Johannesburg, South Africa -- (SBWIRE) -- 06/03/2013 -- Pamela Stein, respected lawyer and partner at leading corporate law firm, Webber Wentzel, describes the first three conditions of lawful processing as outlined in South Africa's Protection of Personal of Personal Information Bill (POPI).
A comprehensive list of the requirements for lawful processing of personal information is located early in the Protection of Personal of Personal Information Bill (POPI), with convenient cross-references to the sections where these requirements are amplified.
At the heart of POPI is the principle that all processing of personal information must take place in compliance with the eight data protection principles. Failure to do so will render the processing unlawful.
The drafters of the legislation have adopted a proactive approach to regulation, labelling the eight data protection principles as ‘conditions’ rather than principles, to emphasise that they are an absolute prerequisite for the lawful processing of personal information.
The first three conditions are examined below.
Condition 1— Accountability:
In an attempt to encourage data protection by design, and following the approach adopted by the European Union (EU) Draft Regulation, this condition requires the responsible party to ensure compliance with all the conditions for lawful processing. This must be done at the time of the determination of the purpose and the means of the processing, as well as during the processing of the data.
Condition 2 — Processing limitation:
Under this condition, processing may only take place if the following circumstances exist: the data subject consents to the processing; the processing is necessary to conclude or perform a contract to which the data subject is a party; processing is necessary for compliance with an obligation imposed by law on the responsible party; or processing protects a legitimate interest of the data subject or the responsible party or a third party to whom the information is supplied.
Secondly, data must be collected from the data subject unless a justification to collect from elsewhere exists. Besides national security and crime prevention, other exceptions include the following:
- Consent of the data subject to collect from elsewhere;
- The data are contained in a public
- Record or have been deliberately
- Made public by the data subject;
- The collection from another source
- Would not prejudice the legitimate
- Interest of the data subject;
- Compliance with the condition
- Would prejudice a lawful purpose
- Of the collection; or
- Compliance would not be reasonably practical.
Thirdly, data subjects may, at any time, object to the processing of their personal information, and unless the responsible party is required by law to process that information, the processing of the information must stop.
Condition 3 — Purpose specification:
POPI gives effect to the purpose specification condition by requiring that the collection must be for an explicitly defined purpose related to a function or activity of the reasonable party. Unless there are exceptional circumstances, personal information can only be retained for as long as it is necessary to achieve the purpose for which it was collected.
These exceptions recognise the retention of data for historical, statistical and research purposes. Under this condition, personal information must be identified, destroyed or deleted after the responsible party is no longer authorised to retain the record.
POPI has adopted the approach of Article 17 of the EU Draft Regulation by giving the data subject the rights to be ‘forgotten’ in an online environment, to erasure of their data, and to data portability. It includes the obligation on the responsible party to, in certain circumstances, restrict the processing rather than destroy the data, for instance where a data subject challenges the accuracy of the data, or if the processing is unlawful, or where the data are maintained simply for the purposes of proof. In such circumstances, rather than destroy the data, the data subject can agree to its retention, and the responsible party is then required to restrict the processing.
About Webber Wentzel
Webber Wentzel is a leading law firm in Africa, being consistently ranked at the top by a diversity of international ratings agencies in 2012.
The firm has a staff complement of approximately 800 people (including almost 150 partners and more than 450 professionals in a variety of legal disciplines) in offices in Johannesburg and Cape Town. Its client base includes many of South Africa’s Top 100 companies in banking & finance, insurance & legal liability, media, telecommunications & intellectual property, mining, oil & gas, private equity, and property law.
Webber Wentzel is a full service corporate law firm offering expertise in various legal areas including Dispute Resolution, Mergers & Acquisitions , Project Finance and Tax .
Webber Wentzel’s strategy is to help clients wherever they do business. Work in Africa represents a growing area of practice and, together with a network of best friend law firms; the firm has assisted clients in cross-border deals in most of the countries in sub-Saharan Africa.
Webber Wentzel has entered into a collaborative alliance with global law firm, Linklaters, which is recognised for its leading African practice having worked on numerous landmark transactions in almost every country on the continent over the past 30 years. The alliance will see the two firms working closely together for the benefit of clients in Africa.
The firm is also associated with ALN, a group of leading law firms in Africa.
For more information visit http://www.webberwentzel.com/. Follow Webber Wentzel on Twitter: @WebberWentzel.