POPIA GOES LEGAL
Today – July 1 – is the big day. The long-awaited Protection of Personal Information Act (POPIA) is now in full force and the numbers of emails popping into email boxes assuring us that our data is safe and will be used legally and respectfully are as common as, well, popcorn in a movie house if we weren’t on lockdown.
I’ve heard from our church, financial service providers, real estate agents, home décor newsletters … the list seems endless. But I also received a phone call from The Unlimited, an insurance company trying to peddle yet another unwanted policy.
When I asked from where they had obtained my details, I was told “the system” (even though the group’s website tells me I have a right to ask). When I started asking the caller if she even knew about POPIA and my right to tell her whether or not she could use my personal information, she “politely” ended the call mid-conversation.
Enough said. When it comes to protecting personal information, there is still a long way to go – something of which we should all be aware when handing over identity documents and phone numbers at entrance gates to business and residential estates and writing down contact details at restaurants once they are open again.
POPIA IS POPPING
“POPIA is still popping and applies during the pandemic. Consumers will benefit from POPIA’s requirements in that their personal information must be protected and can only be collected or handled where there is a lawful justification for doing so. Consumers are informed about what personal information is collected, by whom and why, so that consumers can make informed decisions,” says compliance officer for legal firm, Garlicke & Bousfield, Shannon Budhram.
Ros Lake, director of law firm Norton Rose Fulbright, explains that POPIA sets out the minimum requirements for those processing personal information. “Processing includes storing, transferring, accessing, merging, destroying, deleting and anything else you can think of when it comes to using personal information. Personal information is also very broad. It includes health information, opinions, private correspondence, fingerprints, criminal history and any other information that can be used to identify someone.”
But Ros warns that, when it comes to the information required to protect us from Covid, the right to privacy must be balanced against other rights such as the public interest and keeping people safe.
“However, these records should not be openly displayed, not be kept for longer than necessary and not be used for anything other than the purpose for which they were collected. That means, if you give your details to a restaurant to be contacted for Covid, they shouldn’t use this information to contact you for direct marketing or add you to their databases,” she explains.
Shannon goes on to explain that, in April 2020, the Information Regulator issued a Guidance Note on the processing of personal information for the management and containment of Covid-19. This not only outlined the limitations and the need to protect people’s right to privacy, but also addressed the provision of location-based data by electronic communication service providers to government to track data subjects during the management of Covid-19.
“In essence, the responsible party must always ensure that the spirit of the legislation is upheld even during a pandemic,” she says.
Although doing this would, at first sight, seem little more than common sense, it has taken some time for South Africa to catch up to first world countries where misuse of personal information has very real consequences and those who are responsible can actually be held accountable.
From today, POPIA will not only ensure that defaulters can face a fine or penalty for using your personal information without your permission, but that they can also be found liable for damages.
Every company is required to appoint an information officer who is responsible for protecting information within an organisation and can be held accountable for the use/misuse of any data that the company has about you.
This is not an easy task as this person can be fined or imprisoned if they do not perform their duties adequately. They are also not protected by their employer and can be held personally liable.
It also doesn’t stop there according to Shannon. From July 1, the Regulator can take enforcement action against responsible parties who are alleged to have interfered with the protection of personal information of data subjects.
“This does not prevent civil claims on top of that so, in addition to facing any fine or penalty in terms of the enforcement process, responsible parties may also be found civilly liable for damages by a court of law,” she says.
Even though various clauses of POPIA have been around for some time, this is probably a case of learn as we go – as the lass who called from the Unlimited found out this morning. It is only when cases come to court that any legal precedent will be set.
But companies have no excuse for not complying or for not training their staff to meet POPIA requirements, especially those using call centres for marketing.
“Many companies are not aware of the level of compliance that is required and the time that it will take to ensure compliance. The office of the Information Regulator is still relatively small at the moment and so extensive monitoring may be challenging, however that does not mean that compliance is not necessary. Ignorance of the requirements will never be an excuse or a defence for non-compliance with the POPIA,” warns Shepstone & Wylie’s head of social media law, Verlie Oosthuizen.
SO WHAT NOW?
Can we expect less spam and will telemarketers leave us in peace? Do companies still have the right to make those pesky marketing calls?
Unfortunately, yes, according to Shannon. “POPIA does not prohibit direct marketing but Section 69 of POPIA does give individuals the right to prevent their personal information from being processed for direct marketing. An individual must be given reasonable opportunity to object to a company using their details for direct marketing. In other words, companies must stop any marketing directed at a particular individual if that person objects to receiving such marketing.”
Perhaps The Unlimited need to take note rather than simply put down the phone.
Shannon advises that, to determine whether the direct marketer who calls is legitimate, consumers need to ask a number of important questions. How direct is the direct marketer when they call you? Are you an existing client? Where did they obtain your information? Do you want them to call you again? Can you opt out/opt in?
“Consumers should know that they always have the right to opt out of being contacted and they should be allowed to do so for free. If you are contacted after you have told someone not to contact you, you can report them to the National Consumer Commission. In terms of POPIA, companies will only be able to contact people who are not on their existing customer list once to ask for their permission to receive marketing material,” adds Ros.
It seems that the POPIA journey may be a long one and it still comes down to the consumer actually policing the system.
“All consumers can do is apply common sense. There is really no checklist that can be followed. Our suggestion is to be vigilant about the personal information that you disclose to unknown people over the telephone, especially if that call was ‘unsolicited’,” warns Verlie.
Ros takes this a step further: “There are people and robots looking for all sorts of ways to get hold of your personal information. This information is then often sold on the dark web to criminals to impersonate you. Medical records are particularly valuable. Make sure you adhere to good cyber hygiene. Change your passwords often, check your privacy settings on social media, look at privacy policies of companies you deal with so you understand what they are doing with your information. Also, do not click on unknown links and watch out for phishing emails. Always check carefully to make sure contact is legitimate,” says Ros.
Shannon also comments that consumers can vote with their feet by supporting companies that treat their sensitive information respectfully – and that companies should see this as a potential marketing tool.
“The consumer wants to do business with a company that values their personal information by having data processes in place to protect the consumer’s information. Data security will definitely give your company a marketing edge. I call it the Vitamin D edge. A dose of Data security processes and procedures to assist in the overall wellness of the consumer and the company. Whilst protecting the consumer, data security will also ensure that the company is protected from data breaches and who can put a value on that?”