POPI Act – would you put a padlock on the Crown Jewels?

POPI Act reasonably practicable

In previous blogs in this series on compliance with the POPI Act we have looked at the definition of personal information and also what is meant by “processing“. We also suggested a DIY method to get you on your way to understanding exactly how your company or organisation processes personal information as a first step towards POPI Act compliance.
It is important to understand how personal information is processed by your company so that you can ensure that the manner in which it is processed complies with the “conditions for lawful processing of personal information”.
In this blog, and as promised here, we will examine the the concept of “reasonably practicable” a little more closely

“Reasonably practicable” – what does it mean?

The POPI Act applies to a wide range of organisations, from large companies listed on the JSE to corner stores.  The term “reasonably practicable” does sound like it was drafted by a lawyer who had a penchant for making terms sound more complex than they are. The term combines the concept of acting in a reasonable manner with the concept of practicality. Actions of an organisation processing personal information must, in essence, be reasonable and practical. Put another way, they must not be unreasonable nor must they be impractical.
The concept of reasonableness is not foreign to the South African common law. It is at the heart of the law of delict (bluntly put, the law of delict is a branch of law that deals with liability for loss when there is no contract, things like car accidents and defamation). One’s conduct gets measured against the conduct of the reasonable man. He is a fictional man who always acts perfectly reasonably. If you the reasonable man would have foreseen harm in a situation, and you did not, you acted unreasonably and therefore negligently. Secondly, if the reasonable man in your situation would have taken steps to mitigate or avoid the harm and you did not take those steps, then you acted unreasonably.

How do you compare to the reasonable man?

Here is a simple example. You are driving down the road and the speed limit is 60kph. You see children kicking a ball in the field next to the road. Would the reasonable man foresee harm? Yes, it is reasonable to think that one of the kids would kick the ball into the road and run into the road to fetch it without looking for traffic (that’s what kids do, that how accidents happen). If you did not foresee harm you acted negligently. Secondly, having foreseen the harm, would the reasonable man have taken steps to avoid the harm? Yes, of course, he would have slowed down to under the speed limit to such a speed as to be able to stop and avoid an accident if the kid did run into the road. So, did you slow down? If you didn’t, your conduct would have fallen short of the reasonable man and you would be negligent.

Cookies vs the Crown Jewels

Let’s pull this back to the POPI Act. Remember, the purpose of the POPI Act is to give effect to the Constitutional right to privacy. At its heart it has this as its bottom line: keep personal information personal, keep it a secret. Remember, if more than one person knows a secret, then its not a secret anymore. But the POPI Act basically states that personal information that is shared with organisations must be protected. In effect. It must be kept secret. But putting a cookie jar in the Tower of London to prevent cookies being stolen would not be reasonable or practical, similarly – putting a small padlock over the Crown Jewels would also by unreasonable, and not practical. The reasonable man would just not do something like this. POPI Act reasonably practicable
So, where the POPI Act qualifies the obligation with the term “reasonable practicable”, the responsible party must ensure that the steps that are taken are considered, and well thought out. That is the steps taken must be reasoned through with reference to the type of personal information being processed as well as the consequences of a leak of such personal information. The measures put in place must also be practical, they must do the job. This exercise should be undertaken and preferably documented in order to be sure that your organisation is compliant with the provisions of the POPI Act that are qualified by the term “reasonably practicable”.
It must be noted that this blog is not legal advice. Should you wish to understand:

  • the implications of the POPI Act on your business or organisation,
  • which provisions must be perfectly complied with,
  • which provisions may be less than perfectly complied with (the ones that are qualified by the term “reasonably practicable”,
  • the extent of non-compliance that is permitted by the POPI Act for your business, as well as
  • the impacts of the POPI Act on your privacy policy, contracts and operations,

we recommend that you contact your attorney.
Image courtesy of this website.

Leave a Reply