Print Print

Privacy Policy (for your customers)

October 14, 2008 – 9:24 pm by John Giles

Broadly speaking, there are 2 types of privacy policies:

  1. A Customer Privacy Policy which deals with all Customer PI that you hold; and
  2. An Employee Privacy Policy which deals with all Employee PI that you hold.

This article deals with Customer Privacy Policies.

If you collect personal information (PI) about your customers (or any identifiable individual) through your web site or offline, you need to have a privacy policy.  A privacy policy should appear on all web sites that collect personal information about visitors to the web site. However, it should not be limited to your online visitors. If you collect, maintain and use consumer PI in other ways, then the policy should cover that as well.

Factors to bear in mind whilst drafting a privacy policy

Whilst you have most certainly encountered a maze of privacy policies whilst surfing the Internet, it is very tempting to simply copy one and cut and paste from it to suit your own needs. Think before you do so as the maze of privacy policies you encounter are a direct result of legislation and court judgements in other countries that serve to protect PI. In many instances, that legislation and those poor judgements are of no relevance in South Africa.

Your privacy policy must keep 3 goals in mind:

  1. The policy must satisfy the legal requirements required by law (such as the Protection of Personal Information Bill, the Consumer Protection Act and the National Credit Act)  and industry requirements (which will be spelt out in various Industry Codes which the Bill makes provision for). For organisations doing business on a global basis, they must consider a multitude of international privacy laws as well.
  2. The policy must satisfy your business objectives
  3. The policy must reassure consumers (privacy is an emotional issue for most consumers. many people feel as though there is a full frontal assault on their PI. They believe they have little or no control over the collection and use of their PI. As a result, a privacy policy must be designed to allay consumers concerns and make them feel comfortable doing business with your organisation).

Our policy has been drafted taking points 1 and 3 into account. Should your organisation be doing business on a global basis and should you feel uncertain whether your business objectives might influence the content of the privacy policy negatively, contact Michalsons Attorneys who can provide traditional legal assistance and support to help you customise this policy.

Should you require Privacy Procedures, feel free to contact us (the policy provides high-level statements of your positions on particular issues whereas procedures bring those positions down to earth by laying out specific actions and responsibilities).

Please remember the following important pointer: Many organisations assume that once they privacy policy is in place, the job is completed. This is a mistake. Every time content or services are added, or website functionalities change, there is a risk of exposing users to privacy breaches. It is critical to every online business that as the business changes, the policy is reviewed to see if changes to meet the new challenges are necessary.

What are the benefits of having a privacy policy?
  1. It may reduce the risk of your company being sued for infringing a customer’s right to privacy.
  2. The policy should also ensure that you comply with the law and therefore avoid sanctions for non-compliance.
  3. It will help you gain consumer confidence.
  4. Hopefully bad publicity which can have serious economic consequences can be avoided.
  5. Your potential customers will not feel the need to seek out your competitors with better data privacy practices.
  6. A privacy policy should demonstrate good practice and therefore help to attract new customers or to keep existing customers.
  7. A well drafted privacy policy should also enable you to deal with the personal information of customers in a manner which is beneficial to you.
  8. The personal information relating to your customers is a valuable business asset which should be protected and possibly even developed.

A South African Online Privacy Policy for Your Use

We have developed a template of an online privacy policy specifically for South Africa.  Comments for the customisation and implementation of the online privacy policy are included as footnotes.   The privacy policy is designed to satisfy your requirements regards the personal information of others and their privacy.  Please contact us for further information or if you require a template online privacy policy.

Do you collect personal information?

Personal information can be collected by various means and you should carefully analyse the functioning of your business or web site to establish if and to what extent you gather personal information. You might even collect personal information without knowing it!  Ways in which personal information is collected include:

  • visitors subscribing to a newsletter,
  • a user registering on a blog or forum,
  • users submitting their details via a form,
  • in the process of contracting online,
  • taking orders,
  • through the personalisation of a web site by a user,
  • through the use of cookies,
  • monitoring user access and habits,
  • sending or receiving e-mails,
  • SMS’s or other similar messages.

Data Privacy in South Africa

Under South African law, an individual’s right to privacy is enshrined in the Constitution of the Republic of South Africa (”the Constitution”). The Constitution provides that everyone has the right to privacy. However, section 36 limits certain privacy rights where “reasonable and justifiable”. No specific standalone legislation dealing with privacy currently exists in South Africa. Specific legislation dealing with privacy and data protection is expected in the future.

The Promotion of Access to Information Act (Proatia) is to an extent relevant to privacy and online privacy policies. The essence of Proatia is that private bodies are required to allow access to their records under certain circumstances. Proatia mandates that:

the head of a private body must refuse a request for access to a record of the body if its disclosure would involve the unreasonable disclosure of personal information about a third party

and the privacy of end users or customers is therefore indirectly protected. In addition, the section of Proatia that deals with the correction of personal information is very relevant to privacy policies.

Until such time as privacy legislation is enacted, we recommend that all companies that collect personal information should have a privacy policy that complies with international best practice and which will most likely comply with future South African privacy legislation. The privacy policy should also comply with the provisions of Proatia and other relevant legislation to the extent that they are relevant.

Some General Comments

A privacy policy is a dynamic document and should be amended as the law relating to privacy and your business develops and changes. Your privacy policy should therefore be reviewed on a regular basis.

It is suggested that you alert users to the fact that their personal information will be dealt with under a privacy policy by way of a clear and prominently displayed notice at the bottom of each web page of your web site.

Similar:

  • Share/Bookmark

Tags:

You must be logged in to post a comment.

Copyright 2002 - 2010 Lematics. All Rights Reserved. Entries (RSS), Comments (RSS) and XML Sitemap. Designed by Bob