Overview

  • Data subjects have the right to be notified about the collection and use of their personal information. This is a key transparency requirement under POPIA.
  • You must provide data subjects with information including: your purposes for processing their personal information, your retention periods for that personal information, and who it will be shared with. We call this ‘notification information’.
  • You must provide notification information to data subjects at the time you collect their personal information from them.
  • If you obtain personal information from other sources, you must provide data subjects with notification information within a reasonable period of obtaining the information and no later than one month.
  • There are a few circumstances when you do not need to provide people with notification information, such as if a data subject already has the information or if it would involve a disproportionate effort to provide it to them.
  • The information you provide to data subjects must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
  • It is often most effective to provide notification information to data subjects using a combination of different techniques including layering, dashboards, and just-in-time notices.
  • User testing is a good way to get feedback on how effective the delivery of your notification information is.
  • You must regularly review, and where necessary, update your notification information. You must bring any new uses of a data subject’s personal information to their attention before you start the processing.
  • Getting the right to be informed correct can help you to comply with other aspects of POPIA and build trust with data subjects, but getting it wrong can leave you open to complaints, settlements, fines and lead to reputational damage.


Checklist

What to provide

We provide data subjects with all the following notification information:

☐ The name and contact details of our organisation.

☐ The name and contact details of our responsible party (if applicable).

☐ The contact details of our information officer (if applicable).

☐ The purposes of the processing.

☐ The lawful basis for the processing.

☐ The legitimate interests for the processing (if applicable).

☐ The categories of personal information obtained (if the personal information is not obtained from the data subject it relates to).

☐ The recipients or categories of recipients of the personal information.

☐ The details of transborder flows of personal information (if applicable).

☐ The retention periods for the personal information.

☐ The rights available to data subjects in respect of the processing.

☐ The right to withdraw consent (if applicable).

☐ The right to lodge a complaint with the Information Regulator.

☐ The source of the personal information (if the personal information is not obtained from the data subject it relates to).

☐ The details of whether data subjects are under a statutory or contractual obligation to provide the personal information (if applicable, and if the personal information is collected from the data subject it relates to).

☐ The details of the existence of automated decision-making, including profiling (if applicable).


When to provide it

☐ We provide data subjects with notification information at the time we collect their personal information from them.

If we obtain personal information from a source other than the data subjects it relates to, we provide them with notification information:

☐ within a reasonable period of obtaining the personal information and no later than one month;

☐ if we plan to communicate with the data subject, at the latest, when the first communication takes place; or

☐ if we plan to disclose the data to someone else, at the latest, when the data is disclosed.


How to provide it

We provide the information in a way that is: 

☐ concise;

☐ transparent;

☐ intelligible;

☐ easily accessible; and

☐ written in clear and plain language.


Changes to the information

☐ We regularly review and, where necessary, update our notification information.

☐ If we plan to use personal information for a new purpose, we update our notification information and communicate the changes to individuals before starting any new processing.


Best practice – drafting the information

☐ We undertake an information audit to find out what personal information we hold and what we do with it.

☐ We put ourselves in the position of the people we’re collecting information about.

☐ We carry out user testing to evaluate how effective our notification information is.

Best practice – delivering the information

When providing our notification information to data subjects, we use a combination of appropriate techniques, such as:

☐ a layered approach;

☐ dashboards;

☐ just-in-time notices;

☐ icons; and

☐ mobile and smart device functionalities.

Briefly

What is the right to be notified and why is it important?

The right to be notified covers some of the key transparency requirements of POPIA. It is about providing data subjects with clear and concise information about what you do with their personal information.

Section 18 of POPIA specifies what data subjects have the right to be notified about. We call this ‘notification information’.

Using an effective approach can help you to comply with other aspects of POPIA, foster trust with data subjects and obtain more useful information from them.

Getting this wrong can leave you open to complaints, settlements, fines and lead to reputational damage.

What notification information should we provide?

The table below summarises the information that you must provide. What you need to tell data subjects differs slightly depending on whether you collect personal information from the data subjects directly or obtain it from another source.

What information do we need to provide?                                          | Collected from data subjects | Obtained from other sources
The name and contact details of your organisation                                | ✓                            | ✓
The name and contact details of the responsible party                            | ✓                            | ✓
The contact details of your information officer                                  | ✓                            | ✓
The purposes of the processing                                                   | ✓                            | ✓
The lawful basis for the processing                                              | ✓                            | ✓
The legitimate interests for the processing                                      | ✓                            | ✓
The categories of personal information obtained                                  |                              | ✓
The recipients or categories of recipients of the personal information           | ✓                            | ✓
The details of transborder flows of personal information                         | ✓                            | ✓
The retention periods for the personal information                               | ✓                            | ✓
The rights available to data subjects in respect of the processing               | ✓                            | ✓
The right to withdraw consent                                                    | ✓                            | ✓
The right to lodge a complaint with the Information Regulator                    | ✓                            | ✓
The source of the personal information                                           |                              | ✓
Whether data subjects are under a statutory or contractual obligation to provide the personal information | ✓ |
The details of the existence of automated decision-making, including profiling   | ✓                            | ✓

When should we provide notification information?

When you collect personal information from the data subject it relates to, you must provide them with notification information at the time you collect it.

When you obtain personal information from a source other than the data subject it relates to, you must provide the data subject with notification information:

  • within a reasonable period of obtaining the personal information and no later than one month;
  • if you use the personal information to communicate with the data subject, at the latest, when the first communication takes place; or
  • if you envisage disclosing it to someone else, at the latest, when you disclose it.

You must actively provide notification information to data subjects. You can meet this requirement by putting the information on your website, but you must make data subjects aware of it and give them an easy way to access it.

Are there any exceptions?

When collecting personal information from data subjects, you do not need to provide them with any information that they already have.

When obtaining personal information from other sources, you do not need to provide data subjects with notification information if:

  • the data subject already has the information;
  • providing the information to the data subject would be impossible;
  • providing the information to the data subject would involve a disproportionate effort;
  • providing the information to the data subject would render impossible or seriously impair the achievement of the objectives of the processing;
  • you are required by law to obtain or disclose the personal information; or
  • you are subject to an obligation of professional secrecy regulated by law that covers the personal information.

How should we draft our notification information?

An information audit or data mapping exercise can help you find out what personal information you hold and what you do with it.

You should think about the intended audience for your notification information and put yourself in their position.

If you collect or obtain children’s personal information, you must take particular care to ensure that the information you provide them with is appropriately written, using clear and plain language.

For all audiences, you must provide information to them in a way that is:

  • concise;
  • transparent;
  • intelligible;
  • easily accessible; and
  • written in clear and plain language.

It is good practice to carry out user testing on your draft notification information to get feedback on how easy it is to access and understand.

After it is finalised, undertake regular reviews to check it remains accurate and up to date.

If you plan to use personal information for any new purposes, you must update your notification information and proactively bring any changes to people’s attention.

What methods can we use to provide notification information?

There are a number of techniques you can use to provide people with notification information. You can use:

  • A layered approach – short notices containing key notification information that have additional layers of more detailed information.
  • Dashboards – preference management tools that inform people how you use their data and allow them to manage what happens with it.
  • Just-in-time notices – relevant and focused notification information delivered at the time you collect individual pieces of information about people.
  • Icons – small, meaningful, symbols that indicate the existence of a particular type of data processing.
  • Mobile and smart device functionalities – including pop-ups, voice alerts and mobile device gestures.

Consider the context in which you are collecting personal information. It is good practice to use the same medium you use to collect personal information to deliver notification information.

Taking a blended approach, using more than one of these techniques, is often the most effective way to provide notification information.

What common issues might come up in practice?

If you share personal information with (or sell it to) other organisations:

  • As part of the notification information you provide, you must tell data subjects who you are giving their information to, unless you are relying on an exception or an exemption.
  • You can tell people the names of the organisations or the categories that they fall within; choose the option that is most meaningful.
  • It is good practice to use a dashboard to let data subjects manage who their data is sold to, or shared with, where they have a choice.


If you buy personal information from other organisations:

  • You must provide data subjects with your own notification information, unless you are relying on an exception or an exemption.
  • You must carry out a personal information impact assessment to find ways to mitigate the risks of the processing to data subjects.
  • If your purpose for using the personal information is different to that for which it was originally obtained, you must tell data subjects about this, as well as what your lawful basis is for the processing.
  • Provide data subjects with your notification information within a reasonable period of buying the data, and no later than one month.


If you obtain personal information from publicly accessible sources:

  • You still have to provide data subjects with notification information, unless you are relying on an exception or an exemption.
  • You must carry out a personal information impact assessment to find ways to mitigate the risks of the processing to the data subjects.
  • You must request prior authorisation from the Information Regulator before combining information about data subjects from a number of different sources where this involves processing their unique identifiers for a purpose other than the one they were collected for, with the aim of linking them to information held by other responsible parties (section 57 of POPIA).
  • Provide data subjects with notification information within a reasonable period of obtaining the data, and no later than one month.


If you apply Artificial Intelligence (AI) to personal information:

  • Be upfront about it and explain your purposes for using AI.
  • If the purposes for processing are unclear at the outset, give data subjects an indication of what you are going to do with their information. As your processing purposes become clearer, update your notification information and actively communicate this to people.
  • Inform people about any new uses of personal information before you actually start the processing.
  • If you use AI to make solely automated decisions about data subjects with legal or similarly significant effects, tell them what information you use, why it is relevant and what the likely impact is going to be.
  • Consider using just-in-time notices and dashboards which can help to keep data subjects informed and let them control further uses of their personal information.