CHAPTER 3 OF POPI
CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
In the first instalment of this series I provided an overview of the regulations governing the cloud computing environment created by POPI. In this instalment and the instalments to follow I will look at the conditions for the lawful processing of Personal Information of data subjects (identifiable natural and juristic persons) ("Subjects") prescribed by Chapter 3 of POPI, as well as the measures prescribed to give effect to such conditions. I shall refer to these conditions and measures collectively as "the Conditions".
The importance of absolute and continual compliance with the Conditions cannot be overstated. Responsible parties must comply with each Condition in relation to the processing of the Personal Information of each Subject. Each instance of non-compliance may lead to the responsible party being found guilty of an offence and incurring a fine, imprisonment and/or civil liability.
THE FIRST CONDITION: THE ACCOUNTABILITY REQUIREMENT
1. Section 8 of POPI
Section 8 requires that:
"the responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself."
The Conditions must be complied with "at the time of the determination of the purpose and means of the processing and during the processing itself." The period during which the Conditions must be complied with is thus not explicitly defined, but it is determinable.
If the definition of processing is read with the Purpose Specification then, practically, a responsible party is accountable for compliance with the Conditions:
Whilst the term 'accountability' is not defined in POPI, if one conducts a literal interpretation of section 8 I believe that the standard of liability (accountability) imposed by this section is strict liability.
A responsible party is strictly liable for non-compliance with the Conditions in respect of each Subject's Personal Information.
4. The Responsible Party
For the purposes of cloud computing the term “responsible party”, as defined by POPI, means a Cloud User which, alone or in conjunction with a Cloud Provider and/or others, determines the purpose of and means for processing personal information.
POPI identifies the information officer as the representative of the responsible party. In a public organisation the information officer is the Director-General (or head of department) and in a private organisation, the Chief Executive Officer.
5. Responsibility for compliance vs Accountability for non-compliance
5.1 Responsibility for compliance
The information officer is responsible for encouraging compliance by the responsible party (whether it is a public or private organisation) with the Conditions, and otherwise for ensuring compliance by the organisation with the provisions of the Act.
5.2 The Problem
POPI clearly identifies the information officer as the person responsible for encouraging compliance with the Conditions within the responsible party; but it does not, as a number of articles would have you believe, identify the information officer as the person accountable for non-compliance by a responsible party with the Conditions.
In my opinion, if one looks at the provisions of POPI which deal with:
it is apparent that whilst the information officer may be the person responsible for encouraging compliance by a responsible party with the Conditions, he is not necessarily the person accountable for a responsible party's non-compliance with the Conditions.
5.3 Accountability for non-compliance with the Conditions
5.3.1 The importance of the Schedule
Section 110 of POPI, read with the schedule to POPI ("the Schedule"), effects an amendment to PAIA to the extent set out in the Schedule. The Schedule provides for complaints arising out of non-compliance with PAIA to be referred to the Information Regulator, actioned upon, assessed and enforced in accordance with POPI (with the necessary changes).
Whilst we are not concerned with PAIA non-compliance as such, the Schedule prescribes that POPI's enforcement procedure (and provisions) be applied to transgressions of PAIA, which is why it matters here.
5.3.2 Enforcement notice
The Information Regulator shall issue an enforcement notice to the responsible party in both of the following cases: (1) where, after receipt of a complaint initiated against a responsible party in terms of POPI, the responsible party is found to have failed to comply with the Conditions; and (2) where, after receipt of a complaint initiated against a responsible party in terms of PAIA, the responsible party is found to have failed to comply with the provisions of PAIA.
The Schedule and the sections contained therein are therefore relevant to the interpretation of the enforcement provisions which apply in the case of non-compliance with POPI.
5.3.3 Accountability for non-compliance with PAIA
The Schedule introduces section 77J into PAIA. It prescribes that, in respect of a failure to comply with the provisions of PAIA, the Information Regulator may:
"serve the information officer of a public body or the head of a private body with an enforcement notice -
(a) confirming, amending or setting aside the decision which is the subject of the complaint; or
(b) requiring the said officer or head to take such action or to refrain from taking such action as the Information Regulator has specified in the notice."
The information officer (being either the information officer of a public body or the head of a private body) is specifically identified by the legislature in the Schedule as the person within the responsible party to whom the enforcement notice is addressed and as the person who is required to take, or refrain from taking, the action specified in the notice.
An information officer who refuses or fails to comply with such a notice is guilty of an offence and is liable upon conviction to a fine or to imprisonment for a period not exceeding three years, or to both such a fine and such imprisonment.
The information officer is therefore the person held accountable for non-compliance by the responsible party with the provisions of PAIA.
5.3.4 Accountability for non-compliance with POPI
However, section 95(1) prescribes that in respect of a failure to comply with the Conditions the Information Regulator may:
"…serve the responsible party with an enforcement notice requiring the responsible party to do either or both of the following:
(a) To take specified steps within a period specified in the notice, or to refrain from taking such steps; or
(b) to stop processing personal information specified in the notice, or to stop processing personal information for a purpose or in a manner specified in the notice within a period specified in the notice."
Unlike in section 77J, in section 95 the legislature has chosen to identify the responsible party itself as the person to whom the enforcement notice is addressed and as the person who is required to take, or refrain from taking, the action specified in the notice.
A responsible party which fails to comply with an enforcement notice is guilty of an offence and is liable to a fine or to imprisonment for a period not exceeding 10 years, or to both such a fine and such imprisonment.
In light of the above it must be concluded that the legislature's intention was to distinguish between the persons accountable for non-compliance with the provisions of PAIA and those accountable for non-compliance with the provisions of POPI.
The responsible party is therefore the person held accountable for its own non-compliance with the provisions of POPI.
5.3.5 Extended accountability for non-compliance with POPI
Whilst it is the responsible party which is held accountable by POPI for non-compliance with the Conditions, it is a juristic person and is therefore incapable of acting of its own accord. It is the board which controls the responsible party, and the board which is de facto responsible for any non-compliance by the responsible party.
It is therefore possible that accountability for non-compliance by the responsible party with the Conditions may extend to the board and even the individual members of the board.
Considering the focus on personal liability of directors and the codification of their duties under the new Companies Act, it is plausible that a responsible party's failure to comply with the Conditions may (in extreme circumstances) lead to:
Responsibility for compliance, and accountability for non-compliance, by the responsible party with the Conditions is entrusted to a few, namely the information officer and the board respectively. However, the threats to a responsible party's continued compliance with the Conditions are as numerous as they are diverse.
It is therefore crucial that the board put in place sufficient measures to ensure compliance with each of the Conditions whilst processing the personal information of each client, and mitigate the risk that each identified threat poses to the responsible party.
In the next instalment we shall explore the meaning, threats and measures pertaining to the "Processing limitation", contained in section 9 of POPI.
Section 107(a) of POPI.
Section 107(a) of POPI.
Section 99 of POPI.
Section 8 of POPI.
In terms of section 1 of POPI processing commences when a client's Personal Information is collected or received by the Cloud User and concludes when the information is erased or destroyed by the Cloud User and all other persons (including Cloud Providers) to whom the Cloud User has disseminated the client's Personal Information.
In terms of section 13(1) of POPI, personal information must be collected for a specific, explicitly defined purpose. Logic then dictates that the determination of the purpose and means of processing a client's personal information must precede the collection or receipt thereof.
"personal information" is defined in section 1 of POPI as "information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to— (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person."
Section 55 of POPI.
Section 1 of POPI, read with section 1 of PAIA.
Section 55(1)(a) of POPI.
Section 55(1)(d) of POPI.
Section 74 of POPI.
Section 77C of PAIA as amended by the Schedule.
Section 77K of PAIA as amended by the Schedule.
Section 103 of POPI.
Section 107(1) of POPI.