Call centre's guide to POPI

By Staff Writer, ITWeb
Johannesburg, 25 Jun 2013

Call centres will need to review their operations in light of the Protection of Personal Information Bill (POPI), says Dommisse Attorneys' Jana van Zyl.

The Bill is expected to be passed before year-end, and "will change how call centres use, share and retain their customers' and prospects' information. This will include operations for specific campaigns on behalf of clients," Van Zyl explains.

According to POPI, companies using personal data will be obliged to log, store and transfer that data securely. Third parties involved in data access, such as call centre IT support, will need to enter into formal agreements and implement the requisite security measures.

"There are physical security measures as well as technical security measures which need to be addressed," explains Van Zyl. "Access control, for example, is crucial. Technical security measures should be implemented in accordance with internationally accepted standards. All personal information that qualifies for protection in terms of POPI needs to be protected using technical means. These may, for example, include encryption, firewalls, anti-virus, backups, disk encryption for mobile hard drives and devices.

"If there is a breach of data - even if you can hold your IT service provider accountable contractually - it will still not rid you of your own responsibilities and accountability towards the individual under the law. Ultimately, you will remain responsible if you are the 'responsible party' in terms of the law," she adds.

If claims are made against a 'responsible party', the burden of proof lies with that party to show that 'reasonable organisational measures' have been implemented - that is, business processes the company follows to ensure that the confidentiality, integrity and availability of the data are protected at all times.

A further restriction is that call centres are obliged to use personal data only for the purposes for which it was collected. "For example, if a person signed up for a specific campaign only, and the call centre collected the data to use for that campaign only, the person should not be contacted for a different campaign. Going forward, if someone only opted in to receive SMS communication, the call centre should use that channel and that channel only," Van Zyl explains.

"This principle will be supported by the Consumer Protection Act's national opt-out register (once in operation). In terms of POPI, a person also has a right to obtain a copy of the record of personal information that a call centre might have on him, and if the company is not, by law, entitled to have that information, they may ask for it to be deleted."

Breaches of the Act may attract fines of up to R10 million, as well as civil action. Companies that will be affected by the legislation should begin preparing immediately, says Van Zyl. "There is no quick fix for POPI compliance. Start by meeting with an attorney that specialises in privacy law. Companies should complete a GAP analysis and start implementing action plans based on unique organisational needs in order to ensure compliance with POPI."