Truth about protection of personal information in South Africa
Despite its name, the Protection of Personal Information Act (Popia) does not prohibit data collection but regulates how it can be processed once obtained.
This is according to the managing director and data and tech attorney at Michalsons Attorneys, John Giles.
“One of the things that people are often surprised to hear about Popia is that it doesn’t prevent organizations from collecting and processing personal information,” Giles told Cape Talk.
“It simply sets out about eight conditions for the lawful processing of that personal information. And so often, they are lawfully gathering and processing that information.”
“Popia shouldn’t be the protection of personal information. It should be the processing of personal information. The idea is to set the conditions or the rules for when it can be lawfully processed,” he continued.
South Africa’s Information Regulator, formed to ensure Popia compliance, lays out eight conditions for processing personal information that companies must adhere to.
These include accountability, processing limitation, purpose-specific, further processing limitation, information quality, openness, security safeguards, and data subject participation.
Giles’ comments follow a Pam Golding data breach that resulted in numerous people receiving notifications from the real estate company despite never interacting with it.
When asked whether companies such as Pam Golding that collect personal information to market products and services are doing so legally, Giles said they are.
He says that as long as they lawfully process the information they collect, they abide by Popia.
“What Popia encourages is transparency and openness,” Giles said.
“So, when gathering information, they should be transparent and tell data subjects what information they have and why they have it.
He notes that data subjects can request access to any data a company has about them and how it is being processed.
Similarly, they can request that this data be removed from the company’s database. They can file a complaint with the Information Regulator if their data is not removed.
Companies often use personal information for direct marketing, including receiving advertisements via email, SMS, and phone calls.
However, the National Consumer Commission (NCC) and the Department of Trade, Industry, and Competition (DTIC) are cracking down on direct marketers who do so telephonically.
Hardin Ratshisusu, the acting commissioner at the NCC, said the DTIC’s new national opt-out registry for direct marketers would give the commission full sight of all direct marketers in the country.
“The Minister of Trade and Industry has published an amendment to the current regulations. The main thing here is there now has to be a national opt-out register that will be managed by the National Consumer Commission,” he said.
“We do appreciate that there are current external registers, but there is a concern that with the existing structures and frameworks, we still have a lot of abuse of consumers.”
“We don’t have full sight of all direct marketers in the country, and this will require them to register on an annual basis,” he added.
Ratshisusu explained that the processes and regulations surrounding the register and the registration of telemarketers are still being developed.
“We need to, in the regulations, make it clear that direct marketers follow the regulations and ensure that we stamp out unwanted calls to consumers,” he added.
The Department of Trade, Industry, and Competition (DTIC) recently told MyBroadband that it plans to roll out the new opt-out registry in the 2025/26 financial year.
“This is an electronic system where customers will apply by uploading their details into the registry,” it said.
It added that the registry will enable consumers to restrict or block unwanted communication from direct marketers.
Direct marketers must also register and clear their list of marketing leads before they can run a campaign.
“A cleansed consumer list will be valid for 30 days,” the DTIC added.
Loading ...