Printing SA held a free webinar on the new regulatory requirements for compliance with the Protection of Personal Information Act (POPIA), also known as the POPI Act. Compliance with the POPI Act becomes mandatory for all registered businesses in South Africa from 1 July 2021.
According to the latest update on the Information Regulator's website, registration of an Information Officer (and Deputy Information Officer) for your business or your client's business opened on 1 May 2021. The registration form is available from the Information Regulator.
Safee Siddiqi, Senior Associate at Gunston Strandvik, discussed the importance of data privacy and protection, and how POPI sets conditions for the lawful processing of personal information in South Africa. Personal information is defined broadly and can cover anything from contact details and banking details to biometrics and personal opinions.
Siddiqi outlined the eight conditions for the lawful processing of personal information:
1. Accountability: the responsible party must be accountable.
2. Processing limitation: personal information may only be processed lawfully and in a reasonable manner that does not unnecessarily infringe the data subject's privacy.
3. Purpose specification: the purpose for which information is collected must be specific, explicitly defined and lawful.
4. Further processing limitation: further processing must be compatible with the purpose for which personal information is collected.
5. Information quality: reasonably practicable steps must be taken to ensure information is complete, accurate, not misleading and up to date, having regard to the purpose for which it is processed.
6. Openness: notify data subjects of certain aspects related to the processing of personal information, including why it is collected, the purpose for collection and how it will be used.
7. Security safeguards: steps must be taken to ensure that personal information is securely processed, stored and destroyed.
8. Data subject participation: the data subject has certain rights over their information, including the right to access it and to request its correction or deletion.
Also discussed:
– Special personal information (such as health, biometric or religious data), which may not be processed unless one of a limited set of requirements is met, for example consent from the data subject.
– Direct marketing/electronic direct marketing, which is generally prohibited unless certain requirements are met. There are different forms, with different rules. Consent must be given in the prescribed form, and there must be the option to opt-out.
– To comply with the POPI Act, you must register an information officer, who must conduct a personal information impact assessment to establish how compliant the business is with the Act and take steps to close any gaps.
– A privacy policy should be published on your website, an internal compliance framework should be implemented, and employment contracts should be amended where necessary.
– The Information Regulator has the power to issue an enforcement notice that legally requires a business to change its operations to comply with the POPI Act.
– The less sensitive the personal information you process, the lower the potential harm to data subjects if something goes wrong; the required safeguards should be proportionate to that risk.
– Secure the personal information you hold as well as is reasonably practicable.
Q&A:
1. How do you register for more than one information officer if you are responsible for more than one entity?
– There is currently an issue on the registration portal. The Information Regulator should be contacted directly.
2. How many deputy information officers can be registered?
– As many as you like.
3. What about the various forms of direct marketing, e.g. door drops, brochures, etc.?
– That kind of direct marketing does not contain personal information, and therefore falls out of the ambit for POPI, unless for some reason personal information is involved.
4. If you send a notification to a data subject, do they have to send confirmation or consent?
– It depends on the kind of notice that is being sent. If you send out a request for consent to direct market, then yes. If you believe you already had the consent, then no, they do not; you just need to make sure that you have done enough.
5. What about a telephone call regarding confirmation of employment?
– Find out from the person whose employment is being confirmed.
6. As printers we store artwork and templates for clients, what are the responsibilities towards doing this?
– It depends on what kind of personal information is in that template. If it does contain personal information make sure you have received consent for it. If it is a customer that supplies the information voluntarily, that takes care of the consent requirements.
7. What about the need for an unsubscribe tag?
– The act does not specifically state that you need an unsubscribe tab, but people need to easily be able to opt out of communications. It needs to be easy to unsubscribe.
8. In terms of cookies on websites, does the POPI Act have anything to do with that?
– The Act doesn’t expressly deal with cookies, but cookies can contain personal information and in that case will fall in the ambit of the Act. You need to delineate between the cookies that store your personal information and the ones that do not. If you are collecting personal information using cookies, then have your cookie policy on your website.
9. Many organisations upon entering them (ie car park, reception) request your ID, cell number, etc. How is this impacted by the POPI Act?
– In this case, information is provided with the data subject’s consent. That information will still need to be treated in accordance with POPI’s provisions and you will be entitled to make further enquiries if you would like.
10. Are schools/universities required to be POPI compliant?
– Yes.
11. Where can one get the copy of the POPI Act?
– The POPI Act and the POPI Regulations (linked documents).
12. Should data/information be kept in an encrypted environment?
– If feasible, yes, in all cases. If the exercise would be expensive or difficult, then consider how sensitive the information is and what the risk would be if there were a security compromise. The Impact Assessment Questionnaire that Gunston Strandvik prepares would aid you in conducting this risk analysis.
13. What do you do if debtors/creditors call companies for employees' information when the employees owe them money? Should companies first get consent from the employees before sharing information such as contact details with debtors/creditors?
– Yes. There is no law that forces employers to share this information with creditors.
14. What happens to printers who print for brokers and ad agencies where the client and the actual printing are not the same people? If we have permission from the broker, is that sufficient?
– This will depend on the circumstances but, ultimately, the broker/ad agency will be the responsible party and you will be an operator. Provided you have the right contract/mandate in place, you will not have any issues.
PRINTING SA
+27 11 287 1160
info@printingsa.org
http://www.printingsa.org