POPIA Q&A: Data Collection, Privacy & Storage

What about WhatsApp groups where people can see other people’s contact details, but they have opted in for that group?

This is a problem as it discloses everyone’s details – this is a data breach. You’ll need to create a WhatsApp group that doesn’t expose everyone’s data.

We usually create a WhatsApp group for our events, so we can share information and pictures from the events with clients who have attended. How does POPIA affect us?

WhatsApp is fine if you’re not displaying everyone’s phone numbers to the group – there are settings for this.

Photographs, however, are private information. The question you have to ask yourself when deciding if you can share these is: did the people in these photos have an expectation of privacy or is it expected that someone would be taking photos at the event?

Overseas Regulators are calling for a common-sense approach. So, if you’re at a public event and there are photographers, an attendee can probably assume that their picture will be taken. Our Regulator is yet to clear this up, but the European regulations may be a good indicator of what’s to come in South Africa.

For how long can we keep contact information?

You can and must keep information for as long as the purpose remains valid. So, start thinking about how long you may need this information.

In marketing, some people request that their information be deleted from your database. The problem with this is that if you delete the information, you run the risk of contacting them again if their information finds its way onto your list again. You will have to keep at least the email address or mobile number to ensure that you know who Not to contact.

If a client gives us their ID number to make a booking, can we keep this on file for the next time they book, or do we need to ask them for this again every time?

According to POPIA, you can keep information for as long as the reason for keeping it is valid. If there’s a transaction involved, you’ll need to keep the information for a while for tax reasons.

If you want to keep it for convenience, ask the client. Offer them the option for you to keep the information for their convenience next time they want to use your services, so they don’t have to fill in the information again. Then ensure you keep the information secure.

Can we ask customers for personal information like hobbies, family, etc. or are there regulations that prevent marketers from obtaining this information?

In general, there’s no regulation that prevents you from obtaining this info, particularly if you’re obtaining it from the person directly and the sharing of this info is voluntary. However, it must only be collected if it’s necessary and for a valuable purpose.

If you go this route, indicate to the client that this is voluntary, what the effect would be if they don’t give it to you, and that they can opt out at any time.

To find more POPI Act information: Click here.