The POPI Act is soon to be promulgated in its entirety, and in light of the Liberty data breach this week, corporates should be asking themselves now more than ever – how careful are we with our data?
Sizwe Snail ka Mtuze, member at the Information Regulator, and director at Snail Attorneys noted in an address at a GDPR and POPI seminar hosted by Xperien at SLOW in the City, that companies are already starting to behave in accordance with the Act, in order to get themselves up to speed for its ultimate implementation. “The regulator is active, and we are reviewing cases already,” he said.
Snail ka Mtuze discussed the eight conditions of lawful processing of personal information; in essence, what companies (the responsible party) need to do to be compliant. Travel managers need to ensure that their travel suppliers are adhering to these conditions, and that they themselves are handling any personal information of their travellers (the data subject) with the utmost care. The conditions are as follows:
- Accountability: The company is to ensure that all conditions are complied with at the time of deciding the purpose of the information, the means of processing it, as well as during the processing itself.
- Processing limitation: Personal information must be processed lawfully, and must be limited to only the information relevant to the purpose for which it has been collected. Consent must be given by the traveller, and the company bears the burden of proof of that consent. The traveller can choose to withdraw consent or object to the collection of personal information at any time. If the traveller has objected, the company may no longer process that information, and would need to ensure that the supplier or service provider no longer processes it either. Personal information may only be collected from the traveller themselves, or from public record, or if it has deliberately been made public by the traveller.
- Purpose specification: Information must be collected for an explicitly defined purpose, in this case for travel. Companies would need to provide the travel buyer with all the specifics of what it will need the traveller’s information for. The traveller must be made aware of the purpose of collection, be it for visa requirements, booking of airline tickets and the like. Records may not be retained for any longer than is necessary, and the company must destroy them, or de-identify the traveller so that they can no longer be identified from the data, as soon as is reasonably possible.
- Further processing limitation: Further processing may only take place if it is in accordance with the purpose for which it was collected.
- Information quality: The company must take practicable steps to ensure the personal information is complete, accurate, and updated regularly, keeping in mind the purpose for which the information was collected.
- Openness: Documentation must be maintained by the company, and the traveller must be notified of what information is being collected and for what purpose, whether they have a choice to provide their information or not, the name and address of the company using the information, whether the company intends to transfer the information to a third party, and the level of protection afforded to the information. Travellers must also be made aware that they have a right to lodge a complaint with the Information Regulator, if they feel that their information has been inappropriately shared or handled.
- Security safeguards: The company must secure the integrity and confidentiality of personal information in its possession by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, or unauthorised destruction, as well as unlawful access to, or processing of, personal information. The company must identify reasonably foreseeable internal and external risks and safeguard against them. Regular verification of the effective implementation of safeguards must be done. In the case of a suspected breach, the responsible party must notify the Regulator, as well as the traveller. The notice must be communicated in writing to either the traveller’s last known physical or postal address or email, published in news media, or placed in a prominent position on the responsible party’s website. The notice must include sufficient information for the data subject to take protective measures against the potential consequences of the compromise.
- Data subject participation: A traveller may request the company to confirm whether or not it holds personal information about them, and may request a record of that information, which may include information about the identity of all third parties who have, or have had, access to the information. A traveller may request the company to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. The company must notify the traveller that action has been taken as a result of the request.
Do you have any specific POPI-related questions? Email firstname.lastname@example.org