PoPI 101: privacy for civic tech
A simple guide to one of South Africa’s current top-of-mind legal talking points, the Protection of Personal Information Act
Is your civic tech project PoPI-compliant? The Protection of Personal Information (PoPI) Act has been a talking point for businesses for several years now, but with the appointment of the Information Regulator, the time has come for civic tech initiatives get serious about PoPI compliance .
At our recent Civic Tech Innovation Network (CTIN) event, media lawyer Dario Milo presented on PoPI , offering some key guidelines for how to interpret the legislation, what penalties non-compliant organisations may face, and the simplest solutions for compliance. Drawing from that and additional research, here is our straightforward CTIN guide to PoPI for civic tech.
The headlines
You are probably collecting what the law now calls ‘personal information’.
Soon civic tech initiatives (like others) will have to do a lot more than including a tick box to get permission to store and use people’s personal information.
You will need to tell people who you collect information from — on websites, mailing lists and applications — what you are planning to do with their information in some detail.
You are also responsible for ensuring that any other organisations you use to store or process the information is also compliant. So you need to be particularly careful about cloud services, for example which store data all around the world where the law may not be so strict — one of the places it is less strict is the US!
Anyone you collect information from is entitled under PoPI to ask to see what information you have about them, to get any inaccurate information corrected or to ask for their personal information to be deleted.
All the regulations are not in place yet. But its the right thing to do so start working on this now.
What is the current status of PoPI?
The 10th draft of POPI was adopted and signed into law by the President.
On 11 April 2014, some sections of POPI came into force, which enabled the establishment and powers of the Information Regulator.
In 2016 the Information Regulator, Pansy Tlakula was appointed. The regulator has extensive powers to investigate complaints and to fine organisations that misuse personal information.
The regulations that affect organisations and companies that gather personal data have not yet come into force. At the workshop, Dario suggested that PoPI could be in full force within two years.
Who does PoPI apply to?
The Act applies to “any person or organisation who (or which) processes the personal information of others and who is defined under PoPI as ‘responsible parties’.” From a civic tech perspective, it’s hard to imagine any scenario that would exclude you from such a definition.
What is the basis for PoPI?
PoPI is predicated on our constitutional right to privacy, specifically informational privacy. Section 14 of the Constitution deals with privacy, saying: “Everyone has the right to privacy, which includes the right not to have their person or home searched; their property searched; their possessions seized; or the privacy of their communications infringed.” PoPI tries to balance these rights with the rights to freedom of expression and freedom of information.
What constitutes ‘personal information’?
Dario says that “personal information”, according to the Act, includes any information relating to an identifiable, living, natural person (or an identifiable, existing juristic person). This includes, among other things, identifying information like your name and ID number, contact details, physical address of people and businesses. But it could also include information that doesn’t appear to be personal , for example, the ‘IP’ addresses of people’s computers which could be used to identify people.
There are also especially strict rules that apply to ‘special personal information’ which includes any information about people’s race, political persuasions, health or sex life.
Okay, so you have personal information from users. But what do you do with it?
PoPI is concerned with the “processing” of this info. PoPI says that all personal information must be collected for “a specific, explicitly defined and lawful purpose related to the function or activity of the responsible party”. Dario explained that processing includes “any operation, or activity, or set of operations (whether or not by automatic means) concerning personal information”.
This includes:
- collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, erasure or destruction
Dario told the participants of our event that responsible party may not process personal information, unless:
- The data subject consents to the processing;
- Processing is necessary for performance of a contract to which the data subject is party;
- Processing complies with an obligation imposed by law;
- Processing protects a legitimate interest of the data subject;
- Processing is necessary ‐ public law duty by a public body;
- Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Explicit steps must be taken ensure the data subject is aware of the purpose of collection. There are eight conditions for lawful processing under PoPI.
Condition 8 is particularly relevant for civic tech projects. It specifies that the data subject is entitled to:
- Enquire — without monetary charge ‐ whether his / her personal information being processed
- Request description of his / her personal information
- Request information on the recipients of this personal information
- Challenge the accuracy of personal information
- Request correction of information (if inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully)
- Request deletion
So, if you get the info, analyse it, store it, or even delete it, PoPI regulations governs this, and not complying could see you fined.
What penalties could you face?
Non-compliance could see an organisation face both administrative fines (up to R10 million) and criminal offences (including imprisonment up to ten years).
What about the implications of cloud storage?
If you use any virtual or off-site storage, you should also consider the following rule: “Personal information may not be transferred to a third party in a foreign country”.
There are some exceptional conditions that apply when data may be transferred trans‐border. These are when the recipient is subject to a law, or binding corporate rules or a binding agreement which:
- provides for an “adequate level of protection” that effectively upholds the principles that are substantially similar to the conditions for lawful processing; or
- includes substantially similar provisions relating to the further transfer
- of personal information to third parties in foreign countries
- consent
- other exceptions
Ethics
Beyond the legal considerations of PoPI, there are ethical concerns that civic tech organisations and practitioners ought to consider. Some guiding questions include:
- Does your organisation have an internal or published privacy policy and how far along are you in thinking about your privacy and data security?
- Is your privacy policy clear and easy to understand?
- What information do you collect from users and partners? What do you use it for?
- How do you secure the information you have?
- What is your data retention policy?
- How well do you inform the people whose data youhave about your answers to these questions?
Consent: the golden rule
Dario argues that the simplest way to ensure PoPI compliance is to get “informed consent”. If you source explicit consent from users, having provided them with clear, simple, accurate information on precisely how you will use and manage their info, you’re on the right side of the law.
So dust off those privacy policies, civic techies. They are no longer ‘just’ a tick-box concern. Rather, a thoughtful and precise privacy policy — with active consent built in — could be your legal saving grace, and its the right thing to do.
About our expert
Dario Milo is a partner in the Dispute Resolution Practice at Webber Wentzel, where he leads a team that focuses on media, communications and information law, and commercial and tax dispute resolution. Dario also teaches media law, access to information law, and privacy law at the University of the Witwatersrand, where he is a visiting associate professor.
Access the full set of slides from Dario Milo’s presentation here.
