So, what is personal information? Personal information includes, among other things, the following:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- the e-mail address, physical address and telephone number of the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

There are four key areas of collection of personal information that businesses need to be aware of:
(1) Market research via direct marketing
Collecting personal information is big business. Understandably, businesses can profitably make use of this information to market their products or services. Many businesses undertake research as regards prospective customers by, among other things, accessing information already available in the public domain (for example, through publicly accessible social media platforms and websites) as well as obtaining contact information in respect of potential customers (for example, from a company switchboard). The personal information is then captured and stored to be used for purposes of direct marketing. The business then reaches out to these persons via personalised or mass-generated emails and/or via telephone calls. This is all personal information. Even the personal information of persons who have indicated that they do not wish to be contacted again via direct marketing is required to be stored for a certain period of time.
As noted, most businesses these days also collect information from their clients and customers via their websites. For example, most e-commerce stores require users to complete a profile of themselves, containing personal information. If you collect personal information from your clients or customers, make sure that they are made aware of this in clear and express terms, and make sure that they expressly consent to the collection, sharing and storage of such personal information. This can be achieved by introducing such consents into the business’s online terms and conditions.
(3) Employment Agreements
A third significant source of personal information that businesses collect, store and disseminate is that of their employees and prospective employees. Employment agreements (including both permanent and fixed term employment agreements), as well as independent contractor and consultancy agreements, need to have the requisite provisions in place as regards the collection, storage and dissemination of the personal information. Similarly, any forms used for job applications will need to contain similar provisions (even if the person never becomes an employee of the business).
(4) Service Level Agreements
Service level agreements (or ‘SLAs’) are a common source of personal information that businesses collect, store and disseminate. These agreements will contain information about customers or third party service providers. Customer-facing service level agreements and third-party supply agreements need to have the requisite provisions in place to ensure that consent is provided to collect, store and disseminate this information.
It is critical that businesses are alive to the personal information being collected, stored and disseminated via market research, online browsing, employment agreements, customer-facing service level agreements and third party supply agreements, and ensure that the requisite approvals are in place from data subjects. The collection, storage and dissemination of all of this personal information will need to comply with the requirements of POPI.