POPI defines “processing” as ‘any operation or activity or any set of operations, whether or not by automatic means, concerning person information’. This includes, amongst other things, the collection, recording, organisation, storage, modification or transmission of personal information. Despite this definition of “processing” no indication has been provided in POPI as to what the section 15 phrase “further processing” means. Since POPI is a new piece of legislation (only coming into force on 1 July 2020) there is no case law, at this stage, which can assist us in interpreting the phrase. However, POPI does provide that the further processing of personal information must be in accordance or compatible with the purpose for which the personal information was originally collected.
From this, it may be deduced that where a data subject provides consent to the processing of personal information for a specific expressly-defined purpose, and during the processing of such personal information it transpires that further processing (not originally envisaged and for which consent was not originally received) is required in order to fulfil the purpose that such further processing will fall within the ambit of section 15 of POPI. However, this viewpoint is yet to be tested and will, mostly likely, be expanded upon by our courts in the future.
Section 15 of POPI provides that in order to determine whether further processing is compatible with the purpose for which the personal information was originally collected. The following factors must be taken into consideration, namely:
- the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
- the nature of the information concerned;
- the consequences of the intended further processing for the data subject;
- the manner in which the information has been collected; and
- any contractual rights and obligations between the parties.
POPI further provides that where the purpose of the further processing is not compatible with the purpose for which such personal information was originally collected, further processing of such personal information may still occur where:
- the data subject consents to such further processing;
- the personal information is available in or derived from a public record or has deliberately been made public by the data subject;
- further processing is necessary to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences; to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue; for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or if in the interests of national security;
- the further processing of the personal information is necessary to prevent or mitigate a serious and imminent threat to public health or public safety; or the life or health of the data subject or another individual;
- the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in identifiable form; or
- the further processing of the information is in accordance with an exemption granted by the Regulator in accordance with the provisions of POPI.
It may be difficult to determine the extent of processing which needs to be undertaken by a responsible party in order to fulfil the purpose for which the personal information of the data subject was originally sought and for which such data subject originally provided consent. The provisions of POPI pertaining to the further processing of personal information appear to create an instance where the responsible party does not need to constantly revert to the data subject to obtain the relevant consent to further process the personal information, provided that the further processing is in accordance or compatible with the provisions of POPI as detailed in this article. Where it is not, the responsible party may be required to once again approach the data subject to obtain consent for further processing.
It is important to ensure from the outset that the consent you, as the responsible party, obtain from a data subject provides such data subject with enough information regarding how and what manner the provided personal information will be processed. It is also important to understand and keep in mind the instances where further processing will occur and to ensure that it is compatible with the original purpose for which the personal information was provided.
This is a difficult concept to navigate and we are happy to provide assistance with regards to the content which should be set out in your consents as well as provide you with advice as to when further processing may occur during your processing method.