“Processing” is defined in the Bill as follows: “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use
b) dissemination by means of transmission, distribution or making available in any other form
c) merging, linking, as well as blocking, degradation, erasure or destruction of information.
In terms of the above definition, an organisation must comply with the requirements of the Bill during every stage of the information life cycle insofar as it is reasonably practical to do so. The definition of “processing” is not limited to electronic personal information but includes paper based records. In addition, processing encompasses an array of activities including collection, storage, use, display, transfer, archiving, modifying, maintaining and destruction.
The details of Principle 2 are articulated in clauses 8, 9, 10 and 11 of the Bill. In order to give effect to the Processing Limitation Principle, an organisation must ensure the following:
- That personal information is processed in a lawful manner that does not unreasonably infringe upon the privacy of the individual to whom the personal information relates (clause 8).
- That only the minimum amount of personal information may be processed as is relevant to achieve the purpose for which it is required. An organisation may not request more information than is necessary to achieve a particular purpose (clause 9).
- That the explicit consent of the individual is obtained prior to the processing of personal information. If the individual objects to such processing, the organisation may not continue with the processing of that information (clause 10).
- That the organisation must collect the personal information directly from the individual except in situations that are specifically excluded from the Bill, for example if the information is contained in a public record or was deliberately made public by the individual (clause 11).
In applying the above an organisation is required to take into account the reasonable expectations of the individual to whom the personal information relates. Fair processing implies that the processing must be done in a manner that is transparent to the individual, thereby requiring the individual’s explicit consent. In order to minimise intruding on the individual’s right to privacy, the amount of personal information that is collected should not be excessive in relation to the purpose for which it is needed.
Ultimately, the lawfulness of processing will depend on how effectively the organisation is able to embed all eight of the information protection principles within the information management and governance structures of the business as a whole.
Applying Principle 2 to your organisation
Below are a few questions that can assist in determining how ready your organisation is to begin dealing with the implications of Principle 2:
- What are the different ways in which your organisation processes personal information?
- Does your organisation have a formal policy for the processing of personal information?
- If yes, does your policy identify the lawful basis in terms of which it can process information, e.g. consent, legislation, contract?
- What categories of personal information does your organisation process?
- What are the different purposes for which your organisation processes these different categories of personal information?
- How does your organisation assess whether the type of personal information is adequate for, and relevant to, the purpose for which it is collected?
- How does your organisation ensure that the type of information requested and provided is not excessive for its purpose?
- Does your organisation have procedures in place for de-identifying personal information to ensure minimum disclosure?
- Does your organisation obtain the consent of individuals before processing their personal information?
- When is consent obtained?
- What is the form of the consent that is obtained?
- Does your organisation record instances of non-consent?
- Does your organisation supply personal information to third parties?
- If yes, does your organisation obtain consent from the relevant individual to supply their personal information to third parties?
- Does your organisation obtain personal information directly from the individuals concerned?
- Does your organisation use intermediaries or agents to collect personal information?
- Does your organisation make use of databases and/or market research to collect personal information?