When dealing with records holding personal information, it is imperative to better understand what classifies processing in POPI. Here is the definition of processing in the POPI Act:
|‘processing’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—|
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
The definition of processing in POPI is one of the cornerstones of the POPI Act. It makes one realise just how far-reaching the legislation is. It helps to break this definition down into a logical picture.
A better understanding of processing in POPI
In a previous post “POPI: What is a Record?” we discussed the definition. We gave a fuller picture of what constitutes a record containing personal information. One is accountable for it throughout its existence in the company. This is referred to as the “cradle to grave” period of accountability.
During this period, there are a host of actions that could happen to this record. To help one to understand the concept of processing, here are some of the regular actions you are likely to take during the life of a record. These are regulated through requirements in POPI:
- getting hold of the details when one first creates the record at collection time (it could include other types of records like emails, paper documents such as application forms, and other electronic files that are generated during the process);
- keeping these records and files on the computer or in physical locations such as filing cabinets, boxes and drawers;
- retrieving records to make changes such as bank or address details or to distribute them for specific purposes like marketing;
- and then eventually deleting the records when there is no further purpose for them.
While a simplification, this helps to understand what the main areas of impact are when it comes to processing personal information.
A nuance to remember here is that when one stores records containing personal information, even if one has no intention of doing anything with them, by definition one is still processing personal information.
So if one has archived records it means one is processing personal information for as long as they are in archives. One then has to comply with the POPI rules relating to this processing. This includes things like safeguarding them against unlawful access, deleting them once the purpose has been achieved and restricting access.