PoPIA Compliance: The Use and Processing of Data
The Protection of Personal Information Act (PoPIA) came into effect on the 1st of July 2020. A grace period of 12-months was stipulated, meaning that all businesses must meet compliance standards by the 1st of July 2021. The purpose of the Act is to prevent the misuse of personal information pertaining to individuals and entities. With various stringent regulations that must be adhered to, organisations are hard pressed to ensure compliance. A critical element of the Act is the lawful use and processing of data.
While many large corporates have the budget required to put compliance measures in place, many smaller businesses simply cannot afford this approach. Yet they will still face severe penalties for non-compliance. With the knowledge that ignorance of the law is no excuse, Impressions Signatures embarked on a PoPIA Campaign that provides relevant information about the Act, free of charge.
“There are serious penalties for non-compliance, and we want to ensure that organisations have the relevant tools to assist them in realigning operations where needed to comply with the Act. Especially in a time of global economic uncertainty, small businesses need support,” explains Carrie Peter, Solution Owner at Impression Signatures, a local provider of eSignatures.
One of the areas of compliance that is strictly stipulated within PoPIA Data Processing. This term refers to any and all operations or activities pertaining to the use of personal information, including three different areas of data processing: the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use of the personal information; the dissemination of personal information by means of transmission, distribution or any other form utilised in making the data available; and the merging, linking, restriction, degradation, erasure or destruction of the personal information.
Understanding what data processing entails is the first step in complying with regulations. Processing involves everything to do with the use of the data, which is obtained with consent; from when the organisation obtains the information to when the information is destroyed when no longer needed. This means that processing data covers the entire lifecycle of the information within the organisation from start to finish. When the information needs to be destroyed is linked to when the information is no longer needed for its relevant purposes, as well as, to when it is required by law to do so. The impetus is on the organisation to research and understand the laws regarding the length required for obtaining certain data as this varies according to the type of data and its use. For example, there are types of financial data that can be stored for up to five years, and some medical information that is required by law to be stored for up to 18 years.
Peter explains that PoPIA outlines eight conditions for data processing compliance. The first of these is accountability. The organisation holds the responsibility for compliance and must prove compliance with the requirements outlined by the Act.
The second condition is processing limitation, which stipulates that all data must be obtained directly from the data subject with the required consent. The data subject should know what the data will be used for and give consent for third party use. Only the most essential information should be obtained.
The third is that data must be purpose specific, requiring that the organisation not obtain additional or irrelevant data. The purpose and reason for obtaining the information should be made explicit, and the processing of the data for its purpose must be well documented.
The fourth condition is the further processing limitation, which inhibits the organisation from processing the information for a secondary purpose. This is only allowable if it can be proven that the secondary purpose is compatible with the original intent for the data.
Information quality is the fifth condition, and this pertains to ensuring that the information obtained is correct, complete and in no way misleading.
The sixth condition is openness. In addition to the data subject providing consent and being informed of the purpose for the data, the name and number of the responsible individual within the organisation must also be provided to the subject. The data subject must be informed that they have the right to complain to the Information Regulator if they suspect any misuse of the information.
Seventh is security safeguards, entailing the processes and strategies that must be put into place to ensure that data is kept private and secure. A risk assessment may be needed to evaluate processes and find suitable technological solutions and services that can assist in the storage and management of data.
The final condition is data subject participation. The data subject has the right to withdraw or change information at any time. They also have the right to request that the organisation show them what personal information about them is being held. The organisation does not have the right to refuse.
“Understanding these conditions and the further regulations as outlined by PoPIA will go a long way to ensure that organisations can rectify their operations and strategies, and implement data solutions that ensure complete compliance,” concludes Peter.
Issued by Perfect Word Consulting (Pty) Ltd
For more information, contact firstname.lastname@example.org
About Impression Signatures
Founded in 2011, Impression Signatures (an iOCO company) is the leading provider of e-signature solutions in South Africa. Our patented approach is locally created whilst committing to making this innovative technology available to the public enabling true social inclusion to fully realize digital transformation in South Africa. For more information, visit www.impression-signatures.com.