Law will limit the disclosure of your personal data
POPI compliance should be taken very seriously by those gaining the most from personal information
More compliance costs and another regulator are coming your way with our new POPI privacy laws. But don’t be scared into spending too much on the protection of personal information by prophets of doom who are often just looking for more work.
The law of privacy has been with us since Roman times. If you possess private information about someone else you should keep it private unless you have the informed consent of that person. You only use it for the purpose for which you have consent and you do not use it after that purpose has been fulfilled. Otherwise the information may not be disclosed unless it is overwhelmingly in the public interest to do so.
That is what the Protection of Personal Information Act (POPI) will say although in much more elaborate terms. POPI is not aimed at interfering with normal business relationships. It is mainly aimed at those who gather personal information to use it for purposes such as marketing their goods and services or selling the data at a profit. If you are in that business you need to take POPI compliance very seriously.
The good news is that personal information may be processed to carry out actions in performing a contract. In most such instances there is an implied consent from the client or customer. The patient whose doctor draws blood and sends it for analysis, or e-mails a script to a pharmacy, consents by implication to private biological information being disclosed. A customer who asks the bank to give a bank guarantee consents by implication to the document being sent to the creditor. There are millions of daily examples where POPI will not fetter your operations. The common law will still apply.
In areas such as journalism and artistic expression the public interest in freedom of expression may override a right of privacy. Exhibiting the “Spear of the Nation” is not prohibited — even privates may not be private.
When you consider your POPI responsibilities, take a sensible view of the world of daily commerce. POPI is not intended to shackle you tightly unless your business is processing personal information for gain. Systems will have to be set up to ensure information held by your business is protected from access by others, but you may not have to break the bank to do so.
About 10 years in the making, POPI looks set to come into force this year — although after 10 years who can be certain? Once it is brought into force there will be one year in which to bring your information processing into line with the act. We also need regulations and the Information Regulator needs to be set up. There is time for a sensible approach, but start now.
Patrick Bracher is a director at Norton Rose SA.