Background

The Protection of Personal Information Act (POPIA) sets out the rules businesses subject to the Act must follow when collecting personal information, including –

  • Processing Personal Information in accordance with the conditions for the lawful processing of personal information ;
  • Every person has the right to be notified that personal information is being collected;
  • Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive (minimality principle);
  • Personal information must be collected directly from the data subject, except as otherwise provided;
  • Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

 

A privacy notification is one of several documents required for POPIA compliance. But whereas many of these documents are strictly internal, a privacy notification is provided to customers and other interested parties, explaining how the organisation processes their Personal Information. One of the major themes of POPIA is the promotion of transparency. This is achieved through the condition of openness (section 17 & 18), which require that Data Subjects MUST Bbe informed when their Personal Information is collected.

  1. When Personal Information is collected directly from the Data Subject: The general principle is that the notification cannot take place after the fact; the Data Subject must be informed BEFORE the Personal Information is collected.
  2. When Personal Information is being collected from other sources: The Data Subject must preferably be notified before collection takes place or, if that is not possible, as soon as reasonably pravticable after it has been collected.
  3. When more information is collected from the Data Subject: The Responsible Party do not need to re-notify the Data Subject if both the following requirements are met:
    1. The Personal Information is the same or from the same kind; and
    2. The purpose for processing the Personal Informationm remains the same.
  4. When processing activities change: Re-notification is necessary if –
    1. the change do have an impact on the Data Subject; or
    2. The change would be unexpected or surprising for the Data Subject.
  1. The Responsible Party must take reasonably practicable steps to ensure that the Data Subject is aware of all of the required information. Reasonable practical steps can include –
    1. Section 18 Privacy Notification: The Responsible Party can either –
      1. take the form of a single document which Data Subjects are referred to, or
      2. Data Subjects can be given the applicable notice as and when the Personal Information is collected, for instance an application form.
    2. Hard copy/ paper environment: For example when entering into contracts by postal means: written explanations, leaflets, information in contractual documentation, cartoons, infographics or flowcharts.
    3. Telephonic environment: Oral explanations by a real person to allow interaction and questions to be answered or automated or pre-recorded information with options to hear further more detailed information.
    4. Person to person environment: Such as responding to opinion polls, registering in person for a service: oral explanations or written explanations provided in hard or soft copy format.
    5. “Real-life” environment with CCTV/ drone recording: Visible boards containing the information, public signage, public information campaigns or newspaper/ media notices.