The South African Protection of Personal Information Act, 2013 (POPI), which protects the processing of personal information by public and private bodies, is much like similar UK and EU legislation. It was signed into law in November 2013 but is not in full effect yet. Once the Act is made effective, companies will be given a year’s grace to comply with the Act, unless this period is extended as allowed by the Act.
POPI forces companies to rethink the way they access, collect, store and use the personal information of all those they interact with, including employees and clients.
POPI aims to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing personal information by holding them accountable should they abuse or compromise your personal information in any way.
POPI prioritises the owner’s right to privacy over the right to information and affords the owner the ability to exercise control over when and how personal information is shared, the type of information shared, who has access to this information and so forth.
Enter social media platforms
Social media platforms and the like are a melting-pot of personal information and in a digital age, social media provides the tools to access this personal information, collect it, process and store it.
But how do the rules of POPI apply to companies making use of social media platforms to run their businesses?
The general rule of POPI is that personal information must be collected directly from the data subject and may only be processed with the consent of the data subject. Information may be used where it is necessary to comply with a legal obligation, public law duty or contractual obligation.
However, if a person makes the information publicly accessible, for example, by failing to ensure that their privacy settings are heightened on social media, one does not need the data subject’s consent to process the information.
Examples of “personal information” for an individual includes ID numbers, email addresses, marital status, criminal record, private correspondence, membership in trade unions and other organisations.
If a person submits a contest or sweepstakes entry or fills out a form online and that company for instance, collects the information, once the information collected is used for the purpose intended, it must be destroyed. Further it must not to be disseminated further without consent.
POPI aims to protect an individual’s Constitutional right to privacy, but individuals are urged not to compromising their personal information by sharing it with unfettered discretion in the digital public domain. Modern technology makes it easy to access, collect and process high volumes of data at high speeds. This information can then be sold, used for further processing and /or applied towards other ends. In the wrong hands such processing can cause irreparable harm to individuals and companies.
To protect an individual’s right to privacy and to avoid the abuse of your information, the South African legislature felt that data protection legislation was necessary even if it meant imposing some social limits to balance the technological progress. The legislature essentially took the position that if a social media user does not want personal data compromised, the user must treat such data with the level of confidentiality and privacy the user believes is appropriate and to be cautious about the platforms on which it is shared.