In a recent article titled “Will POPIA kill the life blood of the Financial Services industry?”, Danelle van Heerden, Head: Advice Solutions Retail Affluent at SanlamConnect, dissects this very important issue.
The Protection of Personal Information Act (POPIA) will protect South Africans’ constitutional right to privacy. This includes a requirement for lawful justification to exist before a data subject’s personal information (PI) may be processed.
- Will the collection of personal information to prospect for new clients become unlawful?
- Will the mining of databases to generate leads still be allowed?
- May we approach existing clients that have not given their explicit consent with offerings of new services and new products?
The answers to these questions are not as bleak as they may appear. POPIA is not only about protecting individuals’ right to privacy, but also aims to balance this right with the legitimate needs of organisations to collect and use personal information (PI) for business and other purposes.
Legitimate Interest
Can you collect and process potential customers’ personal information, and approach them, without their consent?
You may, where it is necessary to protect a legitimate interest of the data subject (the client), or for pursuing the legitimate interests of the responsible party (the FSP).
POPIA also allows for a data subject’s PI to be collected from sources other than directly from the data subject, for instance through leads or referrals, or from a public source, and for that information to be processed further.
In line with the principle of minimality, the amount of PI thus collected should not exceed what is required to make a meaningful and productive first contact with the prospective client.
How much PI can I collect?
Some basic information about a prospective client is needed to make a successful approach. Over and above the name and contact details, it may include information regarding the prospect’s age, marital status, important life events and employment. The principle of minimality requires that no more information should be collected and processed than what is necessary to achieve the immediate purpose of successfully approaching the client. If successful, resulting in further engagement with the client, consent must be obtained for the collection and processing of additional personal information required for the agreed purpose.
What about existing clients who have not given explicit consent?
When clients take out a new product, or make use of a provider’s services, such providers have a legal right to process their personal information. It then becomes the provider’s duty, in line with the requirements of the FAIS General Code of Conduct, PPR principles and TCF outcomes, to provide ongoing services, regularly reviewing their financial plans and keeping them informed of new products and services that could potentially enhance their financial wellness. Unless they specifically choose to opt out, existing clients can and should be approached regularly.
Staying compliant
How can we ensure we remain compliant when we process PI without the data subject’s consent?
- The PI must be safeguarded against loss or unlawful access.
- The PI may be used only for the purpose of making contact with the prospect.
- Only PI that is essential for the purpose of prospecting (to qualify and approach a prospect) may be collected.
- Information obtained may be enhanced from public sources (Internet, Facebook, Twitter, LinkedIn etc.).
- Prospects’ consent for the further processing of their PI must be obtained at the first engagement.
- Where prospects refuse consent or indicate that they do not want to be approached again, a record must be kept to ensure the data subject’s wishes are respected. The client must be informed that limited PI will have to be processed on an opt-out register in order to prevent future interactions.
- Where an intermediary or practice does not wish to pursue particular prospects, their PI must be destroyed as soon as reasonably possible.
- Where PI is collected directly from the prospect, the purpose for collection must be specified and displayed clearly and legibly in plain language.
- It must be made clear that the information is collected on a voluntary basis and that no individual is under any obligation to provide any of the information requested.
A good read indeed. Kind of addressed the grey areas contained in the Act.