The POPI (Protection of Personal Information) Act has not yet commenced, although it was enacted in 2013. The delay, while frustrating for some, gives others a breathing space to get their companies up to scratch on the law. Francis Cronje, founder & MD at franciscronje.com and CEO at InfoSeal, was on hand at iLegal 2016 to talk about what POPI is and the impact it could have on surveillance operations.
Cronje took the time to explain to the attendees what qualifies as personal and identifiable information, and noted that POPI applies to the collection and processing of this data.
Organisations will have to select an individual who will be responsible for the implementation and maintenance of the processes governing POPI, although the penalties for non-compliance can apply to a company’s directors, for example.
The collection of data is not banned completely, rather it is managed more effectively. However, the collecting must be done with the individual’s consent. Additionally, one cannot collect personally identifiable information about children.
After the brief introduction to the POPI regulations, Cronje went on to highlight specific areas where the act could affect companies. For example, cross-border data transfers may not be the best idea once POPI has commenced. How does a company know which regulations its overseas service provider follows and what recourse do you have if something goes wrong?
When it comes to CCTV specifically, companies can still make use of their surveillance operations, but they need to alert people as to the use of CCTV on their premises. And, of course, there are certain areas where it would not be appropriate, such as bathrooms. Cronje advises companies to “use the results of impact assessment to determine whether CCTV is justified in all the circumstances and if so, how it should be operated in practice”.
Furthermore, it is also important to establish who has responsibility for control of the images, for example, deciding what is to be recorded, how the images should be used and to whom they may be disclosed. Finding your CCTV videos on YouTube is not acceptable.
Moreover, in terms of storing the images, a company will have to ensure it has set up the recording in such a way that images cannot be inadvertently corrupted or copied. People who you have recorded (or collected personal information from) also have a right to ask what data you have related to them.
Finally, although there is so much more to consider, once CCTV images have been collected, the company needs to ensure they are stored securely and that there is a process for destroying the footage after a certain time. This process and timetable needs to be adhered to and the footage properly destroyed.
In conclusion, Cronje noted that POPI compliance is not impossible if one has the correct information and uses it to design your data collection and handling processes correctly.
© Technews Publishing (Pty) Ltd | All Rights Reserved