
16

Mei/May 2017

Article | Artikel

partner/owner/employer will have to prove that you have taken appropriate and reasonable steps to safeguard personal information.

Proposed guidelines to follow in order to prepare for the implementation of POPI (List is not exclusive)

Check your vehicles, homes, offices, etc. to determine whether you have any data (employee/customer/supplier) which could be construed as personal information and ask the following questions:

1. Whose personal information do I have?
2. Why do I need this personal information (what do I do with the personal information)? Personal information must only be collected for a specific, explicitly defined and lawful purpose that is related to a function or activity of the practice concerned.
3. Why and how is the personal information processed (i.e. this covers all phases of a typical information management lifecycle – from collection to usage, sharing, disposal, archiving, etc.)? Ensure that the processing is adequate, relevant and not excessive given the purpose for which it is processed.
4. What checks and balances do I have in place to safeguard against the unauthorised disclosure of personal information? These checks and balances apply to all electronic and/or hand processing systems.

5. Do I need the consent of the data subject to process his/her/its information?
6. Do I have the data subject's consent?
7. Do I need to process the personal information further? It may be relevant if you, for example, wish to forward newsletters to a client.
8. With whom do I share the personal information, i.e. third parties – both locally and internationally, other legal entities – sometimes within the same group or company, etc.? Remember, POPI also applies to personal information sent to a foreign country.
9. If I do share personal information with a third party, does this third party comply with POPI? For example, the practice outsources its payroll to VIP. VIP's processing systems must be compatible with the purpose for which the data was initially collected, namely the payment of salaries and PAYE, employment equity, etc.
10. Do I allow a "data subject" access to his/her personal information when requested to do so? POPI allows "data subjects" to make certain requests, free of charge, to organisations holding their PI.

11. How long do I retain records and how do I delete/destroy such records? (Retain records for required periods and then delete, destroy or de-identify them as soon as the purpose for collecting the information has been achieved, unless you have a valid reason for keeping such record, for example another Act of Parliament.)
12. Do I disclose personal information to third parties who request such information? For example, your employee wishes to buy furniture and the furniture shop contacts you to enquire:
    - Whether the employee works for you
    - His salary
    - Date of employment
    - Any other information that you believe is relevant, for instance whether there are any garnishing orders against the employee’s salary
    - Whether the employee is permanently or temporarily employed?
12. Do my employees know what is expected of them in order to comply with POPI?
13. Do I address the requirements of POPI in all my agreements (employees/clients/providers/etc.)? For example, a clause relating to POPI should be included in contracts of employment giving you as an employer inter alia consent to:
    - collect, utilise and retain his/her personal information for employment purposes, including but not limited to identity and/or passport number, date of birth, age, gender, race, driver’s license, contact details (physical and e-mail addresses/telephone/cell phone number), marital status, education information, employment history, salary and tax information, photos, physical and mental health information (if an operational requirement) and fingerprints;
    - forward his/her personal information to specific third parties, for example XX Pension Fund, YY Medical Aid and SARS.

Some Practice tips:

(a) Ensure that laptops, cell phones, iPads, etc. are secured when you remove them from your work premises, especially whilst in your vehicle.
(b) Incidents which may result in personal information being compromised must be reported as soon as possible.
(c) Be careful when personal information is forwarded by fax or email.
(d) Follow set procedure when storing or destroying personal information. Do not discard documents in a rubbish dump.
(e) When you receive a request by a third party, irrespective of whether the third party is a family member of the data subject, or a local authority, government department or the police, to disclose another person/legal entity’s personal information, tread with caution.
    (i) A key point to consider is whether the disclosure is relevant to and necessary for the conduct of the practice’s business. For example, it would generally be appropriate to disclose a veterinarian’s work


POPI has arrived and no, I am not referring to your niece!