South Africa

Details

  • Service: Advisory, Tax
  • Type: Business and industry issue
  • Date: 2010/06/01

Protection of Personal Information Act (POPI)

The KPMG POPI Centre of Excellence is focussed on bringing solutions to our clients which are uncomplicated and, of primary importance, make business sense.

The Protection of Personal Information Bill – Principle 5: Information Quality 

Clause 16 of the Bill sets out, in general terms, the responsibility of organisations to ensure and maintain the quality of the personal information that they process. The responsibility is articulated as follows:


The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary. In taking the steps referred to . . . the responsible party must have regard to the purpose for which personal information is collected or further processed.

Despite the apparent simplicity of its wording, the practical implementation of this requirement is likely to be onerous, particularly for larger organisations. Clause 16 is clear as to what constitutes “quality”, namely completeness, accuracy, truth and timeliness. However, it does not go far enough in explaining how organisations are meant to ensure adequate compliance with the principle. Organisations are required to take “reasonably practicable steps”. Neither “reasonableness” nor “practicality” is defined in the Bill. As a result, what is “reasonable” or “practicable” is going to depend largely on the circumstances of a particular organisation or industry.


Generally, compliance with this principle will require all organisations to continually assess and evaluate not only the nature of the personal information that they hold, but also any changes to the purposes for which they originally collected the information. This highlights a linkage to the earlier principle of “Purpose Specification”. A change in circumstances or a failure by an organisation to keep information up-to-date could result in information that was originally adequate for a particular purpose becoming inadequate. Once the information is inadequate for its purpose or if the purpose no longer exists, the organisation may no longer process that information.

When looking at “reasonableness”, organisations may have to consider whether collection directly from the affected individual would be sufficient to indicate that they have done all they reasonably could to ensure the accuracy of the information. Alternatively, organisations may decide that they want to go a step further and independently verify the accuracy of any personal information collected. The practicalities of the latter approach could prove to be overly onerous. Organisations may first want to assess the likely prejudice that would be caused to individuals because of a particular inaccuracy before deciding which approach to adopt.

A further challenge to ensuring compliance with this principle could arise in organisations that collect personal information through different mediums, e.g. telephonically, by post and by e-mail. Such organisations would have to ensure that relevant mechanisms are in place to manage the quality of information irrespective of the source. It is likely that the more successful attempts to manage compliance with this principle will involve regular and specific communications with employees and customers directly. It will be important for organisations to clearly inform affected individuals of their right to request corrections and/or updates to any personal information held about them, including the way in which they can go about doing this, e.g. change in particulars forms, customer call centres, website account profiles, etc. It would then be up to the individuals themselves to use these mechanisms to help ensure that the quality of information held by organisations is in line with the standards contained in the legislation.

The rights of affected individuals in this regard will be discussed in greater detail under Principle 8, namely “Data Subject Participation”.

Applying Principle 5 to your organisation


Below are a few questions that can assist in determining how ready your organisation is to begin dealing with the implications of Principle 5:

  • Does your organisation have a process for checking the accuracy and completeness of records containing personal information?
  • Does your organisation have a process to deal with complaints relating to the timeliness and accuracy of personal information?
  • Does your organisation provide the opportunity to individuals to periodically verify and update their personal information?
  • How and when are individuals made aware of these processes?
  • Does your organisation have a process for monitoring and tracking updates to personal information?
  • Who is responsible in your organisation for ensuring that records containing personal information remain relevant, accurate and up-to-date?

Contact
Farzana Badat
Regulatory Compliance
Tel: +27 (0)11 647 5576
farzana.badat@kpmg.co.za