What POPI means for retailers
What is personal information?
POPI provides a wide definition of personal information because it could include diverse forms of data, ranging from addresses, ID numbers, cellphone numbers, biometrics and even personal views on certain issues. It also differentiates between normal personal information, special personal information (such as information about health) and children's personal information - all of which have different rules that will apply to the processing of the personal information. There isn't a defined list of information that retailers are prohibited from collecting, but as a rule of thumb, any business should only collect what is necessary for it to achieve a specific purpose - which should be communicated to customers or potential customers.
A good example of that would be the use of ID documents to verify a customer's identity.
The retailer has to justify why he or she should be entitled to collect the information. For example, do they really need a copy of a customer's ID document, or is it sufficient for that customer to merely display the document? If they do not need a copy, why keep it? Even if they can justify why they need a copy of such a document, they should only use it for the purpose they originally collected it for, e.g. a credit check. Should they wish to use the information for any other purpose, they will need to notify the customer.
Customer's consent
Consent does not always have to be given in written format, as it will not always be practical to gain written consent. For example, if a supermarket has a lucky draw box on the counter where customers could place their till slip with a phone number to enter into the competition, they won't want a customer to fill in a lengthy permission form - but they will only be able to use the information for entry into the draw. Any other purpose will need to be specified explicitly. It is important to bear in mind what the expectation of the individual would be - what can the retailer use the information for?
Similarly, if customers have signed up for a loyalty programme, the retailer is entitled to track their purchases and use that information to promote products in the future based on buying behaviour - provided that it received consent to do so when the customer signed up, or notified the customer that the information would be used for that purpose.
Social media issues
Not all retailers' communication occurs in-store. Many retailers frequently communicate with their customers via social media platforms such as Facebook. Social media has meant that many customers make information publicly available. The fact that information has been made publicly available does not mean that POPI in its entirety will not apply. If the company wishes to collect data via its Facebook page, it would still be responsible for securing and protecting that data once it starts processing it, and it would still have to limit its use, disclosure and retention of that information in line with the purpose for which it collected it.
Naturally, security is a large concern for retailers, many of whom frequently receive and retain sensitive hard copy information, such as credit card slips. "Retailers would have to retrain their employees in preparation for POPI. There is not an exact list of specific measures to be implemented, but retailers would need to review their current processes and educate their staff about the importance of safeguarding personal information. For example, they would need to ensure their staff understand that items such as credit card details cannot be left in full view of anyone, but should be locked away. One needs to consider it from a practical point of view and educate staff members with reference to practical examples."
HR implications
POPI also has implications for future HR activities. These could include revising current policies and employee contracts. Although this may be a costly exercise, most retailers rightfully see the Act as a positive introduction to their systems. Most understand that the misuse of customer information will have serious reputational consequences. Moreover, it is necessary to create awareness among staff members of how they use personal information. Responsible use is key. The majority of retailers are eager to safeguard their customers' information and upgrade their security measures and policies accordingly - POPI has forced retailers to reconsider and improve existing processes.
The implementation of POPI is around the corner and retailers should launch a compliance project sooner rather than later.
Handy acronym
To memorise the basic requirements of POPI, use the CLAAP acronym:
- Consent: Organisations may only collect, use and disclose personal information with the knowledge and consent of the individual. (In some instances, organisations will be able to use personal information even though they have not received express consent, but mostly organisations will still need to notify the individual that the information has been collected.)
- Limited use: The collection of personal information is limited to what is necessary for the identified purposes and must be collected by fair and lawful means.
- Accountability: Retailers are accountable for protecting the personal information under their control and must ensure that adequate safeguards are in place.
- Access: An individual has the right to access his/her personal information, subject to legislated exceptions, and has the right to seek correction of information or the withdrawal of permission.
- Purpose: The purposes for the collection of personal information must be identified prior to or during the collection.