Processing of Personal Information under POPI: A Snapshot

Louella Tindale

The fundamental activity underpinning the Protection of Personal Information Act, 2013 (‘POPI’ or ‘the Act’) is the processing of personal information. The Act’s very purpose is the protection of personal information processed by private and public bodies.

POPI contains many similarities to the UK Data Protection Act, 1998 (DPA) and it is likely that authorities will look to UK and EU case law and guidance in the interpretation of POPI. In its guidance regarding the difference between Data Controllers and Data Processors (as defined in the DPA), the Information Commissioner’s Office gave the following useful clarification of the definition of ‘processing’ contained in the DPA:

“The definition of ‘processing’ suggests that a data processor’s activities must be limited to the more ‘technical’ aspects of an operation, such as data storage, retrieval or erasures.”

Under POPI ‘processing’ is defined as:

“any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

(b) dissemination by means of transmission, distribution or making available in any other form; or

(c) merging, linking, as well as restriction, degradation, erasure or destruction of information.”

In its simplest form, the processing of information under POPI essentially involves the technical activities of receiving, storing, modifying/transforming, transferring, using or disposing of personal information.

Current technology that is involved in the processing of information includes inter alia computer hardware such as servers, various software including websites, search engines, mobile phone applications, automated technology and CCTV.

With this in mind, subject to certain exclusions contained in POPI, most companies’ activities at some point, be it in relation to their customers, suppliers or employees, will involve the processing of personal information and will fall within the ambit of the Act.

Examples of day-to-day processing activities:

Personal information is provided by data subjects through websites by means of booking forms, contact forms, newsletter signups, online purchasing and website registrations, to name a few. As such, in addition to the company that owns the relevant website, the website hosting company or the cloud provider’s activities would fall within the ambit of the definition of processing in that they are receiving the information, transferring the information using the Hypertext Transfer Protocol (HTTP/HTTPS) to their server/cloud, and storing that information on behalf of their client. The disposal of that information can occur manually on instruction by the client, or automatically using specific software, which may be licensed from a third-party or owned by the web hosting company or by the client itself – the action of disposal falls within the ambit of processing as well.

In the running of surveys (for example, client satisfaction surveys or demographics analyses) or research (for example, market research or academic research), personal information is often collected from a data subject for the purpose of preparing reports, presentations and/or written research papers. In the User Experience (UX) space, for example, personal information is collected regarding data subjects’ opinions on a website or mobile application – information such as race, gender and age may be collected for such research to investigate the demographics of the user experience subject pool, and then collated into a report.

Perhaps the most widespread use in this sphere comes from marketing – whereby marketing companies engage in direct marketing to data subjects that have opted in to receive marketing materials, or run satisfaction surveys. The data subject generally provides their personal information online through, for example, an online registration form or contact form with the option to receive marketing material or not (most often a tick-box exercise). That information is then processed by use (sending the data subject marketing material to their email address or telephone number) and by potential analysis regarding demographics to modify the information for reports/studies. In this way information is processed by means of actual collection of information from data subjects, and by modifying and/or merging that information for the purpose of transmitting a report to the client.

Names, financial information and other identifying information may be provided to external accountants/auditors to produce audit reports or accounts. They often receive this information from automatic reports prepared by companies in SAP by Design or other accounting software. Under the definition of processing in POPI, the action of collecting or receiving the information, collating and transmitting that information (to the customer or to government authorities directly on behalf of a customer) would mean that accountants/auditors are processing information.

The running of a payroll within an organisation falls within the ambit of processing personal information. Employees’ personal information such as names and salary is received or collected and transferred by means of electronic uploading to a payroll system, which then records and stores that information and makes payment on a fixed monthly date.

These are just a few of the common activities that would constitute processing under POPI. What is evident is that the all-encompassing nature of the definition of processing in the Act means that all companies will need to establish procedures, policies and trading/service terms to ensure their processing activities do not infringe on employees’, customers’, suppliers’, contractors’ or other persons’ rights as data subjects, and in doing so, must ensure compliance with the conditions prescribed by the Act.

Louella Tindale

Louella has a BA LLB (University of Cape Town) as well as a Certificate in Competition Law (University of the Witwatersrand). She was admitted as an attorney in 2010 after completing her articles at Werksmans Attorneys. In 2012, Louella relocated to the United Kingdom where she worked for two multi-nationals as in-house legal counsel – LSE listed hotel group PPHE Hotel Group (Park Plaza and art’otel) and FTSE 100 travel group TUI Travel. Louella joined Caveat Legal in 2017.