POPI DO’S AND DON’TS
DO’S
1.1. DO conduct an information retention audit by creating a matrix which clearly identifies the various categories of personal information held by each department of CAVI, including emails, and setting out a precise retention policy for each category. (The POPI Audit Questionnaire in Annexure A should be used for this purpose.)
1.2. DO designate someone as an IO and ensure this person is adequately trained and registered with the Regulator.
1.3. DO, where possible, obtain "voluntary, specific and informed" consent from a data subject, including customers of CAVI, prior to processing his information, including his name, race, gender, marital status, address, identity number, e-mail address, physical address, and telephone number.
1.4. DO assume that CAVI will probably only have one chance to obtain the prescribed consent.
1.5. DO ensure that CAVI obtains "optimum" consent.
1.6. DO remember that POPI applies to paper files, information held electronically, video/DVD, audiotapes, photographs, images recorded on CCTV cameras, biometric information such as fingerprints etc.
1.7. DO be careful about sensitive data, namely data concerning race, political opinion, religious belief, trade union membership, physical or mental health, sex life, and criminal offences.
1.8. DO ensure the integrity and safekeeping of personal information in CAVI’s possession or under its control by, among other things, taking steps to prevent the information being lost, damaged, or unlawfully accessed.
1.9. DO define the purpose of gathering and processing of information, collect personal information only for a specific, explicitly defined and lawful purpose that is related to a function or activity of CAVI, and hold personal information only when necessary.
1.10. DO process personal information in a lawful manner; personal information is processed lawfully if it is adequate, relevant, and not excessive given the purpose for which it is processed.
1.11. DO take steps to notify the data subject that CAVI holds personal information about him and tell him why CAVI needs to do so.
1.12. DO check the rationale for any further processing and ensure further processing is compatible with the purpose for which the data was initially collected.
1.13. DO ensure that CAVI has a written contract (data processing agreement) in place when sharing personal information with other organisations or third parties and that these parties enter into a Non-Disclosure Agreement.
1.14. DO ensure that personal information is entered into records accurately and that the information is complete, up to date, and not misleading.
1.15. DO obtain parental consent when collecting personal information about persons under the age of 18.
1.16. DO ensure that any paper record is properly filed or disposed of.
1.17. DO accommodate data subject requests, including requests to disclose the identity of all third parties that have had access to their information (which request CAVI must execute free of charge) and provide a record of personal information (which request CAVI may execute at a reasonable fee).
1.18. DO hold personal information in such a way that it can be collected for inspection at short notice.
1.19. DO direct any official requests to see personal information to the IO.
1.20. DO, as far as possible, de-identify (anonymise) personal information before using it for statistical analysis.
1.21. DO respect the rights of a data subject, which include the right to confidentiality; this requires that CAVI refuse requests from family, friends and employers for information about him, including references, unless the written consent of the data subject has been obtained.
1.22. DO retain records for the required periods only, as personal information must be destroyed, deleted, or "de-identified" as soon as the purpose for collecting the information has been achieved, unless it is a requirement of law to keep it for a longer period. A record of the information must nevertheless be retained if CAVI has used it to make a decision about the data subject (including the CVs of prospective employees), for long enough for the data subject to request access to it. (Refer to the company’s Document Retention Policy.)
1.23. DO review personal information kept in files, including FICA information relating to customers of CAVI, from time to time (at least annually) and dispose of unnecessary information as confidential waste.
1.24. DO consider providing only "open references" for employees leaving CAVI (references which are shown to the employee before they are sent to third parties).
1.25. DO, when writing documents, bear in mind that the data subjects have a right to see information relating to them.
1.26. DO note that transborder data transfer (including to neighbouring countries) is stringently regulated; therefore, seek further advice from the IO when this is to be done.
1.27. DO process personal information for the purpose of direct marketing by means of any form of electronic communication only if the data subject has given its consent in a form similar to Form 4 of the POPI Regulations to the processing or is a customer of CAVI.
1.28. DO process the personal information of a data subject who is a customer of CAVI for electronic direct marketing purposes only:
1.28.1. if CAVI has obtained the contact details of the data subject in the context of the ‘sale’ of a service;
1.28.2. for the purpose of direct marketing of CAVI’s own similar services; and
1.28.3. if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of its electronic details at the time when the information was collected and in each subsequent communication.
1.29. DO approach a data subject whose consent is required and who has not previously withheld such consent only once in order to request the consent of that data subject.
1.30. DO include in any communication for the purpose of direct marketing:
1.30.1. details of the identity of CAVI; and
1.30.2. an address or other contact details to which the recipient may send a request that such communications cease (i.e. include an opt-out function).
1.31. DO make sure that any opt-outs are recorded appropriately.
1.32. DO take special care when accessing CAVI’s computer network remotely and ensure that data is encrypted.
DON’TS
2.1. DO NOT ignore POPI. Ignorance may lead to a civil action for damages, regardless of whether intent or negligence can be proven on the part of CAVI, and to an enforcement notice being issued by the Regulator (non-compliance with an enforcement notice is an offence).
2.2. DO NOT use old mailing lists.
2.3. DO NOT reveal personal information to third parties without the data subject's permission or justification.
2.4. DO NOT take up references without the consent of the data subject, i.e. only ever approach individuals named by the data subject.
2.5. DO NOT verify qualifications of employees or job seekers without the consent of the data subject.
2.6. DO NOT hold personal information about a person without explicit consent or advice from the IO.
2.7. DO NOT print personal information without a good reason.
2.8. DO NOT place personal information about an individual on the Internet without his/her permission, unless it is a condition of his/her employment.
2.9. DO NOT send personal information outside South Africa (including our neighbouring countries) without taking advice from the IO.
2.10. DO NOT leave personal information insecure in any way, whether it is physical files or information held electronically.
2.11. DO NOT allow staff to take personal information (such as credit checks) home without particular care for security.
2.12. DO NOT process personal information on a computer that is not owned or supplied by CAVI.
2.13. DO NOT part with CAVI’s computers without advice on deletion of data from the IO.
2.14. DO NOT use email for sending confidential communications or unencrypted personal information, as it is relatively insecure.
2.15. DO NOT use personal information held for one purpose for a different purpose without permission from the data subject.
2.16. DO NOT delete or alter any personal information after the IO has received a request to inspect and/or disclose that personal information.
2.17. DO NOT mention anything in email correspondence that CAVI would not want a data subject to see; even deleted emails may be retrieved and revealed to those about whom they are written.