed, whereas an operator is a person who processes personal information for a responsible party under a contract or mandate, without coming under that party’s direct authority.
Processing limitation
This condition is divided into 4 distinct requirements:
- Lawfulness of processing
- Minimality
- Consent, justification and objection
- Collection directly from the data subject
Lawfulness of Processing
This requirement is fairly self-explanatory and entails ensuring that personal information is not just processed “lawfully” but also reasonably, in a way that doesn’t infringe the data subject’s “privacy”. This second part is a little circular, because the Protection of Personal Information Act itself goes a long way towards unpacking privacy as a legal concept, and it also establishes a broad reasonableness requirement for personal information processing.
Minimality
This requirement is linked to the Purpose specification condition and states that, in addition to personal information being processed for a specific purpose, it may only be processed if, given that purpose, the processing is “adequate, relevant and not excessive”. It is an overarching limitation on top of the Purpose specification condition and serves as an additional layer of protection for data subjects against overreaching, even within the confines of the Purpose specification condition.
Consent, justification and objection
As this section’s name suggests, this is all about consent or, where there isn’t adequate consent, when processing personal information is otherwise justified and what the data subject can object to.
The starting point is that consent from a data subject is always the best option from the perspective that it incorporates informed and specific permission to process the personal information. Where the data subject is a child, you will need the child’s “competent person” to consent to processing the child’s personal information (there are a couple of additional restrictions later in the Bill regarding children’s personal information). Who is a “competent person”? According to the Bill, “competent person” means –
any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;
Consent isn’t the sole requirement to allow a party to process personal information. Other justifications include –
- processing necessary to conclude or perform in terms of a contract the data subject is a party to;
- where the processing is compliant with a legal obligation imposed on the responsible party (the party collecting the personal information);
- where processing the personal information would protect the data subject’s legitimate interest (this is pretty vague and bound to be the subject of much debate);
- where “processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied” (this is potentially even broader than the previous justification and isn’t constrained by the data subject’s interests).
Where a responsible party contends it/he/she received consent to process a data subject’s personal information, that responsible party will have to prove that. This means that documenting that consent is essential and preserving that documentation correctly is similarly essential. The requirements for data retention and preservation as evidence are spelt out in the Electronic Communications and Transactions Act and are worth reading very carefully when designing your data retention systems. Not being able to present admissible evidence of consents obtained could leave you in breach of the Act and subject to its penalties.
Consent isn’t irrevocable under the Protection of Personal Information Bill. A data subject can withdraw consent at any time but doing that doesn’t invalidate processing prior to withdrawing consent. Going further, a data subject can also object to his or her personal information being processed under the various justifications on “reasonable grounds”, although not where legislation requires that personal information processing. An example here is a law requiring a mobile network provider to collect consumers’ personal information under the Regulation of Interception of Communications and Provision of Communication-related Information Act. A consumer can’t object to personal information being collected in that context because the statute requires it.
Section 69 of the Protection of Personal Information Bill deals with direct marketing using electronic communications and includes provisions enabling consumers to object or withdraw consent to direct marketing. We’ll go into that section in more detail in a subsequent post.
Interestingly, this section of the Bill also provides that where a data subject has objected to personal information processing, the responsible party “may no longer process the personal information”. This section doesn’t seem to require that the objection be confirmed as valid, just that an objection halts the processing activity. The responsible party would presumably then have to establish that the objection wasn’t reasonable or was required by law to continue.
Collection directly from the data subject
This processing limitation, as its name suggests, requires that responsible parties collect personal information directly from the data subject. There are some exceptions to this requirement where, for example, the information is “contained in or derived from a public record or has deliberately been made public by the data subject”; where the data subject is a child and a competent person has consented to the child’s personal information being collected from “another source”; as well as where collecting the personal information from another source “would not prejudice a legitimate interest of the data subject”.
There are also a number of exceptions to this requirement based on necessity. These include law-enforcement requirements, steps taken to ensure compliance with legal obligations or to enforce legislation, the conduct of legal proceedings, the interests of national security, and maintaining the legitimate interests of the responsible party or of a third party to whom the information is supplied. Even further exceptions include situations where compliance would “prejudice a lawful purpose of the collection” or where compliance is “not reasonably practicable in the circumstances of the particular case”.
This limitation applies more to scenarios that do not involve some sort of law-enforcement requirement, or where either the data subject’s or the responsible party’s “legitimate interests” are involved. The “legitimate interests” concept is pretty broad and is not defined in the Bill. Where this limitation does have a real impact is on marketers who have, historically, been in the habit of aggregating marketing databases using multiple sources, many of which have been traded, enriched and expanded without much reference to the individuals concerned.
It is also worth bearing in mind that collection is distinct from the other requirements and processing conditions, such as consent and purpose specification (which we will deal with in a subsequent post). In other words, simply being able to collect the personal information does not automatically grant the responsible party the right to make use of the personal information for any particular purpose. A number of other processing conditions deal with what can be done with that personal information once it is collected.