Cape Town – Personal data has become a must-have commodity and a new Act seeks to limit just how much personal data companies may share or retain.
The scenario is a common one that many South Africans experience: You get a call at the most inappropriate time; the caller knows your name and proceeds to try and sell you something.
When asked about where your details were obtained, the answers are often vague at best – usually citing some database of a company – one that you usually can’t check while you’re on the phone.
One of the responses to this kind of invasion has been the Protection of Personal Information Act, signed into law after several delays as industry players negotiated what constituted personal information.
Generally, the act seeks to protect privacy as guaranteed in the South African Constitution, and the law notes in its preamble that “the right to privacy includes the right to the protection against the unlawful collection, retention, dissemination and use of personal information”.
One of the most common ways that companies have been collecting personal data is by way of loyalty programmes, but the law prescribes that a clear distinction should be made on how this information should be secured.
“What Popi is aiming to achieve is for companies to classify their data and determine those elements that would fall into the Popi category. They would then need to go through the process of protecting or securing that data to meet this regulation,” Andrew Kirkland, regional director for Trustwave Africa, told News24.
Trustwave is a security company that specialises in helping organisations fight cybercrime by, among other things, conducting ethical intrusions and monitoring to ensure data fidelity.
The act prohibits the collection of information for the purposes of resale or trade, and also instructs those with access to personal data to ensure that the subject is aware thereof.
“Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party,” the law says.
This would, for example, prohibit so-called raffles that record personal data which is then sold to third parties who can call or e-mail people with “special offers” or insurance products.
However, while different company departments may share data, the law takes a dim view of sharing data between subsidiaries.
“If by divisions you mean subsidiaries then this may be more of a challenge since I would expect that you would still need to get permission to use this information from the customer. I suspect the regulator will have to make a call on this if it’s not that clear,” Kirkland explained.
However, the regulator has not yet been appointed in terms of the legislation and it is therefore unclear how companies that flout the law will be penalised.
The act requires that personal data be deleted once the objective has been achieved, and if statistical information derived from the data is required, the subjects must be informed and their consent requested.
Kirkland said that the appointment of a regulator to manage compliance is key to ensuring that Popi pays more than lip service to the protection of personal information in SA.
“We are waiting for the regulator to be appointed to get a better understanding of this [company accountability]. Non-compliance will at some point be penalised but to what extent can only be speculated at this point.”