“I own a local cellphone and electronics store. We collect personal information from our clients, and quite often have to pass on information to third parties such as cellular providers etc. in order to provide our services. I’m not sure where our business fits into the picture with POPI and what my responsibilities are? Can you provide some clarity?”
The Protection of Personal Information Act 4 of 2013 (“POPI”), which has been signed into law but has not yet come fully into effect, protects our rights to privacy by setting conditions and requirements for the processing of ‘personal information’. Personal information is any information relating to a living natural person or an identifiable legal entity and includes, amongst others, names, birth dates, identity/registration numbers, passport numbers, demographic information, occupational information, health information and contact information. POPI also relates to the ‘processing’ of such information, which includes, amongst others, the collection, use, storage, deletion or destruction of personal information.
POPI establishes a number of role players with specific rights and responsibilities. The subject of the protection afforded by POPI is the ‘data subject’, which is a person (natural person or legal entity) to whom the personal information relates. This can be a new or existing client, a prospective client, a supplier, or any other person whose personal information is being processed by your organisation. Data subjects can be resident anywhere in the world and will qualify as data subjects if their personal information is processed by a responsible party in South Africa.
On the other side of the coin is the ‘responsible party’, which is the party that must comply with POPI. The responsible party processes the personal information and determines the purpose for which the personal information is needed, and can even outsource part or all of the processing to a third party, referred to as an ‘operator’ in terms of POPI. Importantly though, despite the processing being outsourced to an operator, the responsible party remains responsible for such processing, making it imperative that processing of personal information by operators is also compliant with POPI.
The personal information your cellphone store receives when opening cellular accounts will qualify as personal information in respect of those clients, who will also be seen as data subjects for purposes of POPI. Your actions of collecting, storing and passing such information on to cellular providers will qualify as processing and, since you determine the purpose of the processing, your business will qualify in this context as a responsible party under POPI. This means that POPI will apply to your business and that you will need to ensure that all your processing actions in relation to personal information are compliant with POPI.
Given that you also pass personal information on to other parties for specific actions in respect thereof, this may also be seen as passing information on to operators. This would require that you put proper operator agreements in place to ensure that the operators meet the requirements of POPI, as you remain responsible for the operators’ actions in terms of POPI.
Our advice is to seek the assistance of a POPI specialist to review your business and how you process personal information, so that the correct compliance framework, procedures, client forms and contracts are put in place and you meet all facets of POPI.