Broadly speaking, there are two types of privacy policies:
You have most certainly encountered a maze of privacy policies whilst surfing the Internet, and it is very tempting to simply copy one and cut and paste from it to suit your own needs. Think before you do so: the maze of privacy policies you encounter is a direct result of legislation and court judgements in other countries that serve to protect personal information. In many instances, that legislation and those poor judgements are of no relevance in South Africa.
- The policy must satisfy the requirements of the law (such as the Protection of Personal Information Act, the Consumer Protection Act and the National Credit Act) and industry requirements (which will be spelt out in various Industry Codes, which POPI makes provision for). Organisations doing business on a global basis must consider a multitude of international privacy laws as well.
- The policy must satisfy your business objectives.
- It may reduce the risk of your company being sued for infringing a customer’s right to privacy.
- The policy should also ensure that you comply with the law and therefore avoid sanctions for non-compliance.
- It will help you gain consumer confidence.
- Hopefully, bad publicity, which can have serious economic consequences, can be avoided.
- Your potential customers will not feel the need to seek out your competitors with better data privacy practices.
- The personal information relating to your customers is a valuable business asset which should be protected and possibly even developed.
Do you collect personal information?
Personal information can be collected by various means and you should carefully analyse the functioning of your business or website to establish if and to what extent you gather personal information. You might even collect personal information without knowing it! Ways in which personal information is collected include:
- visitors subscribing to a newsletter,
- a user registering on a blog or forum,
- users submitting their details via a form,
- in the process of contracting online,
- taking orders,
- through the personalisation of a website by a user,
- monitoring user access and habits,
- sending or receiving e-mails, SMSs or other similar messages.
Data Privacy in South Africa
Under South African law, an individual’s right to privacy is enshrined in the Constitution of the Republic of South Africa. The Constitution provides that everyone has the right to privacy. However, section 36 limits certain privacy rights where “reasonable and justifiable”. No specific standalone legislation dealing with privacy currently exists in South Africa. Specific legislation dealing with privacy and data protection is expected in the future.
The Promotion of Access to Information Act (PAIA) is, to an extent, relevant to privacy and online privacy policies. The essence of PAIA is that private bodies are required to allow access to their records under certain circumstances. PAIA mandates that “the head of a private body must refuse a request for access to a record of the body if its disclosure would involve the unreasonable disclosure of personal information about a third party”, and the privacy of end users or customers is therefore indirectly protected. In addition, the section of PAIA that deals with the correction of personal information is very relevant to privacy policies.
Some General Comments