Overview

  • You must ensure that you do not do anything with personal information in breach of any other laws. (You should maintain a register of laws applicable to your processing of personal information.)
  • You must identify valid grounds under POPIA (known as a ‘lawful basis’) for collecting and using personal information.
  • You must use personal information in a way that is fair. This means you must not process personal information in a way that is unduly detrimental, unexpected or misleading to the data subjects concerned.
  • You must be clear, open and honest with people from the start about how you will use their personal information.
  • You must ensure the personal data you are processing is:
    • adequate – sufficient to properly fulfil your stated purpose;
    • relevant – has a rational link to that purpose; and
    • not excessive – you do not hold more than you need for that purpose.
  • Personal information should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
  • Personal information must be collected directly from the data subject, except if a legal basis exists to collect the information indirectly.

 

Checklist

Lawfulness

☐ We have identified an appropriate lawful basis (or bases) for all our processing of personal information and have stopped processing without a lawful basis.

☐ Our processing complies with the obligations imposed by law.

☐ When our processing is based on legitimate interest, we have documented our justification.

☐ If our processing is based on consent, we have proof for the data subject or competent person's consent.

☐ We have stopped processing personal information when data subjects have objected or withdrawn their consent.

☐ If we are processing special personal information, we have identified an authorisation for processing this type of information.

☐ We limit our collection of personal information from a source other than the data subject to cases where it would not prejudice a legitimate interest of the data subject, or where an exemption applies.

Fairness

☐ We are processing personal information in a reasonable manner for which there is no less intrusive way to achieve the same result.

☐ We have considered how the processing may affect the data subjects concerned and can justify any adverse impact.

☐ We only handle data subjects' information in ways they would reasonably expect, or we can explain why any unexpected processing is justified.

☐ We are careful not to confuse processing that is necessary for the stated purpose with processing that is only necessary because of our chosen method of pursuing that purpose.

☐ We do not deceive or mislead data subjects when we collect their personal information.

Minimality

☐ We are clear about the purpose when we process personal information, and given the purpose for which it is processed, we are certain the processing is adequate, relevant and not excessive.

☐ We only collect personal information we actually need for our specified purposes.

☐ We have sufficient personal information to properly fulfil those purposes.

☐ We periodically review the information we hold, and delete anything we don’t need.

 

Briefly

What is the processing limitation condition?

POPIA says: 

“Section 9. Personal information must be processed—

(a) lawfully; and

(b) in a reasonable manner that does not infringe the privacy of the data subject.”


“Section 10. Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.”

It’s not enough to show your processing is lawful if it is fundamentally unfair to, or hidden from, the data subjects concerned.

Given the purpose for which personal information is processed, it may only be processed if it is adequate, relevant and not excessive.

 

What does ‘lawfully’ mean?

For processing of personal information to be lawful, you need to identify specific grounds for the processing. There are six options which depend on your purpose and your relationship with the data subject. There are also specific additional conditions for processing some especially sensitive types of personal information.

If no lawful basis applies then your processing will be unlawful and in breach of this condition.

Lawfulness also means that you don’t do anything with the personal information which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offence, it will obviously be unlawful. However, processing may also be unlawful if it results in:

  • a breach of a duty of confidence;
  • your organisation exceeding its legal powers or exercising those powers improperly;
  • an infringement of copyright;
  • a breach of an enforceable contractual agreement;
  • a breach of industry-specific legislation or regulations; or
  • a breach of the Bill of Rights.

Although processing personal information in breach of copyright or industry regulations (for example) will involve unlawful processing in breach of this condition, this does not mean that the Regulator can pursue allegations which are primarily about breaches of copyright, financial regulations or other laws outside their remit and expertise as Information Regulator.

What is adequate, relevant and not excessive?

Processing of personal information must always be fair as well as lawful. If any aspect of your processing is unfair you will be in breach of this condition – even if you can show that you have a lawful basis for the processing.

You should identify the minimum amount of personal information you need to fulfil your purpose. You should hold that much information, but no more.

The accountability condition means that you need to be able to demonstrate that you have appropriate processes to ensure that you only collect and hold the personal information you need.

Assessing whether the information you are processing is adequate, relevant and not excessive depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal information is obtained, then this is unlikely to be fair.

In order to assess whether or not the personal information you are processing is adequate, relevant and not excessive, you must consider more generally how it affects the interests of the people concerned – as a group and individually. If you have obtained and used the information fairly in relation to most of the people it relates to but unfairly in relation to one individual, there will still be a breach of this condition.

To assess whether you are holding the right amount of personal information, you must first be clear about why you need it.

For special category information or criminal offence information, it is particularly important to make sure you collect and retain only the minimum amount of information.

You may need to consider this separately for each data subject, or for each group of data subjects sharing relevant characteristics. You should in particular consider any specific factors that a data subject brings to your attention – for example, as part of an objection, a request for rectification of incomplete data, or a request for erasure of unnecessary data.

You should periodically review your processing to check that the personal data you hold is still relevant and adequate for your purposes, and delete anything you no longer need.

Personal information may sometimes be used in a way that negatively affects an individual without this necessarily being unfair. What matters is whether or not such detriment is justified.

Example

Where personal information is collected to assess tax liability or to impose a fine for breaking the speed limit, the information is being used in a way that may cause detriment to the individuals concerned, but the proper use of personal information for these purposes will not be unfair.

An employer holds details of the blood groups of some of its employees. These employees do hazardous work and the information is needed in case of accident. The employer has in place safety procedures to help prevent accidents so it may be that this data is never needed, but it still needs to hold this information in case of emergency.

If the employer holds the blood groups of the rest of the workforce, though, such information is likely to be irrelevant and excessive as they do not engage in the same hazardous work.

If you are holding more data than is actually necessary for your purpose, this is likely to be unlawful (as most of the lawful bases have a necessity element) as well as a breach of the data minimisation condition. Data subjects will also have the right to erasure.

When could we be processing inadequate personal information?

If the processing you carry out is not helping you to achieve your purpose, then the personal information is probably inadequate. You should not process personal information if it is insufficient for its intended purpose.

In some circumstances you may need to collect more personal information than you had originally anticipated using, so that you have enough information for the purpose in question.

What is consent, justification and objection?

Personal information may only be processed if—

  • the data subject (or a competent person where the data subject is a child) consents to the processing;
  • processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
  • processing complies with an obligation imposed by law on you;
  • processing protects a legitimate interest of the data subject;
  • processing is necessary for the proper performance of a public law duty by a public body; or
  • processing is necessary for pursuing your legitimate interests or those of a third party to whom you have supplied the information.

A data subject may object, at any time, to the processing of personal information—

  • using the prescribed form, on reasonable grounds relating to his, her or its particular situation, unless there is legislation that provides for such processing; or
  • for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications.

If a data subject has objected to the processing of personal information, you may no longer process the data subject's personal information.

 

What is collection directly from data subject?

Personal information must be collected directly from the data subject, except as otherwise provided for below.

It is not necessary to collect personal information directly from the data subject if:

  • the information is contained in or derived from a public record (keep in mind the original purpose for which it was made public);
  • the data subject has deliberately made the information public (keep in mind the purpose for doing so);
  • the data subject has consented to the collection of the information from another source (with evidence of consent being retained);
  • collection of the information from another source would not prejudice a legitimate interest of the data subject;
  • collection of the information from another source is necessary—
    • to avoid prejudice to the maintenance of the law by any public body;
    • to comply with an obligation imposed by law;
    • for the conduct of proceedings in any court or tribunal;
    • in the interests of national security; or
    • to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
  • compliance would prejudice a lawful purpose of the collection; or
  • compliance is not reasonably practicable in the circumstances of the particular case.

What about the adequacy and relevance of opinions?

A record of an opinion is not necessarily inadequate or irrelevant personal data just because the individual disagrees with it or thinks it has not taken account of information they think is important.

However, in order to be adequate, your records should make clear that the entry is an opinion rather than a fact. The record of the opinion (or of the context in which it is held) should also contain enough information to enable a reader to interpret it correctly. For example, it should state the date and the author’s name and position.

If an opinion is likely to be controversial or very sensitive, or if it will have a significant impact when used or disclosed, it is even more important to state the circumstances or the evidence it is based on. If a record contains an opinion that summarises more detailed records held elsewhere, you should make this clear.

Example

A GP's record may hold only a letter from a consultant and it will be the hospital file that contains greater detail. In this case, the record of the consultant’s opinion should contain enough information to enable detailed records to be traced.