Lize de la Harpe – Senior Legal Advisor at Sanlam
Introduction
In July 2021 the Association for Savings and Investment South Africa (“ASISA”) issued guidelines for its members who are responsible parties as defined in the Protection of Personal Information Act, 2013 (“POPIA”), to assist them in implementing POPIA (hereinafter referred to as “the Guidelines”).
These Guidelines have recently been updated. In this article we will do a quick recap and then look at the updates.
Codes of conduct in terms of chapter 7 of POPIA
As we all know, the processing of personal information is diverse and extends across many different sectors. For this reason, POPIA makes provision for the establishment of codes of conduct that will govern the processing of personal information within defined sectors.
A code of conduct can apply to a specific body, a specific class of information, a specific activity or a specific industry or profession. The Regulator may issue a code of conduct of its own accord (but after consultation with affected stakeholders) or on the application of a body representative of an industry, profession, or vocation as defined in the code.
All codes of conduct must:
- incorporate all the Conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions; and
- prescribe how the Conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular features of the sector or sectors of society in which the relevant responsible parties are operating.
It’s clear from the above that the issuing of codes of conduct does not mean that a particular sector will have more flexibility in respect of how it processes personal information. The intention is merely to give responsible parties operating within specific sectors governed by such codes of conduct clearer guidance on how to process personal information lawfully.
The updated Guidelines
As mentioned above, ASISA first published its Guidelines in July 2021. Since then, the Regulator has issued several guidance notes, and we continue to see media coverage reporting on serious security breaches.
ASISA has now published its updated Guidelines on the protection of personal information with the aim of assisting its members in implementing POPIA.
The updated Guidelines expand significantly on certain aspects, the most notable of which are the following:
Accountability – section 8
Responsible parties are accountable for compliance with POPIA. As such, section 8 requires a responsible party to ensure that the conditions for lawful processing (and all measures that give effect to such conditions) are always complied with.
The Guidelines suggest that entities have appropriate measures and evidence in place to be able to demonstrate their compliance. In addition, an accountability framework which includes a checklist against which to measure compliance is encouraged.
Consent – section 11(1)(a)
Consent in the context of POPIA remains a widely misunderstood concept with many believing it is always required. A much-welcomed addition to the Guidelines is the expansion on the concept of consent. It makes it clear that consent is merely one of the grounds for lawful processing.
Legitimate interest – sections 11(1)(d) and 11(1)(f)
Section 11, which sets out the conditions for lawful processing, includes processing of personal information for the protection of the legitimate interest of the data subject as well as the legitimate interest of the responsible party or of a third party to whom the information is supplied.
POPIA does not define “legitimate interest”. The Guidelines now include guidance on what may be considered when determining whether or not you meet this requirement. They also suggest documenting the circumstances on which you relied to justify your reasoning.
Collection directly from data subjects – section 12
Section 12 states that personal information must be collected directly from the data subject, unless one of the exceptions applies. One of these exceptions is where the information is contained in or derived from a public record or has deliberately been made public by the data subject.
POPIA does not define the concept of “deliberately been made public”. The Guidelines now offer guidance on interpreting this concept as well as considerations to bear in mind when determining whether this requirement has been met.
Retention of records – section 14
Section 14 sets the requirements for the retention and restriction of records. It states that records of personal information may not be retained for any longer than is necessary for achieving the purpose for which the information was collected, unless certain conditions apply.
The Guidelines now expand on what to consider when determining appropriate time limits for keeping records as well as the importance of weighing up the risks for the data subject against the potential future use of such records.
Further processing – section 15
Section 15(1) states that further processing of personal information must be in accordance or compatible with the original purpose of collection.
To put it differently, responsible parties may only process personal information for another (further) purpose if such processing is compatible with the original purpose for which it was collected.
The Guidelines suggest conducting a compatibility assessment to decide whether or not a new purpose is compatible with the original purpose and provide guidance as to what factors to consider.
Openness – section 18
Responsible parties must be transparent about their reasons for obtaining personal information and must ensure that what they do with the information is in line with the reasonable expectations of the data subject. Accordingly, section 18(1) states that, when personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of, inter alia, the information held, who holds it, the purpose thereof and who it has been shared with.
The Guidelines make certain suggestions as to how and in what form to ensure that data subjects are aware of the entity’s Privacy Notice.
Joint responsible parties
Interestingly, the Guidelines now include reference to “Joint Responsible Parties”. As you may know, POPIA does not refer to (or define) this term. In fact, this term originates largely from the General Data Protection Regulation (GDPR), which includes the concept of “joint controllers”, i.e. parties who jointly determine the purposes and means of processing.
Nevertheless, the Guidelines provide examples of where you may be considered to be a “joint responsible party”.
Operators – sections 20 and 21
Section 1 of POPIA defines an “operator” as the person (natural or juristic) who processes personal information for a responsible party in terms of contract or mandate, without coming under the direct authority of the responsible party.
The Guidelines now include significantly expanded guidance on who will qualify as operators, when you may be regarded as both an operator and a responsible party, as well as the requirements for the agreement between the responsible party and the operator.
Notification of security compromises – section 22
Where there are reasonable grounds to believe that personal information has been accessed by an unauthorised person, the responsible party must notify the Regulator and the data subject as soon as reasonably possible after the compromise.
The Guidelines include suggestions on the platforms to be used to notify data subjects as well as useful examples of what will be regarded as a security compromise for the purposes of section 22.
Special personal information – section 26
In essence, POPIA distinguishes between three categories of personal information, i.e. personal information in general, special personal information and personal information of children.
Section 26 creates a special category of personal information called “special personal information”, the processing of which is afforded a higher degree of protection than the processing of general personal information. The processing of special personal information is prohibited unless one of the exemptions set out in section 27 applies.
The Guidelines encourage responsible parties to take note of the Regulator’s Guidance Note on Processing Special Information (published in June 2021).
Electronic direct marketing – section 69
Section 1 defines “direct marketing” as approaching a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
- promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
- requesting the data subject to make a donation of any kind for any reason.
Section 69(1) states that the processing of personal information for the purpose of direct marketing by means of any form of electronic communications, including automatic calling machines, fax, SMSs or e-mail, is prohibited unless certain conditions are met.
The Guidelines expand significantly on the requirements for direct marketing and offer guidance on what to consider when embarking on direct marketing campaigns. Interestingly, they now also include a new section titled “Cookies” which offers guidance as to what this entails, having regard to international guidelines.
Conclusion
The Guidelines, which serve to enhance transparency about how POPIA may be applied in the savings and investment industry, are non-binding. Each ASISA member must ensure that they are compliant with the provisions of POPIA and/or any documents and guidance notes published by the Regulator.