municipalities
Image: Vitaliy Vodolazskyy © 123RF.com

The fast and definite approach of the enforcement of the Protection of Personal Information Act (PoPIA) has left many within the utility sector uncertain about the boundaries of consent within this new piece of legislation.

To avoid substantial penalties, it is imperative that municipalities and utility organisations obtain consent for all the data within their possession. PoPIA was implemented on the 1st of July 2020. A grace period of 12-months has been granted, after which all are expected to comply.

While the Act has been put into effect for the protection of personal information processed by public and private bodies, financial compensation for damages, fines that tally in the millions, and up to 10 years’ imprisonment may be the result of non-compliance.

“With such high non-compliance penalties, many may feel intimidated by the Act and the pressure of compliance. Especially within the utility industry where organisation leaders are already under immense pressure to adhere to stringent rules and procedures. For this reason, Impression Signatures has made it a priority to provide relevant information about PoPIA to the utility sector. With sound, digestible information at hand, we hope to empower municipalities to ensure compliance and avoid hefty penalties,” explains Carrie Peter, Solution Owner at Impression Signatures.

Have you read?
Is your organisation complying with data protection laws?

Peter explains that there are clear and strict requirements outlined in PoPIA regarding consent. The onus of proof of obtaining consent is the responsibility of the individual or entity responsible for the collecting of the information. As such, it is the municipality’s responsibility to prove that consent was obtained from the customer and not vice versa.

“Although this seems simple enough at face value, this regulation may require utilities to restructure their data systems to capture and provide the relevant information. This may mean that a complete re-engineering of current systems is required,” confirms Peter.   

Data storage at municipalities and utilities

Further to the proof of obtained consent, organisations must also comply with data storage and security standards as set out by the Act. This may pose further challenges as most data management infrastructures have not been designed with privacy as the most pivotal concern.

“Municipalities and utilities hold enormous amounts of sensitive personal data. This makes compliance, privacy, and consent requirements a difficult task. These organisations will be required to collect, catalogue, and digitise their vast amounts of data for it to be processed lawfully, and for the consent and privacy conditions to be put in place,” continues Peter.  

According to the Act, organisations may not utilise an individual’s data unless they obtain permission from that individual to use the data and unless the individual has been offered some value for the received data. Once this has happened and the organisation has obtained the data, with the required consent, high protection measures must be in place to ensure the data is protected and kept private beyond the purpose for consented use.

When it comes to the issue of consent the law is clear; “Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.” Therefore, utilities must obtain consent from the individual or entity from whom the data is being obtained.

The utility must also be able to substantiate that there is a valid reason for obtaining private information, such as requiring an address for rates or electricity billing purposes. Additionally, further consent is required if any of the given information needs to be forwarded to any third parties, such as meter reading companies.

“Utilities and municipalities already have masses of private data in their possession, and getting consent for all this, as well as new data, poses a challenge that can seem impossible. As consent may be considered the lynchpin of PoPIA. Given the severity of punishment for non-compliance and the difficulty in ordering data and obtaining appropriate consent, utilising a data solution system that aids in streamlining the process would be highly advisable,” concludes Peter. “These systems allow users to follow an easy and effective process, while the organisation can rest assured that the required data management, and needed consent is being seen to.”

The Impressions Signatures PoPIA Campaign seeks to provide clear and relevant information about the requirements and obligations of this new Act.