The Protection of Personal Information Bill is legislation will change the way organisations collect, store and use personal information about their contacts and will effectively provide South Africa as a jurisdiction, parity with other countries that have implemented data protection legislation. A primary impact will be the propelling of South African organisations to permission based or consent based communications with their customers and contacts.
For instance, section 10 of the Bill states unequivocally that personal information may only be processed if a data subject consents to such processing. In terms of the Bill consent means “any voluntary, specific and informed expression of will in terms of which a data subject agrees to the processing of personal information relating to him or her”.
Then, throughout the Bill you will observe scattered consent requirements, including:
- Consent for Direct marketing communications: Direct marketing, by sms, fax, automatic calling machines or electronic mail, is strictly prohibited unless the data subject has consented thereto or subject to certain requirements, is an existing customer of the organisation.
- Trans-border flow of personal information: Subject to certain other factors, no personal information may be sent outside the borders of the Republic of South Africa unless the data subject has given their consent.
Such provisions have resulted in a frenzy amongst certain organisations who have equated the consent requirements as presenting a looming doomsday for their current operational procedures. Others have approached the upcoming legislation with a clear to-do list including boosting their Database Consent Quota i.e. the number of people that have consented to receipt of communications from the company represented as a percentage of the total number of people on the database.
It is in fact a good first step for organisations awaiting the Bill to take effect but wanting to get a head start on implementing the requirements ie. evaluating and improving their Database Consent Quota. Organisations may for instance, review and amend online and offline contact documentation (such as newsletter sign up forms) to obtain specific consent for the related processing of the personal information by the organisation. While this will improve their Quota over time, organisations may also contact the members of their database requesting consent to continue to receive communications. These steps have also proven to generate a more accurate database even showing an improved read rate of communications sent. At this stage, organisations may also wish to implement certain other consent related measures prescribed by the Bill and otherwise constitute good business practices, for instance:
- Implement an unsubscribe facility on marketing communications sent;
- Confirm a contact’s unsubscribe or revocation of consent and institute procedures to ensure that the contact does not receive any further communications;
- Implement a complaints procedure and policy for persons aggrieved with the handling of their personal information; and
- Evaluate records management processes within the organisation to ensure that all records containing consent received from contacts are locatable and may be presented as evidence.
DEFINITION OF PERSONAL INFORMATION:
Personal Information means: information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to-
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
(d) the blood type or any other biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
DEFINITION OF PROCESSING:
Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:-
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alternation, consultation, use,
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as blocking, degradation, erasure or destruction of information.
EXCEPTIONS:
The Bill does not apply to processing of personal information:-
(a) in the course of a purely personal or household activity;
(b) that has been de-identified to the extent that it cannot be re-identified again;
(c) by or on behalf of the State and that is required national security, defence or public safety or the purpose of which is the prevention, investigation, or proof of offences;
(d) for exclusively journalistic purposes;
(e) by the Cabinet and its committees, the Executive Council of a by the Cabinet and its committees and the Municipal Council of the Municipality;
(f) relating to the judicial functions of a court;
(g) that has been exempted from the application of the information protection principles in terms of section 34.
Chetty Law is currently assisting organisations with a review of their Database Consent Quota. For more information please contact Jenna Cuming, Chetty Law: