Legal expert sheds light on POPI Bill

Some internet forums describe the Protection of Personal Information Bill (POPI) as requiring consent to process information in each and every situation, which is incorrect.

According to Jana van Zyl from legal firm Dommisse Attorneys, consent is one of the requirements set out in Section 11, but it's not as simple as stating that every business needs express permission from the data subject to process personal information in all circumstances. "A credit provider will for example be entitled to collect on outstanding debt - whether they have the customer's explicit consent or not. The Bill makes provision for justification grounds to process personal information over and above consent - one of these is if the processing is in the 'legitimate interest' of the responsible party."

Van Zyl says that the Bill does not implicitly define what a 'legitimate interest' might be, but that this will require a balancing act where the responsible party will need to consider its legitimate interests for processing against the rights and expectations of the data subject. If the processing is fair in the circumstances, the processing should be allowed. But responsible parties should take care not to try and use this justification ground in circumstances where the processing is clearly unfair.

Emphasis is on purpose

"Responsible parties should also bear in mind that POPI places emphasis on purpose. If information is collected for a specific purpose - such as debt collection - it should not be used for any other purpose not linked to the purpose for which it was collected. An example would be to also use it for creating a database for sale to list providers. The data subject should be informed for which purposes that information collected will be used. In short, POPI doesn't stop businesses from collecting and processing information, but it does regulate the use of that information."

Van Zyl also does not believe that the legislation will impact the growing business process outsourcing industry in South Africa negatively. "Actually, foreign investors might see this as a positive development," says Van Zyl. "A good deal of privacy legislation deals with the trans-border flow of information, i.e. foreign privacy legislation prescribes that information can't be freely shared across borders without applying any rules. Some foreign companies have legislation in their own countries stating that the general rule is that they may only share information with countries that have adequate data protection, and improving our privacy legislation is in line with that. Our own legislation will do the same - limit the cross-border processing of information."

Difficult job

Van Zyl emphasises that training staff will be more important than ever before. "Call centre operators have a difficult job. They have to listen to complaints, and work with difficult customers, and often they are not adequately trained to deal with these complaints. The temptation may be there to vent about it on social media or to others. But there are restrictions on what call centre workers can and can't disclose about the calls they take. I always advise clients that they will have to review their HR policies and regulate the use of social media contractually. Train your staff and discuss the possible legal implications sooner rather than later."

Although gaining legal advice is essential, there is no quick fix to becoming compliant, Van Zyl says. "You cannot simply have a session with a consultant and change your policies overnight to become compliant. Becoming and remaining compliant will be an ongoing project. Partner with a legal advisor that can assist you every step of the way."
