Under the PoPI Act, entities collecting personal information from you, the “data subject”:
- may only collect personal information directly from you (the owner)
- must inform you when they are about to collect personal information and obtain your consent
- must have a good enough reason for collecting this information, i.e. it must be something they need in order to fulfil their obligations and/or deliver a service to you
- must provide adequate disclosure (transparency) on the purpose and intended use of this information
- may only share this information with authorised parties (also applies to colleagues)
Please note that the burden of proof resides with the entity collecting the information to prove that the information was obtained with the data subject’s consent, not the other way around.
It is important to note that once an entity has collected personal information from you, it has the following obligations (additional ones are mentioned further below):
- They may only use the information for lawful purposes and for purposes the data subject agreed to. This means that any further processing or data duplication must be compatible with the original purpose and stated intent of collecting this information.
- Throughout the data take-on process, access to this information must be limited to authorised parties only, and only for as long as they need it to perform their duty. This means that once someone has completed their part, unless authorised for other duties, they may no longer have access to this information (both paper and electronic). This includes limiting access by colleagues, even if they are in the same office or on the same electronic network.
It is essential that you train and educate staff accordingly, and that you update your engagement and disclosure documents, including standard agreements, to comply with these requirements. Please see our PoPI Implementation Guide on how you can use WorkPool processes to manage the requirements around data collection and record action, as well as to ensure staff do what they are supposed to, when they are supposed to and how they are supposed to. The PoPI legislation does not only protect new clients’ information; it also protects existing clients’ data. This means that you also have an obligation to existing clients contracted before the PoPI Act came into effect: to obtain their consent and to manage and safeguard their personal information in the same way.