Is it open season for sharing personal information in conversation, or should we be vigilant about breaching POPIA?
WHAT SECTION 3 SAYS
To find out if POPIA applies to your activities, you must read section 3 of the Act. Section 3 states that POPIA applies when you ‘process’ personal information entered into a ‘record’ by automated means, or when you process information by non-automated means and it forms part of a filing system or is intended to form part of one.
WTF is this now? To really understand section 3, we must define ‘processing’ and ‘record’.
- Processing is any activity by which personal information is made available in any form – this includes sharing information while having a chat.
- Record is any recorded information regardless of form or medium, and includes writing, photographs, films, maps, and labels.
This means that when you share personal information in a conversation, it would qualify as ‘processing.’
But does this also mean that when you orally share personal information with someone the information is being ‘entered into a record’? Can the personal information you talked about be considered to form part of a filing system?
WHAT THE CJEU SAYS
The Court of Justice of the European Union (CJEU) recently tackled a similar question under the General Data Protection Regulation (GDPR) and found that oral disclosures constitute ‘processing’ under the GDPR. The court emphasised that if people were allowed to share personal information orally without being regulated, it would undermine the GDPR’s objectives. The CJEU did, however, note that disclosing information orally might fall outside the scope of the GDPR if the processing of that information is manual and the data neither forms part of a filing system nor is intended to.
Since POPIA’s definition of processing and its material scope closely align with those of the GDPR, we can expect a similar interpretation of POPIA.
APPLYING THIS INTERPRETATION
Let’s look at an example based on the GDPR: The CJEU examined whether the GDPR applied to a Finnish District Court’s oral disclosure of information about criminal proceedings. The court refused to disclose the information orally due to a lack of legal basis for a search in its systems. Here, the information was part of the court’s register, which is a filing system, so it fell within the GDPR’s scope.
Now let’s consider an example based on POPIA: A colleague asks you to provide a client’s address. You provide the information orally, without referring to any records. In this case, POPIA would not apply, since the information doesn’t form part of a filing system.
IT’S ALL ABOUT FILING SYSTEMS
Understanding when POPIA applies to oral disclosures of personal information hinges on whether that information forms part of a filing system. Both the GDPR and POPIA stress that sharing personal information orally can indeed be seen as processing information, but that the context determines whether that information is entered into a record. So, always ensure that your oral disclosures comply with POPIA to avoid inadvertently breaching it.