One of the conditions for lawful processing under the Protection of Personal Information Act, 2013 (“POPIA”) is “openness”, which can be said to rest on two “pillars”. The purpose of this condition is to ensure that data subjects are fully apprised of all processing of their personal information and are informed of their right of access, their right to object to processing and their right to lodge a complaint with the Information Regulator, so that the protections afforded to data subjects under POPIA can be exercised effectively. A data subject who is unaware that a responsible party is processing its personal information is in no position to exercise its right to object to that processing.
Pillar 1 - Privacy Notice
According to section 18 of POPIA, where organisations (being responsible parties) collect and process personal information of data subjects, they are required to take reasonably practicable steps to inform data subjects of certain prescribed information, including:
- the details of the responsible party;
- the purpose for processing;
- categories of personal information collected and processed;
- the source of the collection;
- certain of the rights of the data subjects; and
- whether any personal information will be transferred to a third country.
As POPIA is not prescriptive on the manner and form in which compliance with section 18 is to be achieved, organisations in South Africa adopted various methods, including drafting new policies or revising GDPR-style privacy policies, statements and/or notices in the lead-up to the 1 July 2021 deadline for compliance with POPIA.
Pillar 2 - PAIA Manual
There is, however, a much-neglected sibling of the privacy notice, being the other pillar of the “openness” condition: the PAIA Manual. A PAIA Manual is the manual that public and private bodies are required to compile in terms of the Promotion of Access to Information Act, 2000 (PAIA). Its purpose is to provide a process by which requesters (being members of the public) may access information and/or records held by a public or private body. As a consequence of the enactment of POPIA, the prescribed contents of a PAIA Manual were adjusted to align with POPIA, including an obligation to maintain a record of the organisation’s processing activities in the manual. This means that even organisations which already maintained a PAIA Manual are required to revise it to account for the additional requirements introduced by the amendments to PAIA, for example by including the details of the organisation’s information officer and deputy information officers.
Notwithstanding many organisations’ efforts to implement privacy notices/policies and PAIA Manuals, compliance with the openness condition requires ongoing maintenance. Such is the Sisyphean task of regulatory compliance. It is, therefore, important not only to compile a PAIA Manual and prepare privacy notices disclosing the information prescribed by section 18 of POPIA, but also to ensure that those disclosures remain current and reflect all processing activities conducted by the organisation at any given time. To achieve ongoing compliance, we recommend that an organisation puts in place an internal procedure for an annual review of its privacy notices/policies and PAIA Manual, together with an ad hoc update whenever a materially new processing activity is introduced, for example a new technology or line of service.
Data Subject Rights
Whilst organisations are focused on achieving compliance with the openness condition, a separate but related obligation is to ensure that the rights granted to data subjects under POPIA and PAIA (as disclosed in the privacy notices/policies and PAIA Manuals) are enforceable and capable of effective exercise, through internal operating procedures. This means that where an organisation advises data subjects that they have a right to access information or to object to processing activities, the organisation should have an internal process governing the handling of such requests, including a response procedure and timeline, and a mechanism to retrieve, extract and/or restrict the processing of the information in an appropriate manner, so as to give effect to the request in accordance with POPIA and PAIA. From a practical perspective, this process generally requires involvement from:
- the legal and compliance team - to verify and check the validity and legality of a request and consider the potential basis for objecting to such request;
- the information technology teams - to assist with extraction of data; and
- the access/contact point - as this is usually the originating point of the request.
Organisations should be aware that, without a formalised procedure, there is a real risk that employees will respond to data subject requests inconsistently and without appropriate oversight, leading to potential unlawful disclosures of information.
A practical solution for organisations to manage this risk and ensure compliance with the provisions of POPIA and PAIA is to implement a data subject rights policy or operating procedure, which details:
- the applicable data subject rights in law;
- the practical steps to be followed for receiving, responding and giving effect to a request; and
- the escalation procedures for certain types of requests.
Whilst POPIA and PAIA place a burden on responsible parties to disclose and advise data subjects about the organisation’s processing activities, such disclosures would be hollow, and the organisation would fall foul of the law, if it does not actually give effect to the conditions for lawful processing and comply with its corresponding obligations.
- There are two pillars to the “openness” condition – a privacy notice and a PAIA manual;
- Privacy notices or policies are useful tools in ensuring compliance with POPIA’s section 18 notification requirements;
- All organisations are required to implement and update their PAIA Manuals;
- A data subject rights policy or procedure is a useful tool to practically manage data subject requests and the exercise of data subject rights under PAIA and POPIA; and
- Implementing and maintaining a PAIA Manual, privacy notices or policies and data subject rights policy, does not automatically result in compliance with POPIA. In ensuring substantive compliance, organisations should always seek to give effect to the provisions of POPIA and PAIA.
Contact us if you require assistance with reviewing and refreshing PAIA Manuals and privacy notices, or advice on practical ways to give effect to data subject rights.