Urgent PoPIA reminders – from Compli-Serve, SA
After several years of lead-up and implementation, we’re certain that most of us are aware of the ins and outs of PoPIA and how it affects our businesses. If you’d like to read one of our most popular articles on it, you can click through to Oh Sh1t… POPIA is ACTUALLY here. For some quick reminders at a super high level, here’s a checklist that we recently received from our compliance colleagues.
In a nutshell, you should make sure that any personal data your organisation or business collects is:
- adequate – sufficient to properly fulfil your stated purpose
- relevant – has a rational link to that purpose
- limited to what is necessary – you do not hold more than you need for that purpose.
With that in mind – here’s an easy checklist to print out and keep nearby when working with client information:
- We only collect personal data we actually need for our specified purposes.
- We have sufficient personal data to properly fulfil those purposes.
- We periodically review the data we hold, and delete anything we don’t need.
The above means you should identify the minimum amount of personal data you need to fulfil your purpose.
Example 1
A recruitment agency places workers in a variety of jobs. It sends applicants a general questionnaire, which includes specific questions about health conditions that are only relevant to particular manual occupations. It would be irrelevant and excessive to obtain such information from an individual who was applying for an office job.
You must not collect personal data on the off chance that it might be useful in the future. However, you may be able to hold information for a foreseeable event that may never occur if you can justify it.
Example 2
An employer holds details of the blood groups of some of its employees. These employees do hazardous work and the information is needed in case of an accident. The employer has in place safety procedures to help prevent accidents so it may be that this data is never needed, but it still needs to hold this information in case of emergency.
If the employer holds the blood groups of the rest of the workforce, though, such information is likely to be irrelevant and excessive as they do not engage in the same hazardous work.
If the processing you carry out is not helping you to achieve your purpose then the personal data you have is probably inadequate. You should not process personal data if it is insufficient for its intended purpose.
In some circumstances, you may need to collect more personal data than you had originally anticipated using so that you have enough information for the purpose in question.
Example 3
A group of individuals set up a club. At the outset, the club has only a handful of members, who all know each other, and the club’s activities are administered using only basic information about the members’ names and email addresses. The club proves to be very popular and its membership grows rapidly. It becomes necessary to collect additional information about members so that the club can identify them properly, and so that it can keep track of their membership status, subscription payments etc.
A record of an opinion is not necessarily inadequate or irrelevant personal data just because the individual disagrees with it or thinks it has not taken account of information they think is important.
However, in order to be adequate, your records should make clear that it is opinion rather than fact. The record of the opinion (or of the context it is held in) should also contain enough information to enable a reader to interpret it correctly. For example, it should state the date and the author’s name and position.
If an opinion is likely to be controversial or very sensitive, or if it will have a significant impact when used or disclosed, it is even more important to state the circumstances or the evidence it is based on. If a record contains an opinion that summarises more detailed records held elsewhere, you should make this clear.
We hope that’s a helpful reminder for the business year ahead!