WAKE-UP CALL FOR ALL OF US
The millions of Facebook profiles analysed by Cambridge Analytica constitute one of the biggest breaches of personal information to date. The data was collected through an application whose Facebook users agreed to have their data collected for academic use. The application also collected information from those users’ friends.
Facebook has acknowledged that the personal information of more than 87 million of its 2.2 billion users may have been shared with Cambridge Analytica. It is estimated that the personal information of almost 93 000 South African Facebook users could potentially have been shared with Cambridge Analytica.
The question to consider is to what extent Facebook users and businesses in South Africa are aware of the impact of the Protection of Personal Information Act, 2013 (Popia) on their daily actions and interactions.
The preamble to Popia clearly sets out the aims and objectives of the act, which are to protect personal information processed by public and private bodies and to introduce certain conditions detailing the minimum requirements for the processing of personal information.
The establishment of minimum requirements for the lawful processing of personal information requires all responsible parties (the parties responsible for the processing of information) to comply with conditions 1 to 8 of Popia.
The definition of processing personal information, as set out in Popia, clearly shows that information sent or received by a user of social media is subject to the statutory provisions of Popia. This means that:
The collection, receipt, recording, organisation and other methods of processing set out in section 1 of Popia must comply with the provisions of the act.
Personal information must be lawfully processed in a reasonable manner that does not infringe on the privacy of the data subject (the person to whom the data relates).
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
The requirement of consent. This is probably the most important question regarding the lawfulness of processing – whether the data subject has consented to the processing of his, her, or its personal information.
The personal information must be collected directly from the data subject.
Personal information must be collected