“I work at a recruitment agency. I generally receive personal information, such as copies of identity documents from our clients listing their CVs with us. These copies are stored in our electronic database. I understand that POPI requires that personal information of clients, such as the quality of copies of identity documents must meet certain requirements. What exactly are these requirements?”
Firstly, it should be noted the Protection of Personal Information Act 4 of 2013 (“POPI”) was signed into law on 19 November 2013, but has, to date, not yet fully come into effect.
POPI protects persons from suffering damage and harm by requiring entities and persons who, store, use and destroy personal information to protect such information and to keep it private and confidential. The entities and persons who carry this responsibility are termed “responsible parties”.
The quality of information stored by responsible parties is also important, since data that is of a sub-standard quality may negatively affect the person to whom it relates (the “data subject”). Also the commercial value that personal information holds, could be compromised by sub-standard quality data.
Although POPI does not provide detailed specifications for what is standard or sub-standard data, it does oblige responsible parties to take reasonable practicable steps to ensure that all the personal information which they collect is complete, accurate and not misleading. In your example of an identity document, if the quality of such is so poor that it is not legible or the person cannot be identified, the data (namely the identity document) would then be sub-standard, particularly if the reason for the collecting – namely to forward it to potential employers – is taken into account.
Responsible parties also carry the obligation to ensure that personal information is up to date. For example, if you have outdated contact details of a client which is provided to potential employers, such outdated contact details may make it impossible for the interested employers to contact your client (the data subject) for a recruitment interview. Responsible parties must thus ensure that the quality of data remains intact over time, taking into account that data can change or deteriorate over time, thereby impacting on the quality of the data.
As you are potentially dealing with a wide variety of personal information and are also providing access thereto to other third parties, it would be advisable that you enlist the help of a legal specialist to help you establish a compliance framework for your business that is aligned with POPI when it becomes effective.