Thank you to Sumien du Plessis for writing this follow-up blog, on the impact POPIA is having at the SAISI office, and in your practice too.
Knock-knock…
Who’s……..
Oh wait…. you have heard this before!
Let’s just jump straight into POPIA-SAISI-effect from requirement 2 of the PRIVACY POLICY IN TERMS OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013.
- Limit the processing of personal information
This requirement gets back to the basics – SAISI is only allowed to ask for minimum personal information about the specific purpose for which an individual has dealings with SAISI. If I now want to attend a course, SAISI cannot ask me to share information which was previously standard on any application form, for instance: race, gender, age, physical address, etc. I must just tell you that for the life of me, I could never understand why anybody wanted to know how old I am on a course application! So, I, for one, salute this requirement. Unfortunately, for SAISI, it means that they should re-do all their application forms to ensure that only the minimum required information is on each application. I will concede that some applications might require more personal information than others. Thus, SAISI has to carefully consider the minimum needed personal information asked of their members and shared with third parties.
- Specify the purpose of needed information
To safeguard further regulation over what information goes where, to whom, and for how long, SAISI must explain specifically, clearly, and lawfully for what purpose the personal information is collected. They should also utterly destroy or delete personal information as soon as the reason for obtaining it has expired. In the case of personal information obtained for research purposes, all information should be de-identified so that the information cannot be reconstructed in an intelligible form.
- Further processing limitation
As if conditions 2 and 3 have not given us enough security that our information will be handled with confidentiality and the utmost care, condition 4 ensures that SAISI has to obtain consent for any further processing of information other than the original purpose it was collected for. So, if SAISI wanted to disclose my personal information to any third party I have to complete and sign yet another form, with all my information, to give consent for the secondary use of the original information. This will mean more paperwork, more places to secure, and more headaches all around for SAISI!
- Information quality
SAISI should make sure that personal information is complete, accurate, not misleading, and up-to-date. I suppose this is another colossal task. I think this could also be a very frustrating job for the board member who is in charge of keeping the information in tip-top quality, especially when I consider how slowly I sometimes react to requests to update my personal information.
- Openness
And now we are at condition 6……drum-roll, please! After 5 requirements protecting personal information (almost at all costs), condition 6 tells you that all this protection may only happen after you have gotten your PAIA manual in place. Yes, ladies and gentlemen, this is the Promotion of Access to Information Act. So, SAISI should keep our personal information safely under cloak and dagger, but then also be willing to share everything under the everyone-may-know-everything-of-you-if-they-ask-nicely-Act. Albeit by going through all the legal steps set out by PAIA, but still…I think this can create somewhat of a dilemma for big institutions, such as SAISI. And, of course, it created more work, because SAISI had to get their PAIA in place as well.
- Security safeguards
I think with obligation 6 in mind, number 7 serves again as a reminder that all personal information should be securely collected, used, stored, modified, demolished, and distributed. This requirement, for me, seems to have more financial implications than the others, because appropriate, reasonable, and technical measures have to be taken to prevent the loss, damage, and unlawful access of information. For this to happen, specialized security options for data storage and data sharing should be obtained. I do not know what it costs a big institution, but I do know that I didn’t get my security measures for free.
- Data subject participation
Lastly, the POPI Act has thought of giving the data subject (that would be you and me) the right to request confirmation, correction, or deletion of the personal information being held by the responsible party (SAISI), with adequate proof of identity. For you and me, this is the promise that we are in control of our own stuff. For SAISI, this might just open a whole new can of worms!
Now, right here at the end of my blog, I want to state that the above outlook is my own personal (albeit limited) opinion of how POPIA affects SAISI. I am sure there will be many other implications, which I haven’t considered in this blog.
Please note that SAISI’s POPIA and PAIA manuals can be viewed on https://instsi.co.za/paia-manual/.