VN May 2017

Article I Artikel

POPI has arrived and no, I am not referring to your niece!

client and get permission to keep his personal information in your database (providing the reasons for such request);

– to object in the event where personal information, collected for a valid reason, is used for a purpose other than what it was initially collected for. If you wish to use a client’s personal information for another purpose, for example, using his email address on your database to send unsolicited newsletters to him, the client needs to consent to that as well;

– to be notified that personal information has been accessed or acquired by an unauthorised person. For example, one of your employees discloses your client list to his wife, who runs a travel agency, enabling her to contact your clients to offer special holiday deals to them. You must inform the clients of such disclosure;

– to establish whether a responsible party holds personal information and request access to it;

– to request proof that adequate measures and controls are in place to track access and prevent unauthorised people, even within the same company, from accessing private information. For example, he can request proof from a banking institution as to what measures have been put in place to track access from unauthorised people;

– to request the correction, destruction or deletion of his personal information. For example, your application for a position at AB Veterinary Practice is unsuccessful. Later, you receive a letter from AB Veterinary Practice, enquiring whether you would be interested in buying small animal food from them. You now have the right under law to request the AB Veterinary Practice to either delete your information on its database or to correct it.

How does POPI deal with telemarketers?

As an interesting aside, POPI also regulates how telemarketers should conduct their business. In the case of direct marketing, the telemarketer only has one opportunity to ask the person whom he has contacted whether that person would like to opt in to receive marketing information. For example, when contacted by a telemarketer, you must be given the option to opt in. This means that you must take a concrete action (give explicit consent) like saying “yes”, thereby declaring that you want to receive the information. This is different from opt out, often called “presumed consent,” in which you are presumed to be consenting unless you act to register your unwillingness. That still leaves us with the question: “Mr. Telemarketer, where did you get my contact details?”

So, what’s the worst that can happen to you for blowing POPI off?

The final responsibility for compliance with POPI rests with the responsible party even in instances where the personal information collection process has been entrusted to an employee or to a third party. If, for example, you do not respect a client’s wishes, the aggrieved client could report your conduct to the POPI Regulator. Depending on the outcome you may also

- suffer reputational damage, resulting in loss of customers
- pay out millions in damages in civil actions
- be fined R10-million or up to 10 years’ imprisonment.

It is therefore of the utmost importance that all veterinarians and their employees not only understand the issues at hand but also that they work towards POPI compliance.

So, what can you do, now that you have been frightened onto the straight and narrow?

Certain sections of POPI have already commenced whilst the majority (especially those that create compliance requirements) will only commence on a later date to be proclaimed by the President. It is uncertain when they will be implemented; we simply do not know, but do not foresee that it will be before the Information Regulator is operational, which might be at the end of 2017 or even in 2018. Still to be published are the regulations, which would be quite helpful in implementing the provisions in your line of business (regulations lay out the practical implementation of the actual Act). We will also have to see how POPI interacts with the current veterinary law and regulations.

So then, if everything still appears up in the air, what is the point and why not simply wait and see? Firstly, POPI will give you a short period within which to comply, 12 months at this stage. Secondly, POPI is part common sense, part plain good practice management and no doubt, probably part a pain in the butt – especially in terms of administrative issues and reporting.

Now is the time, when the pressure is still off and you don’t have to fork out a ton of money for a lawyer or “consultant”, to simply look at the information flows in your practice. The golden rule is, all information collected whereby an individual/entity may be identified, must be done so with that individual/entity’s consent, must be safeguarded and only divulged or used in a justifiable manner that does not compromise that individual/entity’s right to privacy. Remember, you as the principal/
