I made use of a company on one occasion and do not actually need their services in future. However, I am worried about the personal information which I provided them in the course of my dealings. I do not want them to share my information with advertisers or sell it to another company. How does the law protect me?
The fundamental legislation regulating this issue is the Protection of Personal Information Act 4 of 2003 (“POPI”) which, as the title suggests, regulates the processing of personal information in order to protect individuals’ constitutional right to privacy. The Act is not yet in force, even though it was signed into law on 19 November 2013. However, once POPI comes into effect, all public and private bodies that process (collect, store, transmit, alter, delete, etc.) personal information will have 1 year to comply with the requirements of the Act.
POPI requires that all personal information be processed on the basis of core principles, failing which the processing of personal information will be unlawful. The Act requires accountability from all private and public bodies which process personal information. The Act further allows only limited processing of personal information, i.e. the processing must be reasonable, lawful and minimal. In other words, personal information may only be processed where this is relevant to the purpose for which the information was collected, and the processing must not be so excessive as to infringe the privacy of the individual.
Furthermore, the information must be collected only for a “specific, explicitly defined and lawful purpose that is related to a function or activity”. The private or public bodies which process personal information must also take reasonably practical steps to ensure that the personal information is “complete, accurate, not misleading and updated where necessary”.
Importantly, POPI requires that you be notified every time your personal information is collected and you must be informed of the purpose thereof. An individual may also enquire whether an organisation has collected any of their personal information. You may then further request a record of this information, or request that such personal information be corrected or even deleted.
The most important requirement under POPI is that an organisation must keep an individual’s personal information secure. Therefore, the organisation must prevent loss of or damage to the personal information as well as prevent unlawful access thereto. Where someone accesses this information unlawfully, the organisation is under a duty to report this. POPI goes so far as to provide that an organisation may not, for example, outsource a business function without a written agreement whereby the third party agrees to adhere to the above conditions.
Organisations which do not comply with POPI commit an offence, for which an administrative fine may be imposed on them or the information officer of that organisation may be imprisoned. The fines may not exceed R10 million and imprisonment may not exceed 10 years.
It is evident that POPI goes to great lengths in an attempt to safeguard the privacy of individuals. Naturally, this means that great obligations are placed on organisations to lawfully process personal information.
Should you wish to know more about the rights and duties of individuals and organisations under POPI, contact our offices.