On 1 July 2020 the Protection of Personal Information Act (POPIA) came into force in South Africa. Its objective is to ensure that personal information held or processed by an organisation is handled lawfully and securely. Personal information may now only be processed where the purpose is adequate, relevant, and not excessive.
Organisations have approached the implementation of POPIA with trepidation, raising concerns about changes to the way they operate and the unknown impact of increased compliance costs on profits. Is POPIA just another piece of legislation that places obligations on businesses and brings little benefit in return?
Few organisations know that POPIA can be used to detect and prevent employee fraud and collusion, allowing businesses to monitor risk events in a cost-effective way before events become a crisis.
The benefits of continual monitoring are clear: you detect risk issues while they are still evolving and prevent them from impacting your organisation by taking mitigating action early. Experts recognise the need for continual monitoring, and by adapting the risk framework within your organisation to take advantage of POPIA you can realise these benefits.
Some organisations we surveyed identified the cost of screening and lifestyle assessments as a factor limiting how far they implement monitoring. Certainly, the cost of continual monitoring should be taken into account as you implement your risk framework. That cost depends on several factors, including the cost of the information you collect, the cost of the resources used to manage the framework, and the cost of compiling and distributing the resulting data within your organisation.
To find out the true cost of a public crisis, read our previous blog.
So how long does it take for an issue to become a full-blown crisis, and could you have caught it before it did? The Guardian newspaper published an article on the five phases of the sub-prime financial crisis that hit the global financial markets in 2008. From sub-prime to downgrade, the article traced five stages of the worst crisis to hit the global economy since the Great Depression, pinning them to five dates: 9 August 2007, 15 September 2008, 2 April 2009, 9 May 2010, and 5 August 2011. Each stage was preceded by warning signs that were visible, in hindsight, well before the event.
The surveys we conducted point to the same conclusion: management and treatment of risk delivers better value for a company than management of a crisis. Managing risk requires you to track and monitor leading risk indicators.
A right to privacy
How does what we have described relate to a person's right to privacy? Does an employer have the right to undertake the evaluations and monitoring discussed above, and must the employer inform employees that these evaluations are being undertaken?
Polity[i] states that POPIA's reach is wide: it regulates every organisation that processes personal information (about employees, customers or suppliers), including those that outsource key processing activities, share data offshore, or engage in direct marketing.
Personal information broadly means[ii] any information relating to an identifiable, living, natural person or, where applicable, an identifiable, existing juristic person (companies, close corporations etc.) and includes, but is not limited to:
- contact details: such as email addresses, telephone numbers, physical addresses etc.
- demographic information: such as age, sex, race, ethnicity etc.
- information relating to the education or medical, financial, criminal, or employment history of the person.
- biometric information: such as fingerprints
- the personal opinions, views, or preferences of the person
- the views or opinions of another individual about the person
- private correspondence sent by the person or further correspondence that would reveal the contents of the original correspondence.
- the name of the person if it appears with other personal information relating to the person, or if disclosure of the name itself would reveal information about the person.
Processing means anything that can be done with personal information, including collection, use, storage, dissemination, modification, or destruction.
A responsible party must comply with eight conditions to lawfully process personal information[iii]:
- ACCOUNTABILITY: You are responsible for ensuring POPIA compliance.
- PROCESSING LIMITATION: You must process only the information you require for the purpose.
- PURPOSE SPECIFICATION: Personal information must be collected for a specific, explicitly defined purpose.
- FURTHER PROCESSING LIMITATION: Further processing of personal information (i.e., outside the original purpose) must be compatible with the purpose for which it was collected.
- INFORMATION QUALITY: You must keep personal information records accurate and up to date.
- OPENNESS: You must disclose certain information to data subjects (i.e., that their information is being collected, where it is collected from, and how it will be used).
- SECURITY SAFEGUARDS: You must secure the integrity and confidentiality of personal information.
- DATA SUBJECT PARTICIPATION: You must allow data subjects to access their personal information.
One way to ensure that personal information you obtain, and therefore process, complies with POPIA is to obtain the explicit consent of the individuals concerned, explaining why the information is required and how it will be used. This is necessary where the person concerned is not in your employ.
It is permissible under POPIA and the National Credit Act (NCA) to obtain and use employee information for fraud detection and prevention without being obliged to obtain specific consent from the individual employees.
To comply with POPIA, you should not access information unless:
- it is non-confidential information, or
- it is accessed for a permitted purpose, or
- it is accessed with the consent of the consumer (in this case, the employee).
Information that is generally known by others or available to the public is not generally considered confidential. The following is therefore not generally treated as confidential information, as it all resides in the public domain: Deeds Office records, judgments, CIPC information concerning companies and directors, information relating to trusts, landline telephone numbers, and internet or social media posts and media articles.
A Permitted Purpose
POPIA and the NCA both permit organisations to collect and process information to detect and prevent fraud and collusion.
Employers may rely on the permitted purpose of fraud detection and prevention services set out in regulation 18(4)(b) of the NCA. Under the NCA it may be possible, in certain circumstances, to access an employee's consumer and payment data for a prescribed or permitted purpose. Where an employer needs access to a consumer credit record to consider a candidate for a position that requires honesty in dealing with cash or finances, that access is available in terms of regulation 18(4)(c) of the NCA. Section 11 of POPIA sets out the grounds on which personal information may lawfully be processed, and this provision assists employers who wish to undertake risk assessments for a permitted purpose.
Additional sections of, and regulations to, the NCA assist employers in detecting and preventing fraud. Section 68(1) of the NCA defines confidential information and permits employers to undertake risk assessments, provided that the employer protects the confidentiality of that information and, in particular, uses it only for a purpose permitted or required in terms of the NCA. Regulation 18(4) lists the prescribed (or permitted) purposes for which a credit bureau may issue a credit report; among these, a person or employer may access consumer credit information for the purpose of fraud detection and fraud prevention services.
Use POPIA to detect and prevent fraud and collusion
POPIA places additional obligations on organisations to collect, process and store personal information responsibly. Equally, POPIA does not seek to limit the ability of organisations to detect and prevent fraud and collusion by employees, and it provides the necessary permissions to do so for permitted purposes. In such circumstances, organisations may detect and prevent fraud and collusion by employees without necessarily being required to obtain their prior consent.
Protect yourself and use our POPIA compliant solutions
Corporate Insights has developed a one-of-a-kind modular system that combines TransUnion’s big data universe with our own artificial intelligence and smart logic algorithms. It enables you to continually monitor, detect, act on, and prevent critical risks, both internally and externally.
The Corporate Insights system helps protect your business from the typical pitfalls that lead to corruption. It also offers a host of additional benefits to help your company continue to operate optimally, free of the threat of corruption.
Click here to book a demonstration or call us today to find out how you can transform your business.
*What we describe in this blog is not legal advice and you should obtain advice appropriate to your circumstances. What we talk about here works for us.