POPIA Disclosure Requirements
There are a number of POPIA disclosure requirements that appear in different sections of the POPI Act. TOSMS have consolidated these into a workstream, or logical grouping of work, called “Disclosures”. This is covered in the TOSMS online POPIA training programme.
Collection in service of contract?
In the previous article, the question arose whether the collection of personal data is always solely in service of the contract?
Take an example where someone goes to an insurance company to take out life cover. When they are busy filling in personal details and signing the application form, they are well aware of the purpose for which the insurance company is collecting their details, to service their contract. Or so they believe…
Initially the collection of personal data would be to service the contract the person has just entered into with the company. The necessary people in the company would be given access to their details to make sure they are able to get the cover they want by paying their premiums every month and updating the company with any details that change. As far as POPIA is concerned that is all legitimate and not required to be disclosed at collection because it is all in service of the contract that the person as the data subject has entered into.
The plot thickens however, if one now goes behind the scenes to look at what the insurance company does with the personal information that it has just collected.
Disclosures required when used for other purposes
What happens if the insurance company gives the information to other businesses in its group, like the Health Care and Investment divisions, and they start sending marketing information about their products?
The problem with this is that what the insurance company is now doing is not in service of the contract. It has nothing to do with the Life Cover. So, before the insurance company does anything with the personal information that is not in service of the contract or, as the Act says, is not for the original purpose for which the personal information was collected, it needs to make that disclosure at collection.