Overviewpopi_compliance_monitoring

  • Section 71 of POPIA has provisions on:
    • decision-making which results in legal consequences for data subjects, or which affects him, her or it to a substantial degree.
    • automated processing of personal information intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.
  • You can only carry out this type of decision making where the decision is:
    • necessary for the conclusion or execution of a contract and the request of data subject in terms of the contract are met or appropriate measures have been taken to protect the data subject’s legitimate interests;
    • governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.
  • You must identify whether any of your processing falls under Section 71 and, if so, make sure that you:
    • provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make representations;
    • provide an opportunity for a data subject to make representations about a decision which is based solely on the basis of the automated processing of personal information;
    • introduce simple ways for them to request human intervention or challenge a decision;
    • carry out regular checks to make sure that your systems are working as required.

 

Checklist

All automated decision making and profiling

To comply with POPIA...

☐ We have a lawful basis to carry out profiling and/or automated decision-making and it is documented in our data protection policy.

☐ We send data subjects a link to our privacy notice/statement when we have obtained their personal data indirectly.

☐ We explain how data subjects can access details of the information we used to create their profile.

☐ We tell data subjects who provide us with their personal data how they can object to profiling, including profiling of performance at work, credit worthiness, reliability, location, health, personal preferences or conduct.

☐ We have procedures for customers, staff and other data subjects to access the personal information input into the profiles so they can review and edit for any accuracy issues.

☐ We have additional checks in place for our profiling/automated decision-making systems to protect any vulnerable groups (including children).

☐ We only collect the minimum amount of data needed and have a clear retention policy for the profiles we create.

As a model of best practice...

☐ We carry out a personal information impact assessment to consider and address the risks before we start any new automated decision making or profiling.

☐ We tell our customers, staff and other data subjects about the profiling and automated decision-making we carry out, what information we use to create the profiles and where we get this information from.

☐ We use anonymised data in our profiling activities.

Solely automated decision making, including profiling with legal or similarly significant effects or affects a data subject to a substantial degree(Section 71)

To comply with the POPIA...

☐ We carry out a personal information impact assessment to identify the risks to data subjects, show how we are going to mitigate the risks and what measures we have in place to meet POPIA requirements.

☐ We carry out processing under Section 71 for contractual purposes and we can demonstrate why it’s necessary.

OR

☐ We carry out processing under Section 71 because we have the data subject’s explicit consent recorded. We can show when and how we obtained consent. We tell data subjects how they can withdraw consent and have a simple way for them to do this.

OR

☐ We carry out processing under Section 71 because we are authorised or required to do so. This is the most appropriate way to achieve our aims.

☐ We don’t use special category data in our automated decision making systems unless we have a lawful basis to do so, and we can demonstrate what that basis is. We delete any special category data accidentally created.

☐ We explain that we use automated decision making processes, including profiling. We explain what information we use, why we use it and what the effects might be.

☐ We have a simple way for people to ask us to reconsider an automated decision.

☐ We have identified staff in our organisation who are authorised to carry out reviews and change decisions.

☐ We regularly check our systems for accuracy and bias and feed any changes back into the design process.

As a model of best practice...

☐ We use visuals to explain what information we collect/use and why this is relevant to the process.

☐ We have committed to a set of ethical principles to build trust with our customers. This is available on our website and on paper.

 

Briefly

What is required?

  • Profiling complies with the obligations specifically defined in POPIA.
  • You are required to give data subjects specific information about automated decision making, including profiling.
  • Solely automated decision-making, including profiling with legal or similarly significant effects, is restricted.
  • Restrictions on using special category and children’s personal data.

What is automated decision making and profiling?

Automated decision making is a decision made by automated means without any human involvement.

Examples of this include:

  • an online decision to award a loan;
  • selecting a supplier;
  • recommending an invest; and
  • a recruitment aptitude test which uses pre-programmed algorithms and criteria.

Automated individual decision-making does not have to involve profiling, although it often will do.

Profiling is:

“Any form of automated processing of personal information consisting of the use of personal information to evaluate certain issues relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including to analyse or predict aspects concerning that natural or juristic person’s performance at work, health, preferences, interests, reliability, ethics, behaviour, conduct, location or movements, economic situation or credit worthiness.”

Organisations obtain personal information about natural and juristic persons from a variety of different sources. Internet searches, financial statements, buying habits, lifestyle and behaviour data gathered from mobile phones, social networks, video surveillance systems and the Internet of Things are examples of the types of data organisations might collect.                             

Information is analysed to classify people, companies and other juristic persons into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for natural and juristic persons.

Based on the traits of others who appear similar, organisations use profiling to:

  • find something out about individuals and companies’ preferences;
  • predict ethics, conduct or behaviour;
  • predict fraudulent behaviour;
  • predict service quality and reliability;
  • predict productivity;
  • predict buying habits;
  • forecast financial and corporate performance;
  • predict share price performance;
  • predict financial failure;
  • predict staff likely to leave company's employment;
  • hire a job applicant;
  • procure services;
  • serve an online advertisement;
  • make decisions about suppliers and service providers;
  • make decisions about hotels and restaurants;
  • make decisions about research and development;
  • make financing decisions;
  • make decisions about investments; and/or
  • make other decisions about data subjects.

This can be very useful for organisations and individuals in many sectors, including healthcare, education, financial services and marketing.

Automated decision making and profiling can lead to quicker and more consistent decisions. But if they are used irresponsibly there are significant risks for data subjects. POPIA's provisions are designed to address these risks.

What does POPIA say about automated decision-making and profiling?

POPIA restricts you from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.

“A data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information.”

[Section 71]

For something to be solely automated there must be no human involvement in the decision-making process.       

The restriction only covers solely automated decision making that produces legal or similarly significant effects. These types of effect are not defined in POPIA, but the decision must have a serious negative impact on a data subject to fall under this provision. 

A legal effect is something that adversely affects someone’s legal rights. Similarly, serious negative impact is more difficult to define but would include, for example, automatic refusal of an online credit application, supplier non-selection, and e-recruiting practices without human intervention.

When can we carry out this type of processing?

Solely automated decision-making - including profiling - with legal or similarly significant effects is restricted, although this restriction can be lifted in certain circumstances.

You can only carry out solely automated decision-making with legal or similarly significant effects if the decision is:

  • necessary for entering into or performance of a contract between an organisation and the data subject;
  • authorised by law (for example, for the purposes of labour, financial regulation, fraud or tax evasion); or
  • based on the data subject’s explicit consent.

If you’re using special category personal information you can only carry out processing described in Section 71) if:

  • you have the data subject’s explicit consent; or
  • the processing is necessary for reasons of substantial public interest.

What else do we need to consider?

Because this type of processing is considered to be high-risk the POPIA requires you to carry out a Personal Information Impact Assessment to show that you have identified and assessed what those risks are and how you will address them.

As well as restricting the circumstances in which you can carry out solely automated decision-making (as described in Section 71), POPIA also:

  • requires you to give data subjects specific information about the processing;
  • obliges you to take steps to prevent errors, bias and discrimination; and
  • gives data subjects rights to challenge and request a review of the decision.

These provisions are designed to increase data subjects’ understanding of how you might be using their personal information.

You must:

  • provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the data subject;
  • use appropriate mathematical or statistical procedures;
  • ensure that data subjects can:
    • obtain human intervention;
    • express their point of view; and
    • obtain an explanation of the decision and challenge it;
  • put appropriate technical and organisational measures in place, so that you can correct inaccuracies and minimise the risk of errors;
  • secure personal information in a way that is proportionate to the risk to the interests and rights of the data subject, and that prevents discriminatory effects.

What if Section 71 doesn’t apply to our processing?

Section 71 applies to solely automated decision-making, including profiling, with legal or similarly significant effects.

If your processing does not match this definition then you can continue to carry out profiling and automated decision-making, but you must still comply with the POPIA conditions. You must identify and record your lawful basis for the processing and have processes in place so data subjects can exercise their rights.

Data subjects have a right to object to profiling in certain circumstances. You must bring details of this right specifically to their attention.