The elements of Openness are set out in clause 17 of the Protection of Personal Information (PPI) Bill. However in order to fully understand the impact of this principle, one must read clause 17 in conjunction with the requirements of Chapter 6 of the PPI Bill as well as the requirements of the Promotion of Access to Information Act 2 of 2000 (PAIA). This is perhaps the clearest example of how compliance with the PPI Bill may not effectively be achieved in isolation but will require an integrated approach within the context of other associated legislation currently in place.
Clause 17 contemplates two types of notification by organisations that process personal information, namely notification to the Regulator and notification to the data subject (the individual whose personal information is being processed). We will discuss each of these notifications in turn.
Notification to the Regulator
In terms of the PPI Bill, the responsibility for the monitoring and enforcement of compliance will rest with the Information Protection Regulator (the Regulator), an independent statutory body to be established once the legislation has been enacted.
Clause 17(1) provides that personal information may only be processed by an organisation that has notified the Regulator in terms of Chapter 6. Thus, in order to comply with clause 17(1), an organisation must also take cognisance of clauses 50 and 51 in Chapter 6 of the PPI Bill which set out the details of the notification that must be submitted to the Regulator.
Clause 50 requires the organisation to submit a notification to the Regulator before commencing the processing of personal information. In terms of clause 51, the notification must contain the following details:
- the name and address of the organisation
- the purpose for which the organisation will be processing the personal information
- a description of the categories of data subjects/individuals whose personal information will be processed
- a description of the actual personal information or categories of personal information that will be processed
- the recipients or categories of recipients to whom the personal information could be supplied
- details of any planned transfers of personal information outside of South Africa
- a general description of the information security measures to be taken by the organisation to ensure the confidentiality, integrity and availability of the personal information to be processed. (The security safeguard obligations of the organisation will be discussed in greater detail under Principle 7 in the next edition of Don’t Trip Up.)
The organisation will only have to notify the Regulator of the above once and not each time that personal information is being processed. However, if there is a change to the organisation’s name or address, the organisation must notify the Regulator within a week of the change. In addition, if there is a change to any of the other particulars listed in clause 51, the organisation must inform the Regulator within a year of the previous notification. The Regulator is empowered to prescribe further conditions for the format and/or details of the notification through the publishing of Regulations in the future. The Regulator may also exempt certain categories of processing from the notification requirement.
It must be noted that the Regulator to be established in terms of the PPI Bill will also be appointed to oversee and enforce compliance with the requirements of the PAIA. Therefore, if an organisation has already compiled and made available an access to information manual in terms of the PAIA, the organisation will not have to comply separately with clause 17(1) of the PPI Bill, provided that the PAIA manual already contains the information listed in clause 51. In future, any updates to the PAIA manual will have to be communicated to the Regulator established under the PPI Bill and no longer to the South African Human Rights Commission (the current custodian of the PAIA).
If an organisation fails to notify the Regulator in terms of clause 50, or fails to comply with any future Regulations relating to the notification published by the Regulator, the organisation will be guilty of an offence and liable to a fine or imprisonment under the PPI Bill.
Notification to the data subject
Clause 17(2) requires an organisation to also notify the individual whose personal information is being processed. If the personal information is collected directly from the individual, then the notification must take place before the collection. In any other case, the organisation must ensure that the notification takes place as soon as reasonably practicable after the collection of the personal information.
Clause 17 does not prescribe a format for the notification. However it does require that the organisation must take “reasonably practicable steps” to ensure that the individual is made aware of the details prescribed in clause 17(2). It is contemplated that details regarding the form and manner of the notification will be contained in future Regulations to be published by the Regulator once it has been established.
In terms of clause 17(2), the organisation must notify the individual of the following:
- the personal information being collected
- the name and address of the organisation
- the purpose for which the information is being collected
- whether the supply of the information by that individual is voluntary or mandatory (e.g. required in terms of other legislation or required for the performance of a legal agreement)
- the consequences of the failure to provide the information
- any particular law authorising or requiring the collection of the information
- information regarding the recipients or category of recipients of the information
- the existence of the rights of access to and rectification of the information being collected. (The rights of individuals relating to accessing and rectifying their personal information will be discussed in detail under Principle 8: Data Subject Participation.)
The extent of compliance with the above notification requirement is likely to determine the adequacy of the consent obtained from individuals for the processing of their personal information. Failure to notify the individual of one or more of the details listed above may result in any consent obtained being found to be insufficient in the circumstances.
The organisation will not have to comply with the data subject notification requirement in certain situations, including the following:
- if the individual consents to the non-compliance or the non-compliance will not be prejudicial to the individual
- if non-compliance is necessary for the maintenance of law and order or in the interests of national security
- if non-compliance is necessary to enforce legislation administered by the South African Revenue Service (SARS)
- if compliance is not reasonably practicable in the circumstances of the particular case (e.g. in the case of an emergency)
- if the information will be used in such a way that the individual will not be identified or for historical, statistical or research purposes.
Much of the detail regarding the manner and form of the notifications described above will likely be contained in Regulations and/or further guidance notes issued by the Regulator. Full compliance with the provisions of Principle 6 will therefore not be practically possible until after the legislation has been enacted. However, it is recommended that in the meantime organisations begin assessing their compliance with current legislation, such as the PAIA, which will be impacted by the enactment of the PPI Bill.
To ensure that the notifications described above contain the requisite information in terms of the PPI Bill, an organisation may want to commence with the identification and collation of certain information such as:
- the types of personal information collected by the organisation
- the purposes for which the information is processed
- the recipients and/or categories of recipients to whom personal information is disclosed (including recipients outside of South Africa)
- an assessment of the security measures in place to protect the personal information that is processed by the organisation
- an analysis of any other legislation that requires the organisation to collect, use, store or disclose personal information, including the retention periods contained therein.
The above exercise is meant to assist the organisation in determining which processes still need to be updated or modified in order to ensure adequate compliance once the PPI Bill is finally enacted. This is likely to make compliance with the legislation less onerous in the long term.
Applying Principle 6 to your organisation
Below are a few questions that can assist in determining how ready your organisation is to begin dealing with the implications of Principle 6:
- Does your organisation have a formal process for notifying individuals before processing personal information?
- Does your organisation have a formal process for notifying the Regulator before processing personal information (applicable only after enactment of the legislation)?
- Do your notifications contain the specific information required in clause 17 of the PPI Bill?
- Has your organisation compiled a manual and made it available in terms of the Promotion of Access to Information Act?
- Does your organisation regularly review and/or update the manual?
- Is the manual available on your organisation’s website?
- Who in your organisation is responsible for liaising with the Regulator in terms of the Promotion of Access to Information Act?
- Does your organisation use personal information for historical, statistical or research purposes?
- Has your organisation identified all the relevant legislation which requires the collection, storage or disclosure of personal information for various purposes?
- Does your organisation have a document retention policy setting out the statutory retention periods applicable to various categories of information held by the organisation?
- Does your organisation conduct regular assessments of the security mechanisms in place to protect the confidentiality, integrity and availability of personal information?