Taking responsibility: protecting personal information during elections

Electioneering and campaigning events are gaining momentum as South Africa  heads into the election period. You may have already noticed an increase in  telemarketer calls or targeted online ads designed to grab your attention and persuade you to vote for party X or party Y. It all seems normal, but according to the Protection of Personal Information Act (POPIA), strict protocols need to be observed when it comes to people obtaining your data. 

The Information Regulator, (IR) which was established as part of the enactment of POPIA, is responsible for ensuring that the core legislation is upheld, which is to police the rule  that everyone has the right to privacy.

In this context, personal information can range from your name, address, contact details, age, marital status, ethnicity, nationality or religion; to your sexual orientation, medical and mental conditions, employment history and biometric data. It’s an extensive list, and can be used against you if the list lands in the wrong hands. 

These concerns were raised in a webinar hosted by the Information Regulator on the dangers of misinformation and disinformation during the election period, with an emphasis on what political parties are allowed to t do during their election campaigns. 

“Political parties may not bombard voters with messages without first obtaining the voters’ consent to process his or her personal information, such as telephone number or an email address,” said  the IR’s executive overseeing POPIA, advocate Tshepo Boikanyo.

So, what are the rules?

• Political parties must obtain voter consent for campaigning.
• Consent is crucial for electronic communication. For example, asking for donations through unsolicited communication constitutes direct marketing and is prohibited without voter consent.
• Parties may ask a voter only once to obtain his or her consent for soliciting donations through electronic communication.  If denied, they cannot contact the voter again.
• Parties cannot obtain personal information for marketing from data brokers or publications generating automatic telephone numbers.

Measures they should implement to ensure that they comply with POPIA: 

• They must make sure that they obtain consent or make use of other justifications. 
• They should also allow for the correction and deletion of personal information by voters. 
• They have to have adequate safeguards to ensure the integrity and confidentiality of information that is under their control. 
• They need to report any security compromise relating to personal information to the Information Regulator immediately. They have to conduct a personal information impact assessment 
• Not retain records for longer than necessary. 

Failure to do so could result in hefty fines and even imprisonment. 

In effect, political parties or any other body as stated in POPIA are governed by the eight core conditions of the lawful processing of personal information. This is what it looks like for political parties: 

1. Accountability: Political parties must ensure lawful processing of personal information, demonstrate compliance with POPIA, and conduct training on POPIA.
2. Processing Limitation: Political parties may only process personal information with voter consent or other justifications as per Section 11 of POPIA. They cannot obtain personal information from data brokers or automatic generation applications. Voters can object to processing their personal information, and if they do, political parties must cease processing it.
3. Purpose Specification: Political parties can only process voter personal information for activities directly related to the party’s purposes. Record retention must ensure secure storage of purpose-specific information.
4. Further Processing Limitation: Any further processing of voter information must align with the original purpose of its collection.
5. Information Quality: Political parties must ensure the accuracy, currency, and completeness of processed personal information and allow voters to update their details.
6. Openness: Voters must be informed about the processing of their personal information by political parties, including its source and the responsible party collecting it.
7. Security Safeguards: Political parties must implement adequate security measures to protect voters’ personal information. They must notify the Information Regulator and affected voters in case of a security breach.
8. Data Subject Participation: Political parties must confirm whether they process a voter’s personal information upon request and allow correction and deletion of information by the voter.

The fair and ethical use of our information is a cornerstone of our democracy. Civil society and journalists alike need to familiarise themselves with POPIA during electioneering and ensure that political parties uphold these protocols with integrity and transparency.

Anyone who believes they have been a victim of political parties deploying irregular or illegal practices can raise their complaints with the IR here. 

For more information about POPIA, go here. 

Aarti Bhana

Website | + posts

Content Writer

• Aarti Bhana

  https://www.frayintermedia.com/post/author/aarti-bhana/

  Daily Maverick shutdown highlights the desperate state of SA’s media
• Aarti Bhana

  https://www.frayintermedia.com/post/author/aarti-bhana/

  Press freedom under threat in Somalia 
• Aarti Bhana

  https://www.frayintermedia.com/post/author/aarti-bhana/

  Back to basics: fact-checking in journalism 
• Aarti Bhana

  https://www.frayintermedia.com/post/author/aarti-bhana/

  Getting it right during election time