My business now holds a lot of personal information about customers, and I am unsure of the guidelines, what does the law state about holding customer data?
Privacy is a fundamental right, and Section 11 of the Consumer Protection Act in relation on consumer’s privacy states:
The provisions in the Act which regulate direct marketing extend to all communication for the purposes of direct marketing (not only direct marketing via electronic communication).
In terms of section 11, a consumer may either refuse to accept, pre-emptively block, or require another person to discontinue any communication which may be seen as direct marketing. This may include telephone calls, e-mails, brochures or letters in the mail, etc.
The National Consumer Commission will facilitate the establishment of a registry where a consumer may register their particular preferences (for example, that a consumer wishes not to receive any direct marketing (a pre-emptive block) or, where he previously agreed to receive marketing material, he now wishes to change his mind and requires the marketer to stop marketing to him directly).
Businesses will have to ensure that they have measures in place to receive and record consumers’ specific preferences (at no cost to the consumer), and abide by these expressed preferences.
And, when the new Protection of Personal Information (POPI) law is passed, it will have far-reaching implications for individuals and businesses. POPI restricts how information can be collected and used, and sets out eight principles:
- Accountability: The responsible party, those who process the personal information, must ensure that all the principles and the measures are complied with.
- Processing limitation: Processing must be done lawfully and in a manner that does not infringe the privacy of the individual, and that it can only be processed if the processing is adequate, relevant and not excessive, for the purpose it is to be used.
- Purpose specification: Personal information must only be collected for a specific purpose and the individuals must be aware of the purpose of collection. In addition, records must not be retained for longer than necessary to achieve the purpose for which it was collected or processed for.
- Further processing limitation: Further processing must be compatible with the purpose of collection.
- Information quality: The holder of the data must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated when necessary. All the while taking into account the purpose the information was initially collected.
- Openness: You must ensure that the data subject is aware of the information being collected and the purpose of collection.
- Data subject participation: The data subject can request whether an organisation holds their private information, and what information is held. They may also request the correction or deletion of information which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.