How do the rules of POPI apply to companies making use of Twitter, Facebook and other platforms as part of their business operations?
The Protection of Personal Information Act (POPI) was signed into law in November 2013 and will commence on a date to be published in the Government Gazette. This Act is forcing many companies to rethink the way they collect, store and use personal information of their customers, prospects and employees. Of course, no medium has greater access to personal information than social media. But how do the rules of POPI apply to companies making use of Twitter, Facebook and other platforms as part of their business operations?
"It is important to understand that POPI does not only apply to 'customers' information'. The 'data subject' - as the Act refers to the person whose personal information is being processed - also includes, for example, what we call a 'prospect' - the person who is not your customer yet, but may become your customer in future - the one that you want to market to."
Social media platforms like Facebook and Twitter have their own rules of use that apply. "Information collected via social media channels is not as a rule 'exempt' from the rules of POPI," says Jana Van Zyl, Senior Partner at Dommisse Attorneys. "This information will still need to be handled and obtained in a responsible manner - as you would, had you gathered the information via email or fax or in person."
The exception to the rule
There is an exception to the rule that both consumers and companies should be made aware of, however. "The general rule of POPI is that information must be collected from the data subject directly," says Van Zyl. "This means that if you want to process my information, you should collect it directly from me. However, there is an exception to this rule saying that you do not need to collect information directly from a person if the person has made the information publicly available and accessible. This doesn't mean that the rules of POPI won't apply to the information once it's been collected. Our advice would still be to secure the information as part of usual security measures implemented for information received through non-public sources - especially bearing in mind that in terms of POPI, should information be lost or should a security breach occur, they will be required to notify both the data subject and the Regulator."
Van Zyl acknowledges that the Act does not define security breaches as such. "Some forms of security breaches are obvious. A stolen laptop containing customer information is a clear security breach. But what about something like a bounced email? I have heard someone viewing this as a security breach. Or what about an email addressed to the incorrect 'Jana', for example? This may be somewhat more of a grey area - can we say for certain that it's cause for alarm? POPI states that companies must protect the 'confidentiality and integrity' of personal information. However, there is no tick list of the requirements per se, and so in this regard, we advise companies to do so in the spirit of that rule. Companies should consider acceptable industry standards. It may also be advisable for responsible parties to define security breaches and train employees on the required action, should a security breach occur."
POPI is not alone
Van Zyl also advises companies that POPI is not the only legislation pertinent to social media. "Let's say that a company collects information via a competition on Facebook. The rules of the competition will come into play, also the contractual agreement between the company and the social media platform, as well as the laws of the country from which the social media platform operates. POPI, for instance, may require that companies destroy information collected for a specific purpose (e.g. notifying the winner of the competition) once that purpose has been achieved. But on the other hand the Consumer Protection Act (CPA) may require the company to store that information for three years...POPI won't override existing legislation in this regard. When a law requires information to be retained for a specific period, that retention period still needs to be implemented. So there are many different rules at play that companies should be aware of."
"It is also important to understand that individuals do have the right to receive a record of the information that a company holds on them - this could include the source from which the information was obtained, with whom it has been shared, and of course details of the contact details."
Information obtained by hacking would be problematic
Of course, social media platforms aren't fail-proof in terms of security. Facebook, Twitter and, most recently, Snapchat have all been subject to hacking, revealing millions of consumers' personal information. Van Zyl says that a hack does not mean companies are free to collect information that people may otherwise not have made publicly available. "In terms of POPI, information must be collected in a lawful manner - I would certainly advise that information obtained due to any form of hacking should not constitute 'lawful' processing under POPI."
Van Zyl advises any company that wishes to start collecting information via social media to familiarise itself with both the POPI Act and the platform rules before using the information or launching any campaigns through the platforms. "Read the terms and conditions of the platform very carefully, and compare that to the requirements that POPI has set out. Always make sure that all the bases are covered and err on the side of caution when it comes to protecting your customers' (or other 'data subjects'' - such as 'prospects'') personal information once it has been collected."
And when you are not sure, call your lawyer!