Saying "I Don't": the requirement of data subject consent for purposes of data processing and marketing - Ina Meiring, Werksmans Attorneys
Saying ‘I Don’t’: The requirement of data subject consent for purposes of data processing and marketing Ina Meiring
PURPOSE To promote the protection of personal information processed by public and private bodies; to introduce [information protection principles] certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information [Protection] Regulator; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic.
DEFINITIONS "data subject" means the person to whom personal information relates; "processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as blocking, degradation, erasure or destruction of information;
DEFINITIONS "responsible party" means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information POPI applies to the processing of personal information - entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non- automated means, it forms part of a filing system or is intended to form part thereof; and where the responsible party is— domiciled in the Republic; or not domiciled in the Republic, but makes use of automated or non-automated means that are situated in the Republic, unless those means are used only to transfer personal information through the Republic.
PERSONAL INFORMATION "personal information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to— (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
PERSONAL INFORMATION … (d) the blood type or any other biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
CONDITIONS FOR LAWFUL PROCESSING (8PRINCIPLES) Principle 1: Accountability The responsible party must ensure that the [principles] conditions and all the measures that give effect to [the principles] such conditions, are complied with.
PROCESSING LIMITATION (2) Lawful, minimal (adequate, relevant and not excessive) Only if – the data subject consents to the processing; processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; processing complies with an obligation imposed by law on the responsible party; processing protects a legitimate interest of the data subject; processing is necessary for the proper performance of a public law duty by a public body; or processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
PROCESSING LIMITATION (2) Personal information must be collected directly from the data subject, unless - the information is public; the data subject has consented to the collection of the information from another source; collection of the information from another source would not prejudice a legitimate interest of the data subject; collection of the information from another source is necessary— to avoid prejudice to the maintenance of the law by any public body; to comply with an obligation imposed by law; for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; in the [legitimate] interests of national security; or to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied; compliance would prejudice a lawful purpose of the collection; or compliance is not reasonably practicable in the circumstances of the particular case.
PURPOSE SPECIFICATION (3) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. Steps must be taken to ensure that the data subject is aware of the purpose of the collection of the information Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless— (a) retention of the record is required or authorised by law; (b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities; (c) retention of the record is required by a contract between the parties thereto; or (d) the data subject has consented to the retention of the record.
FURTHER PROCESSING LIMITATION (4) Further processing of personal information must be in accordance or compatible with the purpose for which it was collected To assess whether further processing is compatible with the purpose of collection, the responsible party must take account of— the relationship between the purpose of the intended further processing and the purpose for which the information has been collected; the nature of the information concerned; the consequences of the intended further processing for the data subject; the manner in which the information has been collected; and any contractual rights and obligations between the parties.
INFORMATION QUALITY (5) The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary. In taking the steps referred to the responsible party must have regard to the purpose for which personal information is collected or further processed.
OPENNESS(6) Must notify the Regulator The responsible party must take reasonably practicable steps to ensure that the data subject is aware of— the information being collected; the name and address of the responsible party; the purpose ; whether or not the supply of the information by that data subject is voluntary or mandatory; the consequences of failure to provide the information; any particular law authorising requiring the collection of the information; and further information such as the— recipient or category of recipients of the information; nature or category of the information; and existence of the right of access to and the right to rectify the information collected, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
OPENNESS(6) The steps must be taken— if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
OPENNESS(6) It is not necessary for a responsible party to take the steps required if— the data subject has provided consent; non-compliance would not prejudice the legitimate interests of the data subject; non-compliance is necessary— to avoid prejudice to the maintenance of the law by any public body ;to enforce a law imposing a pecuniary penalty; to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or in the interests of national security; compliance would prejudice a lawful purpose of the collection; compliance is not reasonably practicable in the circumstances of the particular case; or the information will not be used in a form in which the data subject may be identified; or be used for historical, statistical or research purposes.
SECURITY SAFEGUARDS (7) A responsible party must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent— loss of, damage to or unauthorised destruction of personal information; and unlawful access to or processing of personal information.
SECURITY SAFEGUARDS (7) The responsible party must take reasonable measures to— identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control; establish and maintain appropriate safeguards against the risks identified; regularly verify that the safeguards are effectively implemented; and ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
Operators A responsible party must ensure that an operator which processes personal information for the responsible party establishes and maintains security measures (a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party) The processing of personal information by an operator on must be governed by a written contract between the operator and the responsible party, which requires the operator to establish and maintain confidentiality and security measures to ensure the integrity of the personal information. If the operator is not domiciled in the Republic, the responsible party must take reasonably practicable steps to ensure that the operator complies with the laws, if any, relating to the protection of personal information of the territory in which the operator is domiciled.
Notification of security compromises Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party, or any third party processing personal information under the authority of a responsible party, must notify the— Regulator; and data subject, unless the identity of such data subject cannot be established.
DATA SUBJECT PARTICIPATION (8) A data subject has the right to— request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information— (i) within a reasonable time; (ii) at a prescribed fee, if any; (iii) in a reasonable manner and format; and (iv) in a form that is generally understandable.
DATA SUBJECT PARTICIPATION (8) A data subject may request a responsible party to— correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain. A responsible party must— (a) correct the information; or (b) destroy or delete the information
UNSOLICITED ELECTRONIC COMMUNICATION The processing of personal information for the purpose of direct marketing by means of any form of electronic communication is prohibited unless the data subject has given consent to the processing, or is a customer of the responsible party. A responsible party may approach the data subject (not the customer) once in order to obtain the consent. “Consent” means any voluntary, specific and informed expression of will in terms of which a data subject agrees to the processing of personal information relating to him or her. Opt-in provisions are arguably more protective of a data subject’s rights than opt-out provisions. Responsible parties should make use of both options to make sure that the data subject understands and knows what he or she is consenting and objecting to.
UNSOLICITED ELECTRONIC COMMUNICATION If a customer, may process – if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service; for the purpose of direct marketing of the responsible party’s own similar products or services; and if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details— at the time when the information was collected; and on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
UNSOLICITED ELECTRONIC COMMUNICATION Any communication for the purpose of direct marketing must contain— details of the identity of the sender or the person on whose behalf the communication has been sent; and an address or other contact details to which the recipient may send a request that such communications cease.
NON-COMPLIANCE Any person may submit a complaint to the Regulator Investigate Act as conciliator/secure a settlement Refer to a regulatory body Enforcement notice Right of appeal (High Court) Civil remedies: damages, aggravated damages, interest and legal costs.
OFFENCES Failure to comply with enforcement notice False statements by witnesses Penalties: fines and imprisonment Administrative fine (R1 million)