Direct marketers are just one of a myriad of business sectors that are going to have to take serious heed of the Protection of Personal Information Act (POPI,) which is about to become law. The only remaining step is the assent by President Jacob Zuma.
“Failure to comply with the act may have serious consequences,” says Judy von Klemperer, of Shepstone & Wylie Attorneys' Litigation Department. These extend to imprisonment of up to 10 years and or a fine of up to R10m.
“One of the areas where it will have a substantial impact is on direct marketing,” she adds. POPI will change direct marketing from an “Opt Out” scenario to an “Opt In” one. “In the future, the public can be approached and asked once if they are prepared to receive marketing materials. If the answer is no or opt-out the marketer may not approach you again without falling foul of the Act. If you agree to receive marketing material then it may be sent to you but you must be given the option on every bit of marketing material received,” explains von Klemperer.
“While fairly daunting, POPI’s enactment will see South Africa keeping abreast with international developments in this regard”. As the world has got smaller with the Internet it has become easier to find out personal information about someone without their knowledge and or consent. As it has become easier to access personal information about people, the need to protect their personal information has increased.
POPI creates obligations on the way that you gather, process, store and destroy information. It will not apply to personal information processed for purely personal or household activities and journalistic, literary and artistic purposes are also excluded. Failures to comply have serious consequences. POPI applies not only to the personal information of natural persons but also to a juristic or corporate entity.
The definition of ‘‘personal information’’ is very wide and includes almost any information that you may have about someone as well as information relating to their personal opinions and views and private or confidential correspondence sent by the person.
POPI sets out 8 Conditions for the lawful processing of personal information. “These conditions are important and must be met otherwise your processing of information will be unlawful for which there are serious consequences and substantial penalties.”
Von Klemperer advises that personal information can only be processed in certain circumstances, such as if the person consents, the processing is necessary to carry out actions for the conclusion or performance of a contract to which the person is a party, the processing complies with an obligation of law, the processing protects a legitimate interest of that person or for pursuing the legitimate interests of the responsible party.
For those in credit management and control, more often than not, these are the reasons that they are processing personal information. If you have the person’s consent to process the information, that will entitle you to process their information. The information would still need to be relevant for the purpose for which it is being processed; however consent from the person will provide you with permission to process the information. “It is prudent to include a consent to process information in terms of POPI in trading terms and conditions or in credit application forms.”
Personal information must be collected directly from the person whose information it is except where it is contained in or derived from a public record or has been made public by that person. Personal information may be obtained from another source if the person consents. Such a consent can, and should, be included in credit terms or terms and conditions.
Personal information may not be retained for longer than necessary to achieve the purpose for which was obtained unless that retention is authorised by law. It may be retained for statistical purposes but there must be safeguards that this all it will be used for. POPI requires the destruction or deletion of personal information as soon as it is no longer required. Destruction or deletion must be done in such a manner as to prevent it from being re-created in respect of both physical and digital records.
POPI also requires that a responsible person must secure the integrity and confidentiality of personal information and take steps to prevent loss of, damage and unauthorised destruction of personal information as well as unlawful access to or processing of information. “In other words not only must you keep the information safe, but also ensure that no one else can access it,” she says
A breach of POPI can give rise to a civil action for damages as well as criminal sanction. Certain breaches constitute an offence with the possibility of serious penalties and multi-million rand fines and or imprisonment.