In this post we will look at certain interrelated, but distinct requirements of two of the conditions for lawful processing of personal information necessary for POPI Act compliance. One could say that these are some of the minimum requirements for POPI Act compliance. They are:
- the requirement of “consent” contained in “condition 2: processing limitation”, and
- the requirement of “collection for a specific purpose” contained in condition 3.
We will show that all businesses, big and small must comply perfectly with these requirements as they are two requirements which are not subject to the defence of compliance not being “reasonably practicable”, which will also be briefly discussed.
Brief recap of definitions in the POPI Act
In previous blogs in this series on compliance with the POPI Act we have looked at the definition of personal information and also what is meant by “processing“. We also suggested a DIY method to get you on your way to understanding exactly how your company or organisation processes personal information as a first step towards POPI Act compliance.
It is important to understand how personal information is processed by your company so that you can ensure that the manner in which it is processed complies with the “conditions for lawful processing of personal information”.
Before we launch into this, here is a brief recap of some things covered in previous blogs:
- “data subject” is defined in the POPI Act as “the person to whom personal information relates”
- “processing” is very broadly defined in the POPI Act and can be construed to mean just about anything that one could possibly dream of doing with personal information and includes collection, storage, use and destruction
- “responsible party” is the person who “… determines the purpose of and means for processing personal information”.
Before we compare the two requirements discussed above it it important to understand the concept or the defence of when compliance with the requirements of the POPI Act is not “reasonably practicable”.
The concept of “reasonably practicable” when is POPI Act compliance not necessary?
The crux of this defence is that for certain companies and organisations it is just not reasonable, practical or sometimes even possible to achieve perfect compliance with the POPI Act. The POPI Act acknowledges that the burden of compliance could put some smaller companies out of business and so in the instances where the POPI Act provides for the qualification of “reasonably practicable”, perfect compliance is not required. However, such imperfect compliance must be reasonable as judged by an objective third party. We will develop this concept further in future posts, but for now, consider a medical scheme, its resources and the type of personal information that it processes, versus a corner cafe, its resources and the type of personal information that it processes. They are in different leagues and the POPI Act takes this into consideration.
The subtle difference between the requirements of the two conditions
The aspect of consent provided for in condition 2 relates to all processing of personal information. Consent obtained must therefore cover all the ways in which personal information is to be processed or used. “Consent” is defined in the POPI Act as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.” Therefore, companies and organisations must ensure that any processing of personal information is only undertaken with the permission of the data subject. And obviously, there should be some record of this permission having been given.
Significantly, this requirement is not subject to the defence that the failure to obtain consent was not reasonably practicable. The only times that it is not necessary to obtain the consent of a data-subject for the processing of personal information are strictly defined, namely:
- the processing of the personal information is necessary to carry out the obligations of a contract to which the data subject is a party
- the processing complies with an obligation imposed by law on the person processing personal information
- processing protects a legitimate interest of the data subject
- processing is necessary for the proper performance of a public law duty by a public body
- processing is necessary for pursuing the legitimate interests of the holder of personal information.
This list is a fixed and finite list and therefore the grounds that a party may rely on for processing personal information without the consent of the data-subject are limited to this list and not the more open ended requirement of reasonableness.
The difference between the requirement for consent in condition 2, and the requirement in condition 3 “purpose specification” is that the requirement for consent relates to all the ways in which personal information may be used or processed, while the requirement of “purpose specification” relates to only one manner of processing, namely “collection”. It states “personal information must be collected for a specific, explicitly defined and lawful purpose related to a function of activity of the responsible party”. This condition is not subject to any defence of reasonable practicality, and significantly its effect is not mitigated by a list of specific circumstance circumstances for when compliance is not necessary. The other requirements in the POPI Act may be subject to the defence of compliance not being reasonably practicable, but all companies and organisations must at least ensure that the requirements discussed in this blog are complied with as these are requirements that are not subject to that defence.
It must be noted that this blog is not legal advice. Should you wish to understand:
- the implications of the POPI Act on your business or organisation,
- which provisions must be perfectly complied with,
- which provisions may be less than perfectly complied with,
- the extent of non-compliance that is permitted by the POPI Act for your business, as well as
- the impacts of the POPI Act on your privacy policy, contracts and operations,
we recommend that you contact your attorney.