The details of Principle 3 are articulated in clauses 12, 13 and 14 of the Bill, which require an organisation to do the following:
- ensure that personal information is only processed for specific, explicitly defined and legitimate reasons relating to the functions or activities of the organisation;
- take steps to make the data subject (person whose personal information is being processed) aware of the purposes for which the personal information will be processed; and
- establish mechanisms to ensure that personal information is only kept for as long as it is required to fulfil the purpose for which it was collected.
It will be difficult for an organisation to comply with this principle without first undertaking an exercise to ascertain the various sources of personal information in existence throughout the organisation. Thereafter the organisation will have to link the personal information to specific, explicitly defined and legitimate purposes as required by the Bill. It is unlikely that an organisation will be able to get around this requirement by using a blanket “legitimate business purpose” specification for processing personal information as the purpose must be explicitly defined. This means that it will be critical for the organisation to determine what the various reasons are for which it processes personal information on a daily basis and whether these reasons are indeed legitimate.
The obligation to make the data subject aware of the purposes for which the personal information will be processed must be read together with Principle 6: Openness. In terms of this principle the organisation must notify the data subject of a number of things relating to the processing of the personal information, including the purpose for which it will be processed, the consequences of the failure to provide the personal information and the recipients to whom the personal information will be disclosed. Depending on the nature and number of data subjects, the organisation will have to decide what the most appropriate means would be of communicating this information to the relevant persons.
Generally, the organisation will not be allowed to keep the personal information after the purpose for which it is required has been fulfilled or is no longer relevant. This is subject to the following exceptions:
- if the organisation is required to keep the information in terms of any other law;
- if the organisation needs to keep the information for a lawful purpose related to its activities (as long as any further purpose is communicated to the data subject);
- if the organisation is contractually bound to keep the information (as long as the data subject’s rights are not unreasonably intruded upon); or
- if the data subject consents to the organisation keeping the information for an extended period.
This requirement will impact upon the organisation’s general retention duties in terms of the Electronic Communications and Transactions Act No. 25 of 2002 and specific retention duties contained in various other pieces of legislation. The organisation must therefore consider compiling or, if one already exists, updating its document retention policy in order to ensure a coordinated approach to document retention that includes specific reference to the retention of records that contain personal information. It is important that the retention policy also formalises the organisation’s approach to the destruction and de-identification of personal information once it is no longer required. In terms of the Bill, records containing personal information must be destroyed or deleted in a manner that prevents their reconstruction in an intelligible form. This implies that certain practices, such as the formatting of hard drives, may not be adequate to ensure compliance with the Bill, since information contained on hard drives is capable of being retrieved and reconstituted through digital recovery processes available to many organisations.
It is worth repeating that the identification, specification and notification of the purpose for which personal information is processed provides the context for the application of many of the other principles in the Bill. Once the purpose has been identified, the personal information may generally only be processed insofar as it is necessary for the fulfilment of that purpose. Therefore it would be helpful for the elements of Principle 3 to be borne in mind when considering the impact of the remaining information protection principles which will be covered in greater detail over the next few months.
Applying Principle 3 to your organisation
Below are a few questions that can assist in determining how ready your organisation is to begin dealing with the implications of Principle 3:
- What are all the purposes for which your organisation collects personal information?
- Does your organisation classify personal information in terms of the purposes for which it is processed?
- Does your organisation inform relevant persons about the specific purposes for which their personal information is required?
- Does your organisation clearly identify the names and categories of all people/organisations to whom the information will be supplied?
- When and how does your organisation inform relevant persons of the purposes for which their personal information is required? For example, consider updating of application forms, call centre scripts, employee on-boarding forms etc.
- Does your organisation offer relevant persons the opportunity to restrict the purposes for which their personal information will be processed?
- Does your organisation offer relevant persons the opportunity to object to the recipients to whom the personal information will be supplied?
- Does your organisation have a document retention policy?
- Does your organisation’s document retention policy make provision for the retention of records containing personal information?
- What is your organisation’s process for destroying and/or de-identifying records at the end of the retention period?
- Does your organisation inform relevant persons about the duration for which the records will be retained and how these records will be destroyed at the end of the retention period?
- Does your organisation inform relevant persons if it needs to retain the documents for a longer period than initially contemplated?