8 Requirements of POPI
POPI (the Protection of Personal Information Act) sets out 8 minimum conditions that businesses must meet whenever they process personal information relating to employees or customers.
These conditions govern how employee information is processed in the business, including job applications in the recruitment and selection process, employment records, and workplace monitoring of internet, telephone and e-mail use.
1. Accountability
The business is accountable for complying with the measures prescribed in the Act. The obligation to process personal information lawfully cannot be contracted out by outsourcing the processing to a third party. The business remains responsible and liable from the time the information is first processed until it is deleted.
This condition protects the legitimate interests of the data subject by placing responsibility for the security of their personal information squarely on the business.
2. Processing Limitation
Businesses may collect only the minimum personal information required for their purpose. The consent of the data subject is required as a general rule, and obtaining it ensures that the data subject is aware that their personal information is being processed, for what purpose, and what type of information is involved. Personal information must also, as a rule, be collected directly from the data subject, which further supports its accuracy.
The recruitment process illustrates the processing limitation condition. The business may access only information that is relevant to the application; collecting a job applicant's banking details at the application stage, for example, cannot be justified. Application documents should also be held centrally and deleted once the requisite retention period has passed.
3. Purpose Specification
Personal information must be collected for a specific, explicitly defined and lawful purpose, and must not be retained for longer than that purpose requires unless further retention is lawful. In short, processing must be necessary and proportionate. This condition therefore ensures that processing is carried out in the least intrusive manner, taking into account the security risks that retaining information creates.
4. Further Processing Limitation
The business must not process personal information in a manner that is incompatible with the purpose for which it was collected. In general this rules out any secondary use of personal information beyond the original purpose, including disclosure or transfer to third parties for an incompatible purpose.
5. Information Quality
The business must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and, where necessary, kept up to date. This condition is easier to satisfy when the business is clear about the purpose for which the information is processed, since the purpose determines which information must be kept accurate and current.
6. Openness
The business must ensure that the data subject is aware of the relevant matters surrounding the collection of their personal information. This means informing the data subject of the purpose of the collection and of the "destiny" of the personal information, in other words where it will go and who will receive it.
7. Security Safeguards
The business must secure the integrity and confidentiality of personal information in its possession by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of the information, and unlawful access to or processing of it. To do so, the business must
- Identify all reasonably foreseeable internal and external risks to the personal information in its possession;
- Establish and maintain safeguards, such as access controls and authentication, that restrict internal and external access to what is necessary;
- Regularly verify that the safeguards are effectively implemented; and
- Update the safeguards in response to new risks or identified deficiencies.
8. Data Subject Participation
The data subject is entitled to
- Confirmation of whether the business holds personal information about them, and a description of that information;
- Request the identity of the recipients of their personal information; and
- Request the deletion or correction of their personal information.
This participation gives the data subject some measure of influence over the processing of their personal information. The condition also builds the data subject's confidence in the business and in the security of their personal information.
It is critical that businesses are aware of these minimum threshold requirements, as non-compliance carries heavy penalties. Meeting the conditions requires a review of business operations and of how personal information is processed at every stage.