Overviewpopi_compliance_monitoring

  • Openness requires you to maintain the documentation of all processing operations under your responsibility. This documentation is to cover all the processing that's purpose, data subjects and categories of information is recorded in your PAIA manual (as per PAIA Section 51(2)(c)).   
  • You are required to take reasonably practicable steps to ensure data subjects are aware of: 
    • personal information being collected and the source from which it is collected;
    • name and address of the responsible party;
    • purpose for which the information is being collected;
    • whether or not the supply of the information by that data subject is voluntary or mandatory;
    • consequences of failure to provide the information;
    • any particular law authorising or requiring the collection of the information;
    • any planned transfer of personal information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
    • any further information such as the—
      • recipient or category of recipients of the information;
      • nature or category of the information;
      • existence of the right of access to and the right to rectify the information collected;
      • existence of the right to object to the processing of personal information; and
      • right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator.
  • If you collect personal information directly from the data subject, you must make data subjects aware of the above before the information is collected, unless the data subject is already aware of the information;  
  • If you collect personal information directly from the data subject, you must make data subjects aware of the above before the information is collected or as soon as reasonably practicable after it has been collected.   
  • If you have previously taken the steps make data subjects aware of the above, you don't have to do so for the subsequent collection of similar information if the purpose of collection of the information remains the same.   

 

Checklist

☐ We maintain the documentation of all processing operations under our responsibility, including the processing performed by our operators.

We have informed data subjects of:

☐ personal information being collected and the source from which it is collected;

☐ name and address of the responsible party;

☐ purpose for which the information is being collected;

☐ whether or not the supply of the information by that data subject is voluntary or mandatory;

☐ consequences of failure to provide the information;

☐ any particular law authorising or requiring the collection of the information;

☐ where applicable, the responsible party intends to transfer the information to a third

☐ We review and update our transparency measures at appropriate intervals.

 

Briefly

What is openness?

Openness is about making it easy for the data subject to know and understand whether, by whom and for what purpose personal information relating to him, her or it are being collected. Data subjects are the owners of their personal information and have a constitutional right to control this information. Without transparency regarding the use of personal information, it is difficult for data subjects to exercise control over their personal information.

Why is openness important?

The constitution gives data subjects a number of rights regarding the processing of their personal information, To be in a position to exercise these rights, the data subject needs to understand how personal information is being processed. 

POPIA says:

"A responsible party must maintain the documentation of all processing operations under its responsibility."

What do we need to do?

Document.our processing operations. A systematic description of the processing of personal information is required. The  operation or set of operations which is performed on personal information or on sets of personal information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction must be documented.

That record shall contain all of the following information:

  1. the name and contact details of the responsible party and, where applicable, the joint responsible party and the information officer;
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal information;
  4. the categories of recipients to whom the personal information have been or will be disclosed including recipients in third countries or international organisations;
  5. where applicable, transfers of personal information to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
  6. where possible, the envisaged time limits for retention of the different categories of data;
  7. where possible, a general description of the technical and organisational security measures referred to in Section 19.

Each operator and, where applicable, the operator’s subcontractors shall maintain a record of all categories of processing activities carried out on behalf of a responsible party, containing:

  1. the name and contact details of the operator or operators and of each responsible party on behalf of which the operator is acting, and the operator’s information officer;
  2. the categories of processing carried out on behalf of each responsible party;
  3. where applicable, transfers of personal information to a third country or an international organisation, including the identification of that third country or international organisation and documentation of suitable safeguards;
  4. a general description of the technical and organisational security measures referred to in Section 19.