Listen to the article now
Last week we published an article on the phenomenon of personal data as a commodity where we cautioned individuals on what they need to know before sharing personal data online. Now that you are familiar with cookies, personal data, and data breaches – it is time to consider the laws surrounding data mining and how you can protect yourself against data breaches.
The Right To Privacy
Section 14 of the Bill of Rights guarantees the right to privacy. Section 14(d) provides that everyone has the right to privacy, which includes the right not to have the privacy of their communications infringed.
According to University of Pretoria law lecturer, Dr. Lukman Adebisi Abdulrauf, the right to data privacy considers an individual’s right to control his personal information, control who accesses it, and what it can be used for. Excessive influence on people’s privacy has the potential to both, directly and indirectly, limit the free development and the exchange of ideas.
Because of rapid advances in technology that threaten to infringe on this right and data mining which allows companies to turn our personal information into a useful commodity, the government has a duty to ensure the protection of the right to privacy. This duty also extends to private actors, individuals, and private business entities as it obligates them to not infringe on this right.
The conversation around data privacy has resulted in the enactment of data legislation that acts to deter infringements on the right to privacy. The most noteworthy being the Protection of Personal Information Act (POPIA). POPIA comes into effect on July 1 and provides for a 12-month grace period for companies to be compliant.
According to the preamble of the Act, POPIA is premised on the following principles:
- Promote the protection of personal information processed by public and private bodies.
- Introduce certain conditions aimed at establishing minimum requirements for the processing of personal information.
- Provide for the establishment of an information regulator.
- Provide for the rights of persons regarding unsolicited electronic communications and automated decision making.
- Regulate the flow of personal information across the borders of the Republic.
- Provide for matters connected to what the Act stands for.
POPIA provides much needed conditions for the lawful processing of personal data of South Africans. The Act recognises that the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.
Since the allowance to process data is so wide – it is imperative to understand your rights as the data subject.
Rights Of The Data Subject
Section 5 of the Act is the provision for the rights of data subjects and provides that a data subject has the right:
- To be notified that personal information about them is being collected, provided or has been acquired.
- To request access to their personal information from the holder
- Where necessary, to request the correction, destruction, or deletion of their personal information.
- To object, on reasonable grounds, to the processing of their personal information
- Not to be subject to a decision solely based on automated processing of their personal information.
- To submit a complaint to the Regulator regarding an alleged interference
- To institute civil proceedings regarding an alleged interference with the protection of personal information
For the lawful processing of personal data, the Act provides eight conditions to companies, namely:
- Processing limitation
- Purpose specific processing
- Further processing limitation
- Information quality
- Security safeguards
- Data subject participation.
Compliance With The Act
To make sure companies are compliant with the principles of the Act and in turn, the right to privacy – the Act provides that they must:
- Obtain consent before collecting data.
- Only collect data needed for a legitimate purpose.
- Take reasonable steps to protect the integrity of the information.
- Store the information only for as long as it is required.
- Provide access and corrections to data subjects’ information.
Nowadays complaining about the persistence of telemarketers has become a regular part of many conversations. Direct marketing means approaching a data subject, either in person or by mail or electronic communication for the direct or indirect purpose of either promoting or offering to supply goods or services or requesting a donation of any kind. One of the most relevant aspects of POPIA is that it provides South Africans with rights regarding direct marketing.
As per section 69 of the Act, companies are permitted to engage in the processing of personal information for direct marketing only if the data subject has given consent or they are a customer of the company.
POPIA is expected to ensure fair, ethical, and safe data processing. Companies need to make sure they are compliant and we, as data subjects, need to stay clued up on the law to guard against any form of exploitation.