What does POPI mean?
POPI – protection of personal information. The basis of the Bill of Rights is that all human rights should be enforced. As a country driven by democracy and equal rights, the Constitution is clear regarding the protection of rights. The right to privacy is one of these rights and is regarded as being extremely important.
A breakthrough for the protection of consumers came with the proclamation of the Consumer Protection Act 68 of 2008 and the Protection of Personal Information (POPI) Act 4 of 2013.
The purpose is to protect the right to privacy when handling personal information. This right has to be balanced against the right to access information. Email and direct marketing campaigns may not be carried out unless the recipients have given their consent to be contacted. In the past omission to exercise the option, was seen as consent. Not anymore!
POPI and direct marketing
Direct marketing is not being phased out by this Act, but marketers will be ensured that those being contacted are actually interested in their offerings. Rather than putting an end to direct marketing, POPI controls the practice and protects consumers.
POPI requires that records of personal information not be retained for longer than is necessary for achieving a specific purpose, unless authorised by law or consented by the consumer. There are strict instructions on how personal information records must be destroyed.
Marketers are responsible to ensure compliance and according to South African law, ignorance of the law is no defense.
How does POPI change retail?
Retailers now has to answer customers’ questions about the type and amount of personal information they are collecting, why they are collecting it, where they got the information they already have and how they intend to protect it against abuse.
POPI provides a wide definition for ‘personal information’, because this could include data ranging from addresses, ID numbers, cell phone numbers, biometrics and even personal views on certain issues. There is no defined list of information that retailers are forbidden from collecting, but rule of thumb says they should only collect what is necessary to achieve a specific purpose. Some questions would be:
“Is a copy of the ID necessary or only presentation of the original?”
“If they don’t need a copy, why keep it?”
If a company collects data via their public Facebook page, they are still responsible to secure and protect that data and has to limit their use, release and custody of the information to a specific purpose.
POPI also has implications for HR activities regarding current policies and employee contracts.
Responsible use of personal information is key!