30 June 2020 by POPI Bumper Special Alert

Personal Information: Four key areas to be aware of

Personal information is everywhere. It is almost impossible to do business these days without collecting personal information of customers, suppliers and employees. Personal information is collected in so many ways, although to an ever increasing extent, online through contact forms, email and the creation of online profiles. The Protection of Personal Information Act of 2013 (POPI) – when it becomes fully operative – will regulate the collection, storage and dissemination of personal information. Businesses must ensure that the necessary consents for the collection, storage and dissemination of personal information are obtained. But first, businesses will need to be clear that what they are collecting is in fact personal information.

So, what is personal information? Personal information includes, among other things, the following:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, belief, culture, language and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • the e-mail address, physical address and telephone number of the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

There are four key areas of collection of personal information that businesses need to be aware of:

(1) Market research via direct marketing

Collecting personal information is big business. Understandably, businesses can profitably make use of this information to market their products or services. Many businesses undertake research as regards prospective customers by, among other things, accessing information already available in the public domain (for example, through publicly accessible social media platforms and websites) as well as obtaining contact information in respect of potential customers (for example, from a company switchboard). The personal information is then captured and stored to be used for purposes of direct marketing. The business then reaches out to these persons via personalised or mass-generated emails and/or via telephone calls. This is all personal information. Even the personal information of persons who have indicated that they do not wish to be contacted again via direct marketing is required to be stored for a certain period of time.

(2) Online

As noted, most businesses these days also collect information from their clients and customers via their websites. For example, most e-commerce stores require users to complete a profile of themselves, containing personal information. If you collect personal information from your clients or customers, make sure that they are made aware of this in clear and express terms, and make sure that you provide that they expressly consent to the collection, sharing and storage of such personal information. This can be achieved by introducing such consents into the business’s online terms and conditions.

(3) Employment Agreements

A third significant source of personal information that businesses collect, store and disseminate is that of its employees and prospective employees. Employment agreements (including both permanent and fixed term employment agreements), as well as independent contractor and consultancy agreements need to have the requisite provisions in place as regards the collection, storage and dissemination of the personal information. Similarly, any application forms that are used for application purposes will need to contain similar provisions (even if the person never becomes an employee of the business).

(4) Service Level Agreements

Service level agreements (or ‘SLAs’) are a common source of personal information that businesses collect, store and disseminate. This will contain information about customers or third party service providers. Customer-facing service level agreements and third-party supply agreements need to have the requisite provisions in place to ensure that consent is provided to collect, store and disseminate this information.

It is critical that businesses are alive to the personal information being collected, stored and disseminated via market research, online browsing, employment agreements, customer-facing service level agreements and third party supply agreements, and ensure that the requisite approvals are in place from data subjects. The collection, storage and dissemination of all of this personal information will need to comply with the requirements of POPI.

download PDF

The information and material published on this website is provided for general purposes only and does not constitute legal advice.

We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter.

We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages.

Please refer to the full terms and conditions on the website.

Copyright © 2020 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com

You may also be interested in