Remaining 5 of the 8 Conditions for lawful processing - Narrative
Welcome back to our Estate Agent clients to this, our fourth podcast in the series. Thank you for joining me again, Hayley.
Just to recap, last episode we looked at the definition of exactly what and who the Responsible Party is and who the Operator is. We also went through the first three Conditions for lawful processing that the Responsible Party needs to uphold, that is:
- 1 - Accountability
- 2 - Processing Limitation
- 3 - Purpose Specification
Today we are going to look at the remaining five Conditions of lawful processing:
- 4 - Further Processing Limitation
- 5 - Information Quality
- 6 - Openness
- 7 - Security Safeguards
- 8 - Data Subject Participation
Just to recap - Processing Limitation means that you are only allowed to process the data for the purpose that you collected it for. This means Further Processing Limitation outlines that anything else you do with that data must be compatible with the purposes for which you first collected that data.
That makes sense. If I give out my medical aid information about my health, it shouldn’t mean they can use that information to profile me for a Life Insurance product if I haven’t said they can. Is that right?
That’s right. You can use that information to do something in line with the purpose of your collection, but not something unrelated. Next up is Condition five, also a logical one, and that is Information Quality.
I guess that means you have to make sure the PI you collect is correct?
That’s exactly right. It’s your job as the Responsible Party to ensure it’s accurate, complete, not misleading, and updated where necessary, bearing in mind the purpose for which it was collected.
That’s all very reasonable and straightforward. What’s Condition six then?
Condition six is Openness and has two components. Firstly, if you’re working with PI you need to keep documentation of your processing operations and make this available to people in an accessible POPIA manual. Secondly, you need to notify them and make sure they’re aware of several things like what personal information you’re collecting, your name and address, the purpose you’re collecting it for, and who you’ll be sharing it with, if anyone, etc.
But surely if I’m getting information from someone they’ll be aware of it?
For Estate Agents they mostly will. Just check the full section of POPIA obligations to make sure you know what all your obligations are. Also, a note to our listeners that there are some exceptions to this section so again it’s wise to read it.
We’re on to Condition seven – what does that cover?
Condition seven is Security Safeguards. If you’re holding other people’s personal information, you have to make sure you can secure the integrity and confidentiality of that data. This means not leaving it lying around, making sure you lock your computer when you leave it, keeping your diary and phone inaccessible to others, and so on. You have to proactively identify all the risks, internally and externally, that could result in inappropriate access to the data, and put in place measures to protect it. This obligation to keep the personal information secure and confidential applies to both Responsible Parties and Operators.
So this isn’t just about making sure Estate Agents have a security scanning program on their laptops?
No, it’s much broader than that. You need to ensure holistically that anybody who doesn’t have the right to see that data doesn’t and can’t access that data in any form.
So for example, Estate Agents can’t leave a Showday Register at the front door for people to complete as they visit. Is that what you mean?
If people visiting the house can see the names and phone numbers of other people who have visited, either on a piece of paper or digital record, then yes, you’re breaching POPIA, strictly speaking. But this is easy to remedy – instead of having a register, you would simply have each visitor complete a separate form and then keep the forms secure and out of sight. And to jump back to a previous Condition, you will also have to consider the content of the Showday Register – what information is absolutely required to be collected, considering the purpose of the register and not collect anything more.
That does make sense but I guess there are many small habits that people will need to change to ensure everyone is keeping PI safe.
Yes, certainly. It helps to think of people’s PI as a precious asset. If you wouldn’t ask your clients to leave their wedding ring lying around unattended on a Showday Register, then you shouldn’t ask them to leave their data there either. Both are precious.
Great, thanks for that tip. It’s a useful way to think about how we should be handling people’s PI. Is there anything more to cover under Security Safeguards?
Yes, two more things. Firstly, it’s the Responsible Party’s job to make sure that there’s a written contract in place between them and any operator who needs to process that data on their behalf. And this contract needs to bind the Operator to the same levels of security that the Responsible Party has to comply with. The Operator is compelled to treat the Personal Information with confidence and only process it with the authorization of the Responsible Party. And finally, the Act specifies how people and companies must notify the regulator and the Data Subject if there is a breach, and I strongly suggest that anyone or any company handling lots of Personal Information makes sure they are aware of these responsibilities proactively.
Yes, it makes sense to have an established process, policy document or the like, so that if there’s a breach you’re not starting from the very beginning in terms of understanding your obligations.
I totally agree, and that applies to several obligations under POPIA – being prepared is both smart and important.
So we’re left with one more – what is the eighth Condition?
That is Data Subject Participation. In a nutshell, people have the right to know whether a company or person holds their Personal Information. They also have a right to know what it has been used for and who it has been shared with. They also have the right to request changes to it if it is incorrect, and they have the right to ask the company or person to delete their personal information.
That’s very empowering for individuals.
Yes, and it can be fairly onerous for companies. But going back to the purpose of POPIA - which is to give people a say in how their personal information is used so that it doesn’t infringe on their privacy – it is a necessary part of the Act. And as with all the other Conditions, there are exclusions and a lot more detail so please read the relevant section of the Act to understand exactly what needs to change in your business.
That was a lot to digest.
Yes, there’s a lot of very important detail in the eight Conditions for Lawful Processing, and it’s the key part of the Act for all Responsible Parties to understand. If you’re addressing all eight Conditions, you’re probably doing a good job of staying on the right side of the law.
Thanks for another empowering session, Linda. I’m looking forward to the next one. I’d like to encourage our listeners to give us feedback and tell us what their main questions and concerns are so that we can try to address these in future episodes.
We’d really like to be able to help our clients with specific questions. So yes, I encourage our listeners and readers to please send us feedback so that we can see how best to help you. Until next time… goodbye.