POPI - As Little as Possible???
POPI Act on the Ground - and the concept of Minimality
In a previous article we identified that an organisation must identify exactly what personal information of individuals and organisations has been collected and stored. This includes paper as well as electronic data. Once this has been achieved we suggest that the organisation identifies and analyses the type of information they have on hand against the purpose for which it was collected.
This information must then be objectively measured against the POPI Act concept of Minimality. The POPI Act introduces the concept of Minimality in Condition 2, Section 10 as follows: “Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.”
The organisation, as the Responsible Party (the entity who determines the purpose of and means for processing personal information), is accountable for ensuring the lawful processing of personal information. In our experience most organisations have over the years continually added to the types of personal information that they collect and process. In many cases sensitive information such as race and gender is unnecessarily processed, and this could expose the organisation to unnecessary risk in the future.
Analysing and understanding what would be deemed relevant, necessary and not excessive information can be a complex exercise, as there may be legislated and other legitimate reasons for collecting even the most sensitive information. Even within the same industry, what is deemed acceptable would depend on the exact service provided by each organisation. A typical example is entities that provide their products and services on credit as opposed to those that sell for cash or even online.
As an example I have created the table below, in which I have extracted some of the more sensitive types of personal information from those listed in the POPI Act and matrixed these against some business and industry types. I have also used a Customer in some cases and Employees in others to highlight the different sensitive personal information processing possibilities in each case.
It is therefore critical that organisations re-evaluate why they collect personal information and ensure that the information is relevant and not excessive.
In the next article we will provide the first of a series of articles on the onus that rests on organisations to protect the personal information they collect.