Do not try to protect all the personal information you process all of the time. You should only do what is reasonably practicable to protect personal information. This might sound strange coming from a lawyer who helps organisations to comply with laws, so let me explain.
Some organisations are aiming for absolute compliance and warranting that they will comply with POPI. They are spending huge amounts of time and money striving for something that is just not reasonable, practical or possible. They are overreacting to this latest regulatory requirement. They are trying to protect personal information at all costs.
It is just not possible to protect all personal information, all the time. Yes, there are various regulatory obligations or requirements that come out of POPI that require you to take action where you can go tick – it’s done – we comply. But those are the easy ones. The difficult ones are the subjective ones, especially the ones that involve a balancing of rights and interests. The conditions for lawful processing in POPI really set out what a responsible party should reasonably do from a practical perspective when processing personal information. I’m not suggesting you be irresponsible. You must be responsible and be able to prove that you were. I’m also not suggesting that you don’t comply with the law.
Just because you don’t protect all personal information, all the time does not mean that you are not POPI compliant or POPIA compliant. You can still be 100% compliant whilst failing to protect personal data.
What does POPIA say?
Let us look at some of the things POPI itself says:
- You must process personal information in a reasonable manner that does not infringe the privacy of data subjects. (Section 9)
- You do not need to collect personal information directly from a data subject if it is not reasonably practicable in the circumstances of the particular case to do so. (Section 12)
- You can retain personal information if you reasonably require it for your activities. (Section 14)
- You must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated. (Section 16)
- When you collect personal information you must take reasonably practicable steps to ensure that the data subject is aware of various things. This should be before it is collected or as soon as reasonably practicable after it has been collected. (Section 18)
- You must take appropriate and reasonable measures to secure the personal information you process. (Section 19)
- If it is reasonably practicable to do so, you should tell people to whom you have given personal information that it has been updated. (Section 24(3))
- You can transfer personal information to another country if it is for the data subject’s benefit and it is not reasonably practicable to get their consent (and they would have probably given it). (Section 72)
I’m sure you spotted the common thread. POPI does not say you have to do it. Just do what is reasonable.
Then, looking at the sanctions for non-compliance:
- To defend a civil action for damages you can raise the defence that it was not reasonably practicable in the circumstances of the particular case. (Section 99(2))
- If you are charged with the offence of failing to comply with the conditions regarding account numbers, you can raise the valid defence that you took reasonable steps to prevent the contravention. (Section 105)
- When determining an appropriate fine, the Information Regulator must consider whether you could have prevented the contravention from occurring. In other words, what was reasonably practicable for you to have done. (Section 109(3))
Don’t spend a huge amount of time and money trying to achieve the impossible goal of protecting all personal information all the time
So, the bottom line is – don’t spend a huge amount of time and money trying to achieve the impossible goal of protecting all personal information. In any case, if you managed to do it, you’d probably stop the free flow of personal information and bring the organisation to its knees.
What does reasonably practicable to comply with mean?
Only do what is reasonably practicable to comply with POPI. “What does that mean?” I hear you say. That is the million-dollar (I mean Rand) question. Well, hopefully, you don’t have to spend a million Rand. It certainly will be cheaper to only do what is reasonably practicable, rather than protecting personal information 100% of the time. According to the dictionary:
- reasonable means “having sound judgement; fair and sensible” or “as much as is appropriate or fair; moderate” and
- practicable means “able to be done or put into practice successfully”
If we look at the term “reasonably practicable”, it is used in Australia in the context of health and safety. In terms of the Australian Work Health and Safety Act 2011, the onus is placed on the ‘duty holder’ to prove that they have done everything possible to reduce or eliminate risks in the workplace. The role of the duty holder would be similar to that of the responsible party in terms of POPI. Australian courts use an objective test to determine if the organisation did what was reasonably practicable in a particular case. Just as POPI makes provision for a weighing of interests, so does the Australian legislation. All matters must be taken into account in determining if the duty holder has done what was reasonably practicable. Although the term is used mainly for health and safety in Australia, the principle stays the same: reasonably practicable is a balance between the damages suffered and the steps taken in avoiding the risks. While Australia protects its workforce, POPI will protect the personal information of all of you.
To me, it means to do what a responsible person would have done in the circumstances to protect personal information considering:
- The kind of personal information you’re processing. For example, account numbers can be used by a thief to steal money from a bank account. Special personal information can be used to discriminate against someone.
- Whose personal information it is. If it’s a child’s you need to do more to protect it.
- The harm someone could suffer if their personal information got into the wrong hands.
- The cost to protect it.
- Whether your actions will actually have the effect of protecting personal information. Is it possible to protect personal information?
- What is appropriate considering that personal information needs to flow.
We can help you
- Raise your awareness of data protection compliance by attending one of our workshops.
- Practically assess how POPI impacts you and your organisation by doing a personal information impact assessment.
- Comply with POPI in a practical and effective manner by asking for our assistance or joining the Michalsons Data Protection Programme.