Mei/May 2017
Article | Artikel
partner/owner/employer will have to prove that you have taken appropriate and reasonable steps to safeguard personal information.
Proposed guidelines to follow in order to prepare for the implementation of POPI (the list is not exhaustive)
Check your vehicles, homes, offices, etc. to determine whether you have any data (employee/customer/supplier) which could be construed as personal information and ask the following questions:
1. Whose personal information do I have?
2. Why do I need this personal information (what do I do with the personal information)? Personal information must only be collected for a specific, explicitly defined and lawful purpose that is related to a function or activity of the practice concerned.
3. Why and how is the personal information processed (i.e. this covers all phases of a typical information management lifecycle – from collection to usage, sharing, disposal, archiving, etc.)? Ensure that the processing is adequate, relevant and not excessive given the purpose for which it is processed.
4. What checks and balances do I have in place to safeguard against the unauthorised disclosure of personal information? These checks and balances apply to all electronic and/or manual processing systems.
5. Do I need the consent of the data subject to process his/her/its information?
6. Do I have the data subject's consent?
7. Do I need to process the personal information further? This may be relevant if you, for example, wish to forward newsletters to a client.
8. With whom do I share the personal information, i.e. third parties – both locally and internationally, other legal entities – sometimes within the same group or company, etc.? Remember, POPI also applies to personal information sent to a foreign country.
9. If I do share personal information with a third party, does this third party comply with POPI? For example, the practice outsources its payroll to VIP. VIP's processing systems must be compatible with the purpose for which the data was initially collected, namely the payment of salaries and PAYE, employment equity, etc.
10. Do I allow a "data subject" access to his/her personal information when requested to do so? POPI allows "data subjects" to make certain requests, free of charge, to organisations holding their personal information.
11. How long do I retain records and how do I delete/destroy such records? (Retain records for the required periods and then delete, destroy or de-identify them as soon as the purpose for collecting the information has been achieved, unless you have a valid reason for keeping such records, for example another Act of Parliament.)
12. Do I disclose personal information to third parties who request such information? For example, your employee wishes to buy furniture and the furniture shop contacts you to enquire:
- whether the employee works for you;
- his salary;
- date of employment;
- any other information that you believe is relevant, for instance whether there are any garnishee orders against the employee's salary;
- whether the employee is permanently or temporarily employed.
13. Do my employees know what is expected of them in order to comply with POPI?
14. Do I address the requirements of POPI in all my agreements (employees/clients/providers/etc.)? For example, a clause relating to POPI should be included in contracts of employment giving you as an employer inter alia consent to:
- collect, utilise and retain his/her personal information for employment purposes, including but not limited to identity and/or passport number, date of birth, age, gender, race, driver's licence, contact details (physical and e-mail addresses/telephone/cell phone number), marital status, education information, employment history, salary and tax information, photos, physical and mental health information (if an operational requirement) and fingerprints;
- forward his/her personal information to specific third parties, for example XX Pension Fund, YY Medical Aid and SARS.
Some practice tips:
(a) Ensure that laptops, cell phones, iPads, etc. are secured when you remove them from your work premises, especially whilst in your vehicle.
(b) Incidents which may result in personal information being compromised must be reported as soon as possible.
(c) Be careful when personal information is forwarded by fax or e-mail.
(d) Follow the set procedure when storing or destroying personal information. Do not discard documents on a rubbish dump.
(e) When you receive a request from a third party, irrespective of whether the third party is a family member of the data subject, a local authority, a government department or the police, to disclose another person's or legal entity's personal information, tread with caution.
(i) A key point to consider is whether the disclosure is relevant to and necessary for the conduct of the practice's business. For example, it would generally be appropriate to disclose a veterinarian's work
POPI has arrived and no, I am not referring to your niece!