1 July 2021 saw the anxiously anticipated implementation date of the Protection of Personal Information Act 4 of 2013 (POPIA). The Act aims to govern the ways in which personal information is processed by public and private bodies in order to protect it and its owners through an Information Regulator formed for this purpose. Processing includes activities such as the collection, receipt, recording, storage, updating or modification, and dissemination of personal information, to name a few. Personal information is essentially any information that identifies a natural or juristic person. For the purposes of issuing a B-BBEE scorecard, your chosen B-BBEE Verification Agency would act as a responsible party and processor of personal information, which would include:
a. information relating to the race, gender, national, ethnic or social origin, age, physical or mental health, disability, language and birth of the person;
b. information relating to the education or the medical, financial, or employment status/history of the person;
c. any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assigned to the person;
d. the biometric information of the person as well as their names.
Under the Codes of Good Practice for Broad-based Black Economic Empowerment, issued in terms of the Broad-Based Black Economic Empowerment Act 53 of 2003 (B-BBEE Act), such information must be processed in order to score points on the B-BBEE Scorecard. It must be emphasised that POPIA does not prevent your verification agency from requesting, processing or storing this information, but rather sets out conditions that provide guidance on how these activities should be done. POPIA makes allowance for this throughout the Act by referring to the requirement to comply with other laws, such as the BEE Act, that require detailed, lawful processing of personal information. Section 29 of POPIA, as an example, states that the prohibition on processing personal information concerning a data subject’s race or ethnic origin, as referred to in section 26, does not apply if the processing is carried out to:
· identify data subjects and only when this is essential for that purpose; and
· comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination (the BEE Act).
POPIA vs. B-BBEE
With the POPIA legislation in effect, the B-BBEE industry, being a substantial processor of such personal information, is often presented with a measured entity's response of "due to POPIA legislation, we are not required to submit personal information in relation to our annual B-BBEE Verification".
As mentioned, it is important to note that the POPIA legislation does not in fact prohibit the exchange of the information described above. It does, however, require a justifiable legal and/or regulatory reason behind the request for and/or retention of such information.
Conditions of the Act
The Act lists a number of conditions that provide a framework for companies to manage how they process information. Each company would then tailor this framework to its daily operations and to the applicable legislative requirements it functions within, if any. The conditions (and in some cases how they pertain to the B-BBEE Act) are as follows:
Condition 1: Accountability defines the assigning of responsibility by organisations for overseeing compliance with the Act. This takes the form of an appointed Information Officer in every organisation.
Condition 2: The Limitation on Processing requires that personal information may only be processed in a fair and lawful manner that does not infringe on privacy or consent.
Condition 3: Purpose Specification defines the scope within which personal information may be processed by an organisation. This should only be for the purposes of fulfilling the core function that the data is collected for, such as the B-BBEE Verification.
Condition 4: Further Processing Limitation means that once consent has been given for the processing of personal information for the purpose of the B-BBEE Verification, any further use or processing must be compatible with the initial purpose.
Condition 5: Information Quality refers to the responsibility of organisations to ensure and maintain the quality of the personal information that they process. In terms of B-BBEE, this is central to the purpose it’s collected for and in most cases is updated on an annual basis with the renewal of B-BBEE Certificates.
Condition 6: Openness speaks to an organisation’s duty to process information in a fair and transparent manner which gives data subjects insight into where information is collected, the purpose thereof, who the responsible person is, and the consequences of refusal to give such information. For a BEE Verification, points cannot be awarded if information is not shared.
Condition 7: Security Safeguards require that all personal information should be kept secure against the risk of loss, unauthorised access, interference, modification, destruction or disclosure. With the allowance by SANAS for remote verifications due to COVID-19, data security is of the utmost importance as most of it would be shared over digital platforms.
Condition 8: Data Subject Participation - Individuals whose personal information is processed have the right to access and/or request the correction or deletion of any personal information held about them that may be inaccurate, misleading or outdated, in so far as this does not conflict with any other legal or regulatory requirements for record retention.
In short, the B-BBEE legislation, along with the regulatory requirements of the SANAS R47-03, satisfies the reasoning behind a BEE Rating Agency's request for and/or retention of such information. Provided that the BEE Rating Agency has adhered to all requirements specified in the POPIA legislation, it shall therefore be required to obtain and retain all relevant personal information needed to meet the requirements of an annual B-BBEE Verification resulting in an accredited B-BBEE Certificate.
Considering that Verification Agencies are major responsible parties and processors of the personal information of measured entities, agreements aligned with POPIA should exist that define the relationship between the two parties and in doing so protect both. There are a number of examples of data breaches that show us why POPIA is not to be taken lightly going forward, with penalties for non-compliance of fines of up to R10 million or 10 years’ imprisonment. Many reputable Verification Agencies will have policies, agreements and measures in place for compliance, while allowing them to continue to fulfil their primary roles of verification, MSCT BEE Services being one of them.