Protection of Personal Information (POPI) Act


Personal Information: Four key areas to be aware of…

Personal information is everywhere. It is almost impossible to do business these days without collecting the personal information of customers, suppliers, and employees. Personal information is collected in many ways, and to an ever-increasing extent online, through contact forms, email, and the creation of online profiles. The Protection of Personal Information Act of 2013 (POPI) – when it becomes fully operative – will regulate the collection, storage, and dissemination of personal information. Businesses must ensure that the necessary consents for the collection, storage, and dissemination of personal information are obtained. But first, businesses will need to be clear that what they are collecting is in fact personal information.

So, what is personal information? Personal information includes, among other things, the following:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, belief, culture, language, and the birth of the person;
  • information relating to the education or the medical, financial, criminal, or employment history of the person;
  • the e-mail address, physical address, and telephone number of the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

There are four key areas of collection of personal information that businesses need to be aware of:

  1. Market research via direct marketing

Collecting personal information is big business. Understandably, businesses can profitably make use of this information to market their products or services. Many businesses undertake research as regards prospective customers by, among other things, accessing information already available in the public domain (for example, through publicly accessible social media platforms and websites) as well as obtaining contact information in respect of potential customers (for example, from a company switchboard). The personal information is then captured and stored to be used for purposes of direct marketing. The business then reaches out to these persons via personalised or mass-generated emails and/or via telephone calls. This is all personal information. Even the personal information of persons who have indicated that they do not wish to be contacted again via direct marketing is required to be stored for a certain period of time.

  2. Online

As noted, most businesses these days also collect information from their clients and customers via their websites. For example, most e-commerce stores require users to complete a profile of themselves, containing personal information. If you collect personal information from your clients or customers, make sure that they are made aware of this in clear and express terms, and make sure that you provide that they expressly consent to the collection, sharing, and storage of such personal information. This can be achieved by introducing such consents into the business’s online terms and conditions.

  3. Employment Agreements

A third significant source of personal information that businesses collect, store, and disseminate is that of their employees and prospective employees. Employment agreements (including both permanent and fixed-term employment agreements), as well as independent contractor and consultancy agreements, need to have the requisite provisions in place as regards the collection, storage, and dissemination of the personal information. Similarly, any application forms that are used for application purposes will need to contain similar provisions (even if the person never becomes an employee of the business).

  4. Service Level Agreements

Service level agreements (or ‘SLAs’) are a common source of personal information that businesses collect, store and disseminate. These will contain information about customers or third-party service providers. Customer-facing service level agreements and third-party supply agreements need to have the requisite provisions in place to ensure that consent is provided to collect, store, and disseminate this information.

It is critical that businesses are alive to the personal information being collected, stored, and disseminated via market research, online browsing, employment agreements, customer-facing service level agreements, and third-party supply agreements, and ensure that the requisite approvals are in place from data subjects. The collection, storage, and dissemination of all of this personal information will need to comply with the requirements of POPI.

Information courtesy of Cliffe Dekker Hofmeyr (CDH)