The Protection of Personal Information Bill (POPI) was passed by the National Assembly on 11 September and will be signed by the President before Christmas - but what is it? And how will it affect your business, and your individual rights?
The intention of POPI is to establish a regime for the protection of personal information in South African law, and to bring South Africa in line with international standards for the protection of personal information.
Once the Bill has passed the National Council of Provinces, and become an Act, businesses will have one year to become compliant. Andrew Marshall from Ellipsis Regulatory Solutions says: "This period can be extended to a maximum of three years by the Minister. In the light of South Africa's typically lax response to such occasions, I expect that the extension will be required."
What POPI means
POPI protects personal information by restricting how it can be collected and used, and sets out eight principles:
- Accountability: The responsible party, those who process the personal information, must ensure that all the principles and the measures are complied with.
- Processing limitation: This stipulates that processing must be done lawfully and in a manner that does not infringe the privacy of the individual, and that personal information can only be processed if the processing is adequate, relevant and not excessive, given the purpose for which it is to be used.
- Purpose specification: Personal information must only be collected for a specific purpose, and the individuals must be aware of the purpose of collection. In addition, records must not be retained for longer than necessary to achieve the purpose for which the information was collected or processed.
- Further processing limitation: Further processing must be compatible with the purpose of collection.
- Information quality: The holder of the data must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated when necessary. In doing so, the holder must take into account the purpose for which the information was initially collected.
- Openness: Steps are required to ensure that the data subject is aware of the personal information being collected and the purpose of collection.
- Data subject participation: The data subject can ask whether an organisation holds their private information, and what information is held. They may also request the correction or deletion of information which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
- Security safeguards: The responsible party must secure the personal information in its possession or under its control.
Specifically relating to the running of SMS marketing campaigns, direct marketers cannot use personal information for direct marketing unless they have the consumer's permission, and in the case of a direct marketing organisation, the consumer must have 'opted in'.
The consumer can opt in in one of two ways. Firstly, the consumer can give his or her explicit consent to receive direct marketing. This would ideally be obtained when the information is collected, but a direct marketer can also approach the consumer for consent later. If it does this, it can only approach the consumer once for consent.
As an aside, a direct marketer must get a consumer's contact details in the first place to approach the consumer for consent. Unless these contact details were in the public domain, e.g. a telephone directory, merely obtaining the contact details could be an infringement of POPI. For example, if a direct marketer received a list of individuals and their contact details from a company that collects and sells marketing information (a data vendor), the data vendor would itself have infringed POPI by passing the list on to the direct marketer, even if the direct marketer never actually uses any of the information contained in the list, unless the individual specifically consented to their information being passed on.
Secondly, if the consumer is a customer of the direct marketer (and not of anyone else) then the direct marketer can use their information for direct marketing ONLY if:
- The data was obtained in the context of the sale of a product or service, and
- The direct marketing will be in respect of the marketer's OWN similar goods/services, and
- The consumer has been given a reasonable opportunity to object to receipt of direct marketing both when the data was first collected and on each occasion when direct marketing is made to the consumer.
POPI makes provision for enforcement notices to be served on those infringing the data protection principles or the direct marketing provisions of POPI. Failure to comply with an enforcement notice is an offence, and on conviction may lead to a fine, up to 10 years in prison, or both.
Perhaps more seriously, if a data subject suffers any loss as a result of an infringement, the responsible person will be strictly liable for this loss. In other words, it does not matter if the responsible person was negligent, or acted intentionally in infringing POPI - if the infringement caused loss to the consumer, the responsible person is liable.
Marshall says: "As a result, SMS gateways must be careful to specify that they are not themselves conducting the direct marketing, but that their systems are being used by the direct marketer e.g. a retailer, bank or other institution. In other words they must ensure that they are mere conduits insofar as this is possible."
Consumer Protection Act
The provisions of POPI will be in addition to those set out in the Consumer Protection Act (CPA). Section 11 of the CPA allows consumers to pre-emptively block direct marketing by listing their contact details in a 'do not contact' registry. The registry is yet to be set up, but once it has been, the two Acts will interrelate:
A direct marketer will have to assume that a pre-emptive block has been registered, unless a consumer has expressly consented to receive direct marketing from that direct marketer. The direct marketer must first query the registry to make sure that no pre-emptive block has been registered before it can market to that consumer. Note that until it has done this, the direct marketer cannot send any communication to the consumer if the approach or communication is primarily for the purpose of direct marketing.
Applied to the provisions of POPI, a direct marketer will have to check the registry before it can even approach a consumer for consent to market to that consumer.
Even for its own customers, the direct marketer will have to check the registry unless the customer has expressly consented to receive direct marketing, even if the marketer has previously sold similar products or services to the consumer.
South Africans will have, for the first time, the right to privacy of their personal information in an enforceable way. It is going to be a period of change and uncertainty for many, but as organisations responsible for people's personal information we must all act responsibly, and uphold the reputation of businesses, as well as our partners who use our service.