ARTICLE 3: Condition 3 of the Protection of Personal Information Act (POPI)

As part of our series of articles discussing POPI, in this article we provide insight into the requirements set out in Condition 3.

Condition 3: Purpose Specification

  • Collection for specific purpose

Insight: Responsible parties must ensure that the purpose for which they collect personal information is specific, lawful and clearly communicated to data subjects. For example, where a potential client provides personal information such as contact details, ID number etc. on an application form (web based or paper based), the purpose for collection must be made clear.

Consider the points where your business processes require personal information to be collected from persons and ensure these points of collection clearly state:

  • What personal information your company requires.
  • Why the specific personal information elements are required (how they will be used by your company).

Condition 3: Elements of collection 

  • Retention and restriction of records

Insight: This requirement speaks to effective record management policies and procedures, usually in the form of a company-wide record management program / Information Lifecycle Management (ILM) framework.

Responsible parties must ensure that they have a method in place to keep a record of what personal information is processed and the reason for its processing. This is important from a regulatory reporting point of view and should also form part of existing data governance efforts.

Additionally, responsible parties have to ensure that they retain personal information records for as long as they are required by relevant legislation or used for their original purpose, and thereafter destroy / de-identify such personal information. In other words, if your company does not legally require personal information, it must be de-identified / destroyed in such a manner that it cannot be re-identified.

Where companies wish to keep personal information for longer periods than required by law, they must obtain consent from their data subjects (or alternatively notify the regulator where consent cannot be obtained from the data subject), have a legal purpose for retaining the information or keep the information in line with the conditions of the POPI Act.

NOTE: The insight in this article is not aimed at providing legal advice. Further, the content of this article may be subject to change based on amendments to the Protection of Personal Information Act, No. 4 of 2013 and requirements of related industry legislation and codes of conduct.

 

Download: Mobius POPI SIG Article 3 – Condition 3