What is Considered Personal Data?
According to the Protection of Personal Information Act or POPIA, your personal data includes the following examples:
- Demographic details – race, gender, age, marital status, nationality, sexual orientation, religion, language, etc.
- Biometric information
- Education and employment information and history
- Medical, financial and criminal records and history
- Location information – address, phone numbers, etc.
- Personal opinions
- Correspondence sent
While you own your personal data, businesses can collect this information from you for the purpose of research. However, they have to act within the regulations to keep this personal data protected.
Why is it Important to Protect Personal Data?
Every person has the right to privacy, which includes the right to keep his or her information private as well. Therefore, businesses cannot unlawfully collect, retain, disseminate or use personal information. We live in a society where information is shared regularly. However, the governing laws protect the process of gathering and using this information. This is done to protect the individual’s rights and determine a business’ rights when it comes to engagement with individuals.
Businesses have the responsibility to protect their database from the abuse of information. For example, according to the ICC/ESOMAR International Code, a company that collects the data of an individual is responsible for ensuring that there is no unauthorised access to the data. This means that no third party can access your data without your consent.
What Does this Entail for the Individual?
When a business collects your information, you, as the individual, have the right to:
- Be notified when personal information is collected
- Know who holds their information and be allowed access to this information
- Correct, delete or destroy information
- Object to personal information processing
- Choose whether or not their information can be used in direct marketing
- Decide not to be subjected to the automatic processing of their data, e.g. being profiled on social media.
- Complain to the regulator about how their data is being managed.
- Institute civil or criminal proceedings depending on the transgression and legislation.
What are the Dangers to the Individual Without Personal Data Protection?
Because of our digital age, we now face threats to data protection like never before. Data attacks are a common occurrence, and it is a company’s responsibility to protect any personal data it collects from them. Companies can ensure that there are people, processes and correct technology in place to prevent attacks. An example of a data attack is ransomware, in which data is stolen until the demands of the attacker are fulfilled. This criminal attack is a particularly dangerous violation of privacy and personal data protection, which is why companies have to avoid this at all costs.
Identity theft is another growing concern in the digital information age. If a company fails to protect an individual’s personal information, the implications for the individual are severe. By failing to abide by rules and regulations protecting an individual’s personal information, you are opening up the individual to:
- Credit fraud and damage to credit records
- Application fraud (student loans, credit loans, home loans, etc.)
- Crimes being committed in their name
- A restricted lifestyle until their identity has been claimed back
How Do We Ensure The Protection of Personal Data?
Keeping in mind the right of individuals and their personal data, responsible data collectors follow the advised procedures and regulations at all times. Genex uses information from organisations like SAMRA and local and international codes like POPIA and the ICC/ESOMAR International Code to ensure a fully compliant data management process. These regulations act as guidelines and rules we follow to ensure no infringement of the protection of personal data. One example of how Genex ensures compliance is the use of a data management compliance process.
Data Management Compliance
An example of a data management process we follow is one in compliance with the ESOMAR Data Protection Checklist. This checklist highlights the responsibilities a company has within a global data protection framework. This is to ensure that data subjects retain control over their personal information.
The checklist highlights five key areas to follow:
- Minimum Impact
You should only collect necessary/required data, and in a way that doesn’t harm the individual.
- Notice and consent
You need clear, informed, specific and voluntary consent from an individual for data collection.
You need to have a process in place to ensure that data is always correct, up-to-date and that it is protected against unauthorised access or misuse.
- Outsourcing or data transfer
You are responsible for anyone else who has access to the personal data, from employees to subcontractors.
Information about privacy must be made available (such as a confidentiality agreement) as well as the roles and accountability of the data controller.
Over and above this checklist, there are other rules and regulations that Genex utilises. This includes both international and local guidelines such as the following:
Genex ensures that we abide by the regulations of the Southern Africa Marketing Research Association (SAMRA). Our SAMRA Membership requires us to adhere to the internationally accepted Code of Conduct for marketing research, social research and opinion polling research.
SAMRA is the organisation responsible for safeguarding and protecting research ethics. They deal with complaints and enquiries relating to the Code of Conduct. By being a member of this organisation, we ensure that our research remains true to all ethical standards and procedures.
For example, SAMRA offers the SAMRA Red List, which is a database of individuals who have opted out of participation in research. This way, subscribers to this list don’t continue to ask for the participation of persons who have requested to be excluded from research. This keeps a positive public perception that allows for future research.
ICC/ESOMAR International Code
The ICC (International Chamber of Commerce) and ESOMAR (the global voice of the data, research and insights community) have developed an internationally recognised code.
The fundamental principles for research covered by this code include:
- The responsible and transparent collection of personal data for research.
- The protection of personal data from access by outside sources without the consent of the data subject (i.e. data attacks)
- Ethical behaviour that does not harm a data subject or the reputation of research
As discussed previously, POPIA is the South African regulation that manages personal information. In simple terms, this ensures the accountability of businesses when collecting, processing, storing and sharing personal data. Similar to international codes and as previously mentioned, it covers areas like data consent, transparency, safeguarding, access, and integrity and accuracy.
Overall, Genex values the importance of protecting personal information. We are committed to staying informed regarding regulation and policy. We believe that these guidelines are not simply a basis for research, but something we have ingrained in our company culture.
What are you doing to ensure your own data security? Let us know in the comments below.