POPIng the bubble: What’s in the Act?

Condition 1 – Accountability

Ensure that all requirements are met and appropriate measures are put in place to ensure compliance.

Condition 2 – Processing limitation

Personal information must be processed lawfully and in a reasonable manner, and the information must be limited only to what is necessary to achieve the overarching purpose.

Condition 3 – Purpose specification

The purpose of the collection of information must be lawful and clearly defined.

Condition 4 – Further processing limitation

Further processing of personal information must be in accordance with the purpose of its collection.

Condition 5 – Information quality

Ensure that the personal information is complete, accurate, and not misleading.

Condition 6 – Openness

Keep record of all processing operations and keep data subjects informed of policies and procedures.

Condition 7 – Security safeguards

Secure information records with suitable software and physical security measures.

Condition 8 – Data subject participation

Data subjects have the right to request confirmation whether their personal information is being kept on record. They may also request a correction or deletion of any information which is inaccurate, excessive, misleading or unlawfully obtained.

We suggest the following preliminary steps:

1. Appointing an Information Officer, to manage the processing of information, and to deal with complaints and enquiries.
2. An evaluation of software and other methods used to collect and process personal information, to test the level of protection against unauthorised access.
3. Compiling a detailed Policy Document, for distribution to all data subjects. The Policy should explain:

• The purpose for which personal information is collected and processed
• Procedures for obtaining consent from data subjects
• Procedures for collecting personal information
• The storage and protection of personal information
• The rights of data subjects and complaints procedures