The Protection of Personal Information Act (“the POPI Act”) sets out standards for the lawful processing of personal information. In previous blogs I have introduced some of the key concepts contained in the POPI Act (in the context of advocating the need for organisations to receive training on the POPI Act). In this blog I set out a DIY method as a first step to achieving compliance with the POPI Act.
Processing of personal information – the definition in the POPI Act.
The definition of “processing” is important because the POPI Act introduces a number of conditions for lawful processing. Before one can understand those conditions and how they apply to one’s company, one must first understand exactly what processing is and the ways in which the company actually processes personal information.
The definition of processing in the POPI Act is very wide and covers just about everything that one could dream of doing with personal information. Let’s dive right into the letter of the law. Section 1 of the POPI Act defines “processing” as “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including…” This introduction is then followed by a list of operations and activities: “collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use”; “dissemination by means of transmission, distribution or making available in any other form”; “merging, linking, as well as restriction, degradation, erasure or destruction of information.” You will agree that this pretty much covers everything you could possibly do with personal information. Even forgetting it could arguably fit within that definition!
A suggested method towards compliance with the POPI Act
The first step to achieving compliance with the POPI Act is to undertake an exercise to identify all of the personal information which is processed by your company. A suggested method of doing this is to draw up a table. First, name the rows of the table after all the ways in which personal information is processed in your company. So rows 1, 2, 3 and 4 may be collection, receipt, recording and organisation respectively. It is suggested that each type of processing be sub-divided so as to be as specific as possible. For example, how is personal information currently collected by your company? Make each of these collection methods its own row, and name as many rows as necessary.
The next step is to name the columns after each and every type of personal information your company handles. The columns would be types or examples of personal information as defined below. So, for example, columns 1, 2, 3, 4 and 5 may be name, sex, ID number, email address and phone number. Name as many columns as necessary, one for each different type of personal information.
Remember, “personal information” is defined as “information relating to an identifiable, living natural person, and where it is applicable, an identifiable, existing juristic person, including…” The definition then continues with a list of examples of personal information. The list is not closed: any other information which fits the definition is also covered.
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Once you have set up the table, begin to populate it by ticking each cell where a certain type of personal information is processed in a certain way. Working through this fairly exhaustive exercise, and the populated table that results from it, will give you a very good understanding of how your company processes personal information. This is the first step towards compliance with the POPI Act and towards ensuring that personal information is processed lawfully in terms of the conditions imposed by the POPI Act before it comes into force.
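As an added illustration of this exercise (example code written for this post, not part of the original), the following Python script builds the table from a constructed register of (processing operation, information type) pairs, renders it, and also lists the information types that appear in the register with no documented erasure or destruction operation, a gap this kind of inventory tends to surface. The register entries and operation names are constructed for the example.

```python
# Added example: the processing table described in the post, built from a
# constructed register of how a hypothetical company handles personal data.
# Rows are specific processing operations (sub-divided as the post suggests),
# columns are types of personal information, and a cell is ticked when that
# operation is applied to that type of information.

# Constructed register of (operation, information type) pairs. A real one
# would be compiled by asking each business unit what it does with data.
REGISTER = [
    ("collection: web sign-up form", "name"),
    ("collection: web sign-up form", "email address"),
    ("collection: web sign-up form", "phone number"),
    ("collection: HR onboarding", "name"),
    ("collection: HR onboarding", "id number"),
    ("collection: HR onboarding", "medical history"),
    ("storage: CRM database", "name"),
    ("storage: CRM database", "email address"),
    ("dissemination: marketing mailer", "email address"),
    ("erasure: account deletion job", "email address"),
    ("erasure: account deletion job", "name"),
]

def build_table(register):
    """Return (rows, cols, cells); cells[row][col] is True where ticked."""
    ticked = set(register)
    rows = sorted({op for op, _ in register})
    cols = sorted({info for _, info in register})
    cells = {r: {c: (r, c) in ticked for c in cols} for r in rows}
    return rows, cols, cells

def render(rows, cols, cells):
    """Plain-text rendering with an 'X' in every ticked cell."""
    width = max(len(r) for r in rows)
    lines = [" " * width + " | " + " | ".join(cols)]
    for r in rows:
        marks = ["X".center(len(c)) if cells[r][c] else " " * len(c) for c in cols]
        lines.append(r.ljust(width) + " | " + " | ".join(marks))
    return "\n".join(lines)

def types_without(register, prefixes=("erasure", "destruction")):
    """Information types in the register that never appear under an
    operation whose name starts with one of `prefixes`: data the company
    collects or stores but has no documented way of getting rid of."""
    covered = {info for op, info in register if op.startswith(prefixes)}
    return sorted({info for _, info in register} - covered)

if __name__ == "__main__":
    print(render(*build_table(REGISTER)))
    print("No erasure/destruction documented for:", types_without(REGISTER))
```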