‘POPI’ is an acronym for the PROTECTION OF PERSONAL INFORMATION ACT.
PRINCIPLE #3 – PURPOSE SPECIFICATION: PART 1 By Adv. Loui Nel
The purpose for which Personal Information (‘PI’) is collected must be:
- Specific (i.e. not excessive as far as the purpose is concerned – what it is to be used for); Related to the function or activity of the Responsible Peron (‘RP’) i.e. collector of the PI;
- Explicitly defined (Bear in mind the CPA requirement of ‘plain language’);
- Disclosed to the person whose information it is i.e. the date subject (‘DS’) (as provided for in Principle 6).
PI must not be kept for any longer than is required to ‘achieve the purpose for which it was collected OR subsequently processed’, UNLESS:
- It is required/authorized by law for example for tax purposes;
- It is reasonably required to do so for a function or activity of the RP;
- It is required to do so in terms of a contract with the DS;
- The DS consented to the retention;
- It is for ‘historical, statistical or research purposes’ (However compare Japanese whale hunting in the name of so called ‘scientific research’ so it may well be open to abuse?) BUT only if RP has ‘established appropriate safeguards’ against abuse.
PR must ‘destroy or delete’ PI:
- ‘as soon as reasonably practicable’ after authority has expired;
- in such a manner that ‘prevents its reconstruction in an intelligible form’;
- read with right of DS to request deletion i.e. DS can at any point request the RP to destroy his/her PI held by the RP.
Disclaimer: This article is intended to provide a brief overview of legal matters pertaining to the travel and tourism industry and is not intended as legal advice. © Adv Louis Nel, BENCHMARK, September 2013.