Informing Your Consumers About Data Collected
Section 13 of the Protection of Personal Information Act (POPIA) provides that “personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.” The supplier must then take steps to make the consumer aware of this purpose (section 13(2)).
The consumer or client must be aware that personal data is being collected. Section 18 provides that the consumer must be made aware that information is being collected and of the source from which it is being collected.
Under section 18(1)(a), the following information must also be disclosed to the consumer:
- the name of the responsible party;
- the purpose for which the information is being collected;
- whether the supply of the information is voluntary or mandatory;
- the consequences of a failure to supply the information;
- if the collection of the information is authorised or required by legislation, the name of that legislation;
- if the information is going to be transferred to a third country or international organisation and the level of protection which is given in that country or organisation; and
- any other information which is necessary to make the processing reasonable, for example:
  - the recipient of the information;
  - the nature or category of the information;
  - the existence of the right to have access to your personal information and to correct the information if necessary;
  - the existence of the right to object to the processing of the personal information; and
  - the right to lodge a complaint with the Information Regulator.
If the information is collected from the consumer, they must be given this information before the collection takes place. If not, the consumer must be notified as soon as is reasonably practicable (section 18(3)).
There are several exceptions to this obligation, as stated in section 18(4):
- The consumer can consent to the non-compliance.
- If the non-compliance does not prejudice the legitimate interests of the consumer as set out in this Bill, it can be justified.
- If compliance could prejudice a lawful purpose of the collection, it is not required.
- If compliance is not reasonably practicable, non-compliance will be excused.
- A supplier does not have to comply if the information will not be used in a form in which the consumer may be identified or the information will be used for historical, statistical or research purposes.
- As with many of the obligations in terms of the Bill, non-compliance is excused if it is in the interest of national security or in the interest of maintaining the law and preventing, detecting, investigating, prosecuting and punishing offences (if the supplier is a public body), if the information is collected in order to collect tax, or if non-compliance is necessary to conduct proceedings in a court or tribunal.