POPIA Disclosure Requirements – Aware of Collection
One of the disclosure requirements in the POPI Act that seems obvious on the face of it, is that the data subject must be aware of the collection. In an example where one takes out life cover with an insurance company, clearly this rule is not targeting that situation because the person taking out the life cover is driving the collection by filling in the application.
So, what is this all about? A good example to explain this is the situation where the responsible party has to collect additional information about the data subject before they can approve the application.
Passing on a data subject’s personal information
A common example would be where a company needs to do a credit check on the data subject before approving the contract. In this instance the company has collected the data subject’s personal information directly from the data subject, but will then hand it over to the credit bureau to obtain a credit rating on the person.
Disclosures required before passing on personal information
Such a process cannot take place unless the responsible party discloses to the data subject beforehand:
- what the purpose of the collection is,
- the source the information is being collected from, namely the credit bureau,
- and what the additional personal information is that will be collected.
Of course, the data subject has two options – to either agree that the collection can take place or to object, in which case the responsible party has every right to decline the application on the basis of insufficient information.
All the details regarding Disclosures and the six other workstreams that make up the full requirements of the POPI Act, can be found in the TOSMS online training programme The Complete Guide to the Protection of Personal Information Act.