Tech Law: Processing, personal information and direct marketing under POPI
by Paul Jacobson (@pauljacobson) I touched on consent as a key consideration in the Protection of Personal Information Act (expected to be passed shortly) in our recent post titled “POPI is a steep, uphill climb for direct marketers“. As I pointed out in that post, the consent issue (the video below summarises consent as a key concept and why it is so important in direct marketing), while critical, just scratches the surface. There is a lot more to the anticipated Protection of Personal Information Act and, in this post, I’d like to give you an overview of two further important terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”.
Personal Information and Processing
Before you can understand the conditions, you need to understand two further terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”. The “personal information” definition is pretty broad. It includes all the usual categories of personal information and a great deal more:
‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
I highlighted some of the interesting aspects of “personal information” because these categories of personal information are not always recognised as such. For example, “any identifying number, symbol” or “online identifier” could include a Twitter handle or pseudonym (assuming it could be associated with an identity). “Personal opinions, views or preferences” covers a wide range of questions marketers often ask people in surveys and competitions. Add to this other people’s “views or opinions” about your data subject and you’re now dealing with personal information about person A which you obtain from person B and which is also person B’s personal information so you potentially need to obtain consent from both people.
The next important term is “processing”. This is the term used for a variety of activities pertaining to how personal information is handled. It is also fairly broad:
‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
This definition basically categorises virtually any action relating to personal information as “processing” and subject to consent by the data subject. As the definition’s lead-in indicates, this covers both single actions and groups of actions or, as the definition puts it: “any operation or activity or any set of operations”. Like I said, it is broad, very broad.
Both of these terms form part of the foundation of an adequate privacy model that direct marketing businesses should have in place already or, at the very least, should be actively developing. We will explore more POPI themes in an upcoming series of posts about the processing conditions in this anticipated legislation in more detail. The processing conditions establish a series of parameters that will shape direct marketing campaigns and other activities that make use of personal information for quite some time to come.
– Industry news you’ll make time for. Sign up for our free newsletter!